Over the past century there have been tremendous improvements in our ability to use and defend cyber systems. Technology itself has changed drastically from our heavy vacuum tube computers in the 1950s to the world we see today, teeming with mobile devices, the Internet of Things, Cloud computing — and the next big idea.
However, in every piece of technology we have created, there has been a single vulnerability, a common issue that plagues every engineer and programmer: the human element.
Until the 1990s, humans primarily caused issues through inadvertent mistakes: fat fingering the wrong code, entering data in a way that no one considered, forgetting an important task or process. But over time, we have seen other humans — those with malicious intent — exploit these weakness in new and innovating ways. So much emphasis is put on cutting-edge technologies that defend and fight our networks, but very little is written about the greater risks posed by the fallibility of people that move our businesses forward on a daily basis.
So, where are the greatest points of risk? While there is no one answer for every enterprise, every person that is a part of the business ecosystem can contribute to “the insider threat”: authorized users that impact the security of the systems they use, intentionally or unintentionally. This includes employees in every department, vendors, partners, even customers. People have an innate desire to make things easier and accept risk by compromising security, usually without realizing it. Use a four-digit PIN instead of a password — sold. Use the same PIN across my ATM and all my systems — done. Make my shopping experience easier by doing one-click with no authentication — sign me up.
In our hectic, busy lives, people often unknowingly accept risk in the name of simplifying chaos without fully understanding the impact, and cybersecurity professionals are constantly trying to work around and respond to our bad habits.
We cannot accept the risk when we are unaware of the threats and their impact.
The majority of cybersecurity breaches introduce malware by simply sending a malicious email to targets and hoping they fall for the bait. Whether it’s an email attachment such as a funny photo, video, spreadsheet or Word document, or a link to a malicious website, it is just as easy for an attacker to get someone to fall for their tricks today as it was 20 years ago. In fact, many believe it is even easier today because the attack tools are automated and free for purchase. No IT savvy is needed.
Coalfire conducted cybersecurity engagements for more than 2,500 clients in the past two years and analyzed the data from our phishing attacks. Companies hire us to test their defenses to see how well they work and what their susceptibility is to an attacker.
The data is sobering — during nearly 100 percent of our phishing campaigns, we can get people to do things they shouldn’t. And usually we can lure in about 10 percent of the population. You may think a 90-percent defense rate is an “A,” but in cyber warfare it means the bad guys have the upper hand. (Imagine if the food you ate was safe for consumption 90 percent of the time?)
The accompanying chart, drawn from a Coalfire report to be released in early 2018, shows our penetration testers’ rate of success in phishing campaigns conducted on a representative set of 10 customers. No customer was left unscathed: The most successful company saw a 1 percent click rate; most of our customers saw 5 percent-plus; and one as high as 33 percent. These customers invested considerable time, training and money into defending themselves — and yet, one in three people still did the wrong thing.
So, what does a bad guy do with a phishing scam? Ransomware, which freezes data assets by encrypting them until payment is received (usually via cryptocurrency), is one potential result.
Ransomware has exploded from a nearly nonexistent form of crime three years ago into a $2 billion-plus market. This blight on the cyber domain has interrupted operations of critical organizations such as hospitals — and is frequently enabled by phishing. According to most reports, phishing has been the primary ransomware introduction method in a steadily growing number of incidents, a trend that is likely to continue to grow. Infected websites are another significant method of delivery, and many of these websites attract visitors through, you guessed it, phishing attacks.
So, what is the solution to the human vulnerability conundrum? The answer is both simple and complicated: training and technology.
Companies that have good cybersecurity training and awareness are less susceptible to phishing. They will think twice before clicking that link or downloading that file. They will also react quicker and get help if they know what to do. Additionally, it’s essential to leverage information technology systems to identify likely scams, remove or quarantine the emails, and learn from one mistake and apply it to others.
In order to stop phishing, we also have to remove humans from the loop to the greatest practical extent and leverage technology.
We are, and always will be, the unknown parameter in an increasing digital world. Don’t fight it, embrace it — it’s this unknown, unpredictable aspect that makes us human. But if we hope to win in the war against cyberthreats, we must limit the consequences of our actions through better training and technology.
• Tom McAndrew is Chief Operating Officer at Coalfire, an independent cybersecurity advisory that provides independent assessments, technical testing, cyber engineering, and cyber risk management services to private and public sector companies. A graduate of the U.S. Naval Academy, Tom is one of the leading experts in cybersecurity, with expertise in Cloud ecosystems, cfinancial services, retail and government security strategies. He is a member of the National Association of Corporate Directors, serving on several boards, and was recognized as one of the top influencers in the Federal Government (FCW Federal 100 Award).
Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.