Two new reports show two significant trends in the increasingly busy area of cyber security: Careless employees are a prime reason many companies’ databases are getting “phished” for data; and the rising tide of ransomware, where hackers freeze up a computer and demand payment to release it.
And in a majority of cases, it is small and mid-sized firms that are being targeted.
Don’t think you need to worry? Think again.
When these malicious code-bearing e-mails (phishing and ransomware alike) are sent, there is an 11% chance that a given employee will click on the link that lets the phishing program gain entry into your database. If 10 employees receive such an e-mail, there is greater than a 90% chance that at least one of them will click on it.
Even worse, nearly 50% of users open e-mails and click on phishing links within the first hour. The median time to first click is just one minute, 22 seconds. You can see how the odds are stacked against you, since it’s so difficult to control the human factor.
In a more disturbing trend, the “Internet Security Threat Report” by Symantec Corp. noted that 60% of all targeted attacks strike small- and medium-sized organizations.
“These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver e-mail attachments. This puts not only the businesses, but also their business partners, at higher risk,” Symantec wrote in its report.
It’s important you understand these growing threats to your organization, and that you take steps to minimize the chances of your firm being hit.
Phishing
Phishing is an attempt to gain access to a database by masquerading as a trustworthy entity in an electronic communication. Phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack.
In phishing, tainted e-mails, disguised as coming from a trustworthy source, are sent to employees, and if just one person clicks on the link, it allows hackers to gain entry into the company’s database. At that point, they can write code to camouflage the presence of the malicious software, which allows the hackers to root through the database and acquire sensitive information such as user names, passwords, and credit card details (and sometimes, indirectly, money).
While phishing seemed to be fading in 2013, Verizon Communications Inc., in its annual “Data Breach Investigation Report”, notes that the practice made a resurgence in 2014 largely thanks to employees clicking on links in bogus e-mails.
This human-error dynamic is a significant frustration for businesses that erect firewalls and use other cyber security methods to protect their company data.
Ransomware
The other growing threat is ransomware (also often the result of employees clicking on tainted e-mails). Once someone clicks on a link, malware infects the computer system and freezes some or all of its main functions.
After the system is rendered unusable (completely or to some degree), the company will receive a ransom e-mail telling it to pay a certain amount to unlock its computers.
Ransomware attacks more than doubled in 2014 to 8.8 million, from 4.1 million the previous year, according to Symantec. Put another way, there were 24,000 attacks per day, compared with 11,000 in 2013.
But Symantec notes that there is a worse threat in the ransomware category: crypto-ransomware. This threat grew 45 times, from 8,274 incidents in 2013 to 373,342 in 2014.
There are several different crypto-ransomware families, but their method of exploitation is the same. Rather than locking your desktop behind a ransom wall, crypto-ransomware encrypts your personal files and holds the private keys to their decryption for ransom at a remote site. This is a much more vicious attack than traditional ransomware.
Methods of infection vary, but commonly it’s via a malicious e-mail attachment purporting to be an invoice, energy bill, or image. The delivery often forms part of a service actually provided by different criminals from those executing the crypto-ransomware.
What you can do
The bigger question for companies is how to reduce the likelihood of infection. You can’t hire robots to open your e-mails, so you have to find ways to bird-dog those malicious e-mails before they reach your employees’ in-boxes.
The general areas that will give you the most bang for your buck are:
• Better e-mail filtering before messages arrive in user in-boxes.
• Developing and implementing a thorough security awareness program from the top to the bottom of your organization. That means training staff to spot suspicious e-mails, to quarantine them, and to resist the urge to open e-mails from familiar-sounding names of people they don’t know.
• Improved detection and response capabilities.
The preferred method is to take measures to block, filter and alert on phishing e-mails at the gateway.
That said, no technological defense is foolproof, so your people are really your last line of defense.
One of the most effective ways you can minimize the phishing threat is through effective awareness and training.
One idea is to teach all staff to act as your scouts: if one of them detects a suspicious e-mail, they send it to your head of IT or a manager, who can decide whether to send out a warning to all the staff.
In other words, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.