It’s becoming increasingly clear that weak passwords and phishing offer far easier mechanisms for breaking into most organisations than exploiting software vulnerabilities. Email and the human threat vector are effectively seen by attackers as the weakest security links within most organisations. This should come as no surprise, given that email itself, like much linked to the early Internet was developed without much though given to information security. As a result, the vast majority of email communications continues to be inadequate in verifying user authenticity, and increasingly sophisticated professional criminals and state-level actors have access to a vast treasure trove of information on individuals within sites such as LinkedIn, Twitter, Facebook, personal information aggregating sites, business and national registries, along with information taken from a multitude of breaches.
A recent threat report finds that the frequency of email fraud attacks and the number of individuals targeted per organisation are continuing to rise. Attackers are also looking to make phishing even harder to detect, via new tactics such as using AI to monitor executives’ online behaviour, and AI-enabled chatbots to lure users into clicking on malicious links. Universities are also becoming a desirable target, with researchers detecting nearly 1,000 phishing attempts hitting at least 131 universities in 16 countries over the last year.
Emails attempting to steal corporate credentials have increased over 300% between the second and third quarters of 2018. The threat of such attacks are amplified by employees’ worsening security habits. A survey of 1600 global employees found that 75% of respondents reuse passwords across both personal and professional accounts, a figure which has drastically increased. 18-25-year-olds are reusing passwords at a particularly high percentage, suggesting that younger employees have perhaps less security experience and/or are simply less security inclined. Particularly worrisome for most organisations should be the finding that 15% would consider selling their workplace passwords to a third party. This highlights the significant insider security threat often overlooked by many companies.
State-level actors have also been accused of targeting businesses through phishing. In one case, spear-phishing emails were sent to hotel staff in at least seven European countries and one Middle Eastern nation. Opening the email’s .doc attachment deployed malware on the hotel machine that then infected equipment that controlled internal and guest Wi-Fi networks, allowing those responsible to attack people of interest.
Weak information security policies, insufficient awareness, inadequate enforcement and insecure system configurations often lead to an increased level of threat in all of these areas. In some cases information security awareness training is viewed as an inconvenience that is carried out (if at all) upon hire or annually without any further follow-up. This fails to support information retention and positive habitualisation by the trainee. Only a sustained and well-planned year-round information security awareness programme can ensure that organisations prepare themselves for hostile actors and prevention of insecure internal practices.
Given that emails continue to be the cyber-criminals’ vector of choice for distributing malware and phishing, the right course of action for organisations would be to address this major threat by reviewing and improving information security awareness programmes. In particular, regular and strategically planned phishing awareness exercises should be carried out to raise the alertness levels of employees to this threat. Digital signatures and email security software can also be deployed as further threat mitigating measures. While risk mitigation measures will seldom eliminate a threat, such measures combined with more secure system configurations, should go a long way towards significantly mitigating this sizeable threat, which is likely set to further grow through the use of more advanced AI attacks.