Mika Aalto
Despite the availability of sophisticated new hacking technology, email remains the strategic weapon of choice for hackers. That will hold true as email attacks intensify across the planet, executed both by profit-motivated cybercriminals as well as the state-sponsored threat actors expanding their operations in unprecedented fashion, as reported in the New York Times in June.
Unlike highly sophisticated hacking and surveillance tools, email is virtually untraceable. In Star Trek terms, a highly sophisticated cyberattack is like a Romulan cloaking device followed by plasma torpedos; the method of attack, available to but a few, reveals the attacker, as the fancy stuff requires significant resources and know-how to obtain and use.
Many people lack the instincts and training to outsmart an email attack. The human element, mostly email-originated, was responsible for 82% of data breaches in 2021, according to the most recent Verizon Data Breach Investigations Report (DBIR).
Breaches broke records in terms of financial damage and sheer volume in 2021, headlined by ransomware attacks on critical infrastructure and supply chain at Colonial Pipeline, JBS and Kaseya, to name a scant few. A scary peek into the future of ransomware and cyberattacks has been pummeling the Costa Rican government in waves since the spring of 2022 courtesy of the Russia-linked Conti ransomware-as-a-service group. Their extortion demands include millions of dollars and regime change.
Guess what each of these breaches has had in common? Email. A single click has brought whole governments to a standstill. And it’s only going to get worse.
Cybercriminals increasingly need to strike from the anonymous shadows to get paid. Due to international tensions, more and more criminal groups like Conti and REvil are on a list of international sanctions that make it illegal to pay their ransoms. To get around that, Conti has been breaking up and re-forming into new sliver cells, like those attacking the Costa Rican government. That’s why criminal groups are opting for email; anonymity enables extortion payments.
Phishing attack templates and malware have also gotten alarmingly good recently. From the millions of email threats my company has analyzed, we’re seeing more and more spoofs that are nearly indistinguishable from the real thing.
People aren’t prepared for what’s coming. Advances in deep fake and A.I. technology are making us literally question our reality at all times. “Is my CEO really telling me to buy tens of thousands of dollars of gift cards to pay this invoice?” (Propaganda, misinformation and fake news are beyond the scope of this article, but it also plays into our sense of unreality.)
A Multi-Trillion-Dollar Gravy Train Built On Inboxes
To be sure, the people, processes and technology constituting a holistic cyberdefense must all work together. But to overlook email as many leaders have—and to neglect building the cybersecurity instincts and habits in employees that minimize phishing breaches—is a massive mistake that the bad guys are counting on us making.
Email attacks have transformed risk management. After 2021’s “Year of ransomware” collapsed the cyber insurance industry, premiums shot through the roof while coverage shrank. Many can’t even get cyber insurance. Meanwhile, government compliance and regulations are tightening. Together, it's leaving cyber risk management in uncharted territory.
Demand for effective solutions at the human layer of cybersecurity will thus only increase. For instance, only 3% of cybersecurity spending goes to awareness, according to research by Perry Carpenter and Kai Roer. I think that proportionality will change this year.
It’s important to establish a strong security culture that keeps your people and, by extension, your organization safe. Devices will continue to proliferate outside the office in the pandemic-driven shift to remote work and the cloud. Security itself must continue beyond the office as well.
Depending on the security culture you and the CISO agree to build around your business goals, you might incorporate these foundational principles:
• Make password managers and multifactor authentication compulsory for your workforce.
• Endpoint detection and response solutions give security teams better visibility into potential incidents happening in their users’ gadgets.
• The Zero Trust model rose from the ashes of the pandemic-driven shift to the cloud and remote work to tighten security in the new normal’s hybrid work environment.
• Enforce immediate software updates and patches on all employee devices. This is such a simple but necessary security step that too often goes overlooked.
Don’t Forget Email
Paraphrasing awareness expert, George Finney in his book Well Aware, people aren’t the weakest link in a security system; they are the only link. And as most of our good and bad actions are based on habits, he argues, the key to better security outcomes is changing people’s email habits.
People can learn cyber street smarts. Ira Winkler, chief security architect of Walmart and author of Security Awareness for Dummies, has long cited the behavior design research of Stanford’s B.J. Fogg, to advocate for transcending mere awareness and actually building good cybersecurity habits. It’s all about continuous practice in a reward-based program at the individual’s ideal level of difficulty.
Cybercriminals will never quit email. That’s why we can’t quit on phishing training.
No matter how tight your technical filters are, malicious emails will always slip through. At that point, all that’s standing between attackers and your crown jewels are the good email habits fueling your human firewall.
No comments:
Post a Comment