As Internet users become more attuned to well-known spamming and phishing attacks, cyber criminals have to invent new ways to lure them into opening a malware-laden email or clicking on a link that goes to a malicious website. For instance there is no denying that avid newsreaders will be more inclined to click on headlines around breaking news stories and hot button issues without second thoughts, as opposed to emails with fishy subject headers.
Indeed, an information security system is only as strong as its weakest link. Unfortunately, the truth remains that individuals are a weak link in the battle against cyber criminals. Many continue to click on links or attachments sent over email without taking any steps to verify the origin of the email validity of the link or attachment. It only takes one click for an attacker to establish a foothold in the target's systems.
The 2013 Verizon Data Breach Investigations Report found that sending just three emails per phishing campaign gives the attacker a 50 per cent chance of getting one click. With six emails the success rate goes up to a whopping 80 per cent, and at 10 it is virtually guaranteed. Social media helps spur success, enabling cyber criminals to gather information about us so they know how to more effectively entice targets to click on that malicious email. To provide more context on the business impact of such attacks, India recently emerged as the top nation across the Asia Pacific region in terms of phishing attacks by volume, according to RSA. This meant that in 2013 alone, the country experienced an estimated loss of US$225M.
With the rapid technological advances, it is without a doubt that security as a people problem is not going away anytime soon, and the advent of the Internet of Everything is only going to make this more of an issue. Not only will users inadvertently expose their systems to malware from laptops and tablets, they will also be able to click on links from their smartwatches and cars, amongst others. It won't take long once that malware is on their device for it to proliferate across the entire network and any connected devices, simply from a seemingly trusted news link sent from a "friend's" email address.
In order to address this growing concern, there is a need for businesses to move beyond securing devices and data to addressing the people and process aspects of this problem through education. Organisations must recognise this gap in their security and implement internal programs to ensure that users know how to identify and cease to click on potential malware. In addition, users should also understand when and how to inform the organisation of any suspicious occurrences, so future attempts can be minimised and/or blocked.
Sign up for Computerworld eNewsletters.