By Brian Pinnock
Email attacks are cheap, easy, low risk and high reward. And based on the recently launched 2019 State of Email Security Report, they are on the rise: 53% of South African companies saw an increase in phishing attacks containing malicious links or attachments in the past year, and 63% reported increases in impersonation fraud.
Not only is the volume of attacks increasing, they are becoming more sophisticated and the pace at which criminals are innovating is cause for immense concern. A single email breach can hit your revenue and reputation hard.
Protecting against this is not easy. The sheer number of emails that pass through an organisation each day complicates the process of securing yourself from email-borne threats. In fact, Mimecast’s latest Email Security Risk Assessment, an aggregated report of tests that measure the efficacy of widely used email security systems, found that many email attacks, ranging from opportunistic spam to highly targeted impersonation attacks, are getting through incumbent email security systems.
It found that 26,305,457 spam emails, 27,156 malware attachments, 55,190 impersonation attacks and 466,905 malicious URLS, were all missed by these incumbent providers and delivered to users’ inboxes.
Don’t underestimate the enemy
Are we – as business and IT leaders – sometimes guilty of underestimating cybercriminals? Thinking of them as lone thieves out to make a quick buck ignores the fact that cybercrime is now driven by criminal organisations that rival the drug trade in size and scope. It’s a well-oiled, thriving multinational criminal enterprise that is expected to cost the global economy $6 trillion by 2021.
According to the South African Banking Risk Information Centre (SABRIC) it costs South Africa R2.2-billion a year. In fact, South Africa currently has the third-highest number of cybercrime victims worldwide, with mobile banking losses alone increasing by 100% over the past year, according to the latest SABRIC data.
Thinking of cybercriminals as part of complex business structures that rival your own helps you keep up with them more effectively. Rather than thinking of a clandestine hacker working out of a basement, you need to see it for what it is: a sophisticated, professional operation working out of an office tower, replete with systems, top talent, and a drive to succeed. And since cybercrime is a highly lucrative business, you can assume they’re well-funded too.
Understanding cyber risks
To strengthen your cyber resilience, you need to first understand what the cybersecurity risks are, and that cyber resilience starts with email. Email is the number one channel for breaching organisations’ defences. Phishing is the leading email attack type: fraudulent emails written under the guise of an important stakeholder, such as a bank, SARS, or regulator that solicits an unsafe action from the recipient, for example clicking on a seemingly innocuous link that exposes personal or company information or triggers a malware install.
These types of attacks are untargeted and rely on volume and human weaknesses to break through cyber defences. The amount of information we readily share online, and the speed at which we use internet-based services, leaves us exposed to clever tricksters.
Spear-phishing attacks are far more sophisticated. Emails are targeted at specific individuals or organisations for which the attacker has extensive information. Think of them as targeted ads for premium customers. There are significant increases in more sophisticated types of targeted attacks, such as impersonation fraud, recorded in South Africa.
Data from The State of Email Security Report shows that 38% of South African organisations saw an increase in impersonation fraud involving email-based spoofing of vendors or business partners asking for money, sensitive intellectual property, or login credentials. Thirty-three percent also saw an increase in impersonation fraud involving CEOs and other high-ranking company executives. Even the largest tech companies fall prey to this type of attack: workers at Facebook and Google fell for an impersonation fraud scam that nearly cost them $100 million (R1.4 billion).
Ransomware is one of the more well-reported types of attacks. The most worrying aspect of a ransomware outbreak is its tendency to disrupt entire organisations by freezing critical IT systems. It is a type of malware that locks victims out of their IT systems or data; to regain access, you need to pay a ransom.
What you need to ask yourself to protect yourself
You need to adopt a competitive mindset if you’re going to have any hope of staving off the myriad cybersecurity risks endangering your data – and your business. Think: how would someone make money from attacking your organisation?
What data or systems would fetch the highest ransom in the event of a successful attack? What is easiest to monetise on the black market?
Which employees hold the most financial power or influence? Who are their associates? How would you trick them into exposing sensitive information? How much information about them is available online, and can that information be used in the service of impersonation fraud?
Which systems, data or business process are absolutely essential to the organisation’s survival?
Which partners or suppliers have access to the organisation’s digital assets?
Once you can answer these questions, you can get to work on improving your cyber resilience. Starting with email, employ advanced security controls that include a modern, secure email gateway system instead of just an email security system that focuses purely on stopping spam or known types of malware. Threats are no longer just sent to all and sundry with a ‘hope-for-the-best’ attitude; cybercriminals are too clever for that. A standard email security system is not going to stop targeted threats.
Remember that security is a business problem more than it is an IT problem. Treat it as such. Understand the value of your data: after all, it’s the bargaining chip in every ransomware attack. Have powerful backup and recovery capabilities to restore systems and data quickly and with minimal interruption to the business. Are you patching your system vulnerabilities as soon as possible? Many attacks capitalise on unpatched systems. Abandon your old, unsupported operating systems and applications and never use pirated software.
Finally, remember that your employees are your last line of defence. Train them. Give them the knowledge and tools to spot and avoid cyber risks. Make security a critical part of your organisation’s culture.
Only 1% of South African organisations think end-user training and awareness is not important; and yet, only 63% have included end-user awareness in their cyber resilience strategies. Your employees are your most valuable resource; they become even more valuable when they are clever and cautious. – GeekWire.co.za
Brian Pinnock is a cybersecurity expert at Mimecast.