“Don’t let your users be the first line of defence. Don’t let your people guess what’s a legitimate email and what’s a malicious email.” That’s the view of Adenike Cosgrove, cybersecurity strategist for EMEA at Proofpoint. Speaking to CBR TV, Cosgrove argued that the human factor is increasingly important in the fight against cybercrime and that organisations ignore it at their peril.
“A few years ago it was very much about the vulnerability of the network – it was the servers, devices and software,” she said. “And that’s how [criminals] gained access into the network and compromised data or stole credentials. But fast forward to today and there’s been a shift. And that shift has been to targeting the individual.”
“People are the weakest link and they’re the vulnerability criminals are going after.”
According to Proofpoint’s Human Factor Report 2017, business email compromise (BEC) attacks are on the rise, up 45 percent year-on-year. A BEC attack differs from more traditional forms of cyber criminality. There is no malware, attachment or payload. Instead, it takes the form of a simple text-based email sent to an individual who is encouraged to share business-critical information, release funds or act in other ways that may compromise the organisation.
BEC succeeds because the message appears to have been sent by someone who has sufficient authority and credibility within the company that the recipient is inclined to act as instructed.
“It’s pure social engineering,” explained Cosgrove. “Businesses are losing millions, they are losing IP, they’re losing PII [personally identifiable information]. And in this new world of regulation and compliance we have to take this threat seriously because it has huge implications potentially to the bottom line of business.”
Combating this relatively new style of attack requires greater visibility of a business’s threat exposure. “We can’t protect our organisation if we don’t know who is trying to attack us, what they are trying to target,” said Cosgrove. “It’s important to get visibility that gives you real-time intelligence into the attackers trying to target you and what information they are trying to obtain.”
“So as much as possible, implement solutions that block the vast majority of these attacks,” she added. “Understand who is trying to target you, understand the data. Then implement solutions that protect that data and block as many threats as possible from landing in the inbox.”
Ultimately, said Cosgrove, there is no “silver bullet” when addressing cyber security. Instead, she advised taking a multi-layered approach that addresses people, processes and technology.
“On the people side we have to continue to train our employees – to train our customers even – around the evolving threat landscape, and around the risks that they face as they continue to work in these new ways using social, mobile and email technologies.
“Then there’s process. In the case of business email compromise, we have to have checks and balances in our businesses to prevent users internally wiring large amounts of money to people we haven’t authenticated. And finally, technology. Implement solutions that block these attacks from getting into the inbox in the first place, remove that guesswork for users.”
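The impersonation pattern described above (a text-only message that borrows an executive's authority to request a payment) can be screened for before it reaches a user. The following is an added example, not code from the article or from Proofpoint; it assumes a hypothetical organisation domain, a hypothetical executive list and two constructed sample messages.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: hypothetical organisation and executive.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of a text-only BEC request: payment, urgency, secrecy.
REQUEST_PATTERNS = [r"\bwire\b", r"\bpayment\b", r"\binvoice\b",
                    r"\burgent", r"\bconfidential\b", r"\bgift cards?\b"]


def bec_risk(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    reasons = []
    # 1. Display name of a known executive, but not that executive's address.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        reasons.append("executive display name with non-matching address")
    # 2. External domain that closely resembles the organisation's own.
    if domain != ORG_DOMAIN and SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.8:
        reasons.append(f"lookalike sender domain {domain}")
    # 3. Reply-To steers answers to a domain other than the sender's.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("reply-to domain differs from sender domain")
    # 4. Plain-text body (no attachment or payload) carrying a payment/urgency request.
    body = msg.get_payload().lower() if not msg.is_multipart() else ""
    hits = [p for p in REQUEST_PATTERNS if re.search(p, body)]
    if hits:
        reasons.append(f"payment/urgency request in text-only message ({len(hits)} phrases)")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.office@freemail.test>
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need an urgent wire transfer sent today for a
confidential acquisition. Don't discuss with anyone, I'll explain later.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack

Attached are the slides for Thursday. Nothing needed from you yet.
"""
```

Running `bec_risk` over the two samples flags all four indicators on the constructed fraud and none on the genuine note; in practice the executive list and domain would come from the directory and the score would feed a quarantine or banner rather than a hard block.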