According to the Internet Organised Crime Threat Assessment (iOCTA) 2016 report from Europol’s European Cybercrime Centre (EC3), cyber crime continues to rise, and in some member states incident counts now exceed those of traditional crimes. This is in spite of the avalanche of new regulations and security standards being designed and implemented. While it is true that cyber criminals continue to get more sophisticated, that is not the real problem. The report places a premium emphasis on social engineering as the avenue for breaching security measures. Simply put, people continue to be targeted as the potential “weak link” in the security chain.
The iOCTA report identifies the dark net as the favorite marketplace of cyber criminals for buying and selling the tools and resources used to commit cyber crime. Combined with Bitcoin as the preferred currency, this gives their actions a measure of anonymity and secrecy. It means anyone, from an individual with a grudge to organized crime families or state-sponsored terrorist organizations, can obtain virtually anything they need to launch DDoS attacks, ransomware campaigns or phishing scams.
While there has been an increase in deliberate or active cyber crime areas like child pornography and credit card payment fraud, there is also continued growth in socially engineered crimes. This is where the real challenge becomes apparent. Even the most hardened systems and firewalls can be defeated by people doing what people do – caring. One of the harshest statements in the iOCTA report is this:
“the majority of reported attacks are neither sophisticated nor advanced” and mostly work “because of a lack of digital hygiene, a lack of security by design and a lack of user awareness”.
In other words, the majority of attacks could be prevented. Another study, by AT&T, states that over 90% of the attacks they log could be prevented! Phishing scams are still a major “user awareness” issue. Phishing is older than email, but email has enabled an explosion in both volume and quality. Current campaigns are crafted to take advantage of human nature, appealing to recipients to provide aid and relief to victims of recent disasters. Often the originator will copy a legitimate relief organization’s logo to look more credible. The double whammy is that, in addition to stealing your donation and credit card information, they may also deposit malware or ransomware on your computer!
What has become apparent is that traditional corporate “safe computing” training methods are not getting the job done. If such training were effective, phishing scams would be a thing of the past. Given how long this type of threat has existed, computer users should by now be highly aware of and alert to this threat vector, and if it were no longer effective, criminals would stop using it. Yet it is still an effective entry point for a multitude of threats. In fact, phishing is so effective that another category has been named: whaling, which is phishing aimed at high-value targets like CEOs and other C-suite executives. It is not just entry-level accounting clerks who are being targeted, so training and awareness need to improve for employees at every level, and they need to change behavior. University studies show that newer training techniques are needed in the fight against cyber crime. Training that is continuous and comes with specific feedback better drives the behavior changes required to minimize the risks your business faces. A closing thought: one of the key findings in the iOCTA report states in part that “…investing resources in prevention activities may be more effective than investigation of individual incidents.” What better prevention than training!