Keeping companies safe from determined cybercriminals is an everyday battle as threats continue to evolve and business practices change. For many security teams, the question remains: What steps should organizations take today, and what should they anticipate tomorrow?
According to Bhagwat Swaroop, EVP of email security for global cybersecurity company Proofpoint, the threat landscape has shifted away from traditional hacking of computers and networks. Now there are targeted attacks against people, specifically tricking users into clicking on nefarious content or taking an ill-fated action. These technically simple yet customized attacks often use social engineering to con people into becoming unwitting accomplices.
As a result, organizations need to look beyond firewalls and filters and adopt a “people-centric” approach to enterprise security.
While the nature of today’s cyberthreats has shifted, the main attack vector remains email. According to Verizon’s 2018 Data Breach Investigations Report (DBIR), 96 percent of the social-engineering incidents it analyzed arrived by email. Because of this, Swaroop believes it is crucial that organizations concentrate security resources on their biggest challenge and most exposed communication channel: email.
Compounding the problem, employees can’t always recognize fraudulent emails aimed at stealing their credentials or getting them to wire funds. “While the security team is rightfully concerned with putting security solutions in place, it only takes one employee to unwittingly click on one suspicious email to let the bad guys in,” Swaroop notes. “That human tendency is just one reason why every security program needs to include security awareness training as part of its strategy.”
Earlier this year, Proofpoint commissioned a survey which found that 77 percent of global IT decision makers believe their company is either “likely” or “very likely” to be targeted by email fraud in the next year. Email fraud attacks generally carry no malware payload; instead they resemble genuine company email, using the same wording, logos, and familiar references to impersonate a trusted entity. They can also impersonate real identities, for example by putting a trusted person’s name in the display name while the underlying address belongs to the attacker, or by sending from a lookalike domain.
“Social engineering is easy for bad guys to do,” Swaroop says. “They simply conduct search engine or LinkedIn research on their potential victim. It’s much easier and far less expensive than cracking an encrypted database or finding a backdoor into a corporate network. Why would cybercriminals go through the trouble of trying to break through the door when an employee can open it from the inside with a simple click? That’s why phishing campaigns are particularly prevalent now – they’re quick, easy, cheap, and highly effective.”
Phishing attacks are also very effective in industries that regularly deal with outside vendors. “If I get an email from somebody in the same company, I might already know the individual and can always pick up the phone and confirm that the person who sent me the email is the person I know,” Swaroop says.
But when you work in a large network of sister companies, partners, outside vendors or third-party suppliers, you often must trust strangers at face value. Transactions happen at arm’s length, and the employees making the payments are not always the employees with the relationship to the counterparty, which makes verification a more cumbersome task.
Attackers’ mindset
Once they’re in, what are attackers after? While their motives are often financial in nature, there are other possibilities as well. These include accessing embarrassing information, mapping out an organization’s organizational chart for future attacks, hijacking an email conversation, obtaining trade secrets, or stealing intellectual property.
“It’s a spectrum,” Swaroop says. “Whatever the motive, the cost and difficulty for launching a phishing attack is marginally low – almost zero. For the victims, however, it’s a different story.”
Often when an employee’s personal information is stolen, the consequences are lasting. One of the most insidious things about phishing attacks is how swiftly they can occur without the victim’s knowledge. There is also the residual damage inflicted on others. “One compromised employee can expose their entire company to the same threat—all it takes is one click,” Swaroop says.
Doing something
So, what is the ideal security solution? Foremost, Swaroop believes organizations must think from an attacker’s perspective and understand who is being targeted, through what means, and their role in the company.
Attackers typically pursue people with access to important data and those who are likely to make a mistake and expose a critical cache of information. Once organizations understand which of their employees are the most targeted, they can develop a people-centric security strategy to best protect them. Keep in mind that at some companies a compliance officer might be a bigger target than the COO. It’s all about who can access what data.
“In the end, it’s a numbers game. Think about an organization being targeted by hundreds of attacks. If there are methods you can put in place that automatically block 95 percent of those attacks in the cloud before they hit the email gateway, then your security team is working with a much more manageable number,” Swaroop says.
Organizations should also put controls in place such as sender authentication (SPF, DKIM and DMARC), dynamic email classification, machine learning capabilities and display name spoofing defenses. They should watch for lookalike domains that differ from a legitimate domain by only a character or two. It’s also important to complement security technology with consistent employee security awareness training.
“Each of these best practices protects a certain percentage of attack vectors,” Swaroop said. “A combination of all these techniques applied together should put organizations in a better position to prevent email fraud.”
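The controls listed above (sender authentication, display-name spoofing defense, lookalike-domain detection) can be sketched as a small header triage routine. The following is an added example, not Proofpoint’s code or a description of its products; the company domain (example.com), the protected executive names, the homoglyph table and the four sample messages are all constructed for illustration.

```python
"""Header triage for the email-fraud patterns the article describes.

Added example, not Proofpoint's code. The company domain (example.com),
the protected display names and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example.com"}            # assumed company domain
PROTECTED_NAMES = {"jane doe", "john smith"}   # assumed executives' names
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Collapse common visual tricks (rn -> m, 0 -> o, ...) before comparing."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def classify_sender(raw_message: str) -> list[str]:
    """Return the fraud indicators found in one message's headers."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # Display-name spoofing: a trusted name in front of an external address.
    if from_domain not in PROTECTED_DOMAINS and any(
        name in display_name.lower() for name in PROTECTED_NAMES
    ):
        findings.append("display-name-spoof")

    # Lookalike domain: homoglyph match, or within two edits of our domain.
    if from_domain not in PROTECTED_DOMAINS:
        for real in PROTECTED_DOMAINS:
            if normalize_domain(from_domain) == real or edit_distance(from_domain, real) <= 2:
                findings.append("lookalike-domain")
                break

    # Sender authentication: the gateway's DMARC verdict recorded in
    # Authentication-Results catches direct spoofing of our own domain.
    auth_results = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth_results:
        findings.append("dmarc-fail")

    # Reply-To steering replies to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages (headers only).
DISPLAY_NAME_SPOOF = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "Reply-To: Jane Doe <ceo-urgent@outlook.com>\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=gmail.com\n"
    "Subject: Urgent wire transfer\n\n"
)
LOOKALIKE_DOMAIN = (
    "From: Accounts Payable <ap@exarnple.com>\n"
    "Authentication-Results: mx.example.com; dmarc=none header.from=exarnple.com\n"
    "Subject: Updated bank details\n\n"
)
DIRECT_SPOOF = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; "
    "dmarc=fail header.from=example.com\n"
    "Subject: Quick favor\n\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com\n"
    "Subject: Board deck\n\n"
)

if __name__ == "__main__":
    samples = [("spoofed name", DISPLAY_NAME_SPOOF), ("lookalike", LOOKALIKE_DOMAIN),
               ("direct spoof", DIRECT_SPOOF), ("legitimate", LEGITIMATE)]
    for label, raw in samples:
        print(f"{label:13s} -> {classify_sender(raw) or ['clean']}")
```

Each check covers a different trick: the DMARC verdict only helps when the attacker spoofs the protected domain itself, which is why the display-name and lookalike checks run on messages that pass authentication cleanly from a domain the attacker legitimately controls. A real gateway would also score the subject and body, but these header features are where the impersonation the article describes is visible.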