You work as a journalist for a news and media organisation that has seen a massive decline in readers and subscribers and, consequently, a direct and negative impact on its profit margin. The competitors are not sitting idle and have been producing major, in-depth, subscriber-catching stories like the recent cyber-attack on a shipping giant.
Your senior editor, your boss, has two objectives: increase the number of paid subscribers and improve profits. Cybersecurity, cyber-attacks and hackers are clearly buzzwords, and cyber-attacks pose a significant threat to every business, so the boss wants to imitate the success of competitors by focusing on everything cyber.
The boss orders you in and says:
“I need a juicy, headline-grabbing, revenue-increasing series of articles about cyber criminals. How they think, and how they attack companies. Go. Wait! I want to know why these attackers are succeeding despite the billions being spent on technology and awareness. Hurry.”
“Wait!” the boss shouts again.
“I want to scare the living daylights out of the readers. Make sure your work is a page-turner! Now go!”
The Juicy Bits in Cybersecurity:
You start reaching out to your contacts, asking them to arrange meetings with existing cyber-criminals and miscreants. In addition, you start contacting the defenders: professionals and practitioners who spend their lives defending against, chasing and, in some cases, apprehending the wrongdoers.
Finding and then interviewing bona fide cyber-criminals is not an easy task, but you have managed to speak to a few. In addition, you have had several useful discussions with practitioners who are at the coal-face of cyber-war. You have even seen some very insightful and cool demos of how hackers launch and succeed in cyber-attacks.
Remember, you have been tasked by the boss to present an attention-grabbing headline and a meaty story. You are in charge of kickstarting the fortunes of your employer. No pressure.
Yes, there are the sensational proof-of-concept attacks that involve baby monitors, sex-toys and cars. However, based on your interviews and research you have reached the following conclusions:
- The humble, ubiquitous email remains the most effective method of launching an attack.
- Most attacks are only successful because the attackers use their creativity during their planning stage.
- Many attacks reported as sophisticated and/or advanced turn out to be simple incidents that are only successful as a result of the failure of existing controls like password management.
- The sophisticated element of an attack often lies in the link or attachment, such as a malicious file, and comes into play after the email is opened and the file clicked.
- Most companies fall victim because they are unable to build solid foundations in cybersecurity and cyber resilience.
Finally, the human element remains a significant reason why attackers are able to breach a company’s defences. Cyber criminals keep using creative ways to trick us humans.
Ignore Email at your own peril.
In your discussions with cyber criminals who have succeeded in launching large scale attacks, the one outstanding theme was the use of email. Cybersecurity practitioners and experts agree.
Really! Email? - You, like many others, are finding it difficult to digest the fact that the unassuming, ubiquitous and boring email has such a key role in the early stages of an attack. You keep asking yourself:
- Why is email so important?
- Surely technology can help, right?
Let’s tackle the first question.
Why is Email Still so Crucial?
In a large majority of the attack scenarios that you were shown, email was the preferred tool for launching the attack. Some of email’s supporting roles in these scenarios include:
- Business Email Compromise (BEC): Fraud via email to steal money. The most effective method of convincing a supplier or customer to deposit money into another account is to use the established business communication channel: email.
- Creative Phishing: Using age-old techniques of urgency and sending the message out to thousands and thousands of people, hoping a few fall for it. Think of “Your debit card has been frozen”.
- Bypassing technology controls: Using simple forms from Microsoft’s Office or Google’s G Suite first to evade and bypass security technologies and then to fool even the most eagle-eyed veterans.
Employing Technology to Win the War
OK, maybe not win a war, but the right type of technology, configured and managed, can certainly help an organisation manage the ongoing threats posed by email.
Even the criminals indicated that they disliked companies that bothered to use good technology! What they hated more was the company that took the time to configure, tune and optimise its systems to ensure maximum protection and value.
Many practitioners stressed the need to employ a holistic email security and resilience solution. “Don’t just think you have an anti-virus technology or spam protection technology. Ask for more,” one of them said.
A summary of what to look for in a good Email Security Solution:
- Do they have the scale? Is your technology provider capable of handling, securing, assessing, archiving, encrypting (and more) large volumes of email?
- What visibility and leverage do they have? Is the vendor able to “see” a threat or virus originating in one part of the world and use that intelligence to offer you timely alerting and protection?
- Speak to the CTO and other senior and technical experts of the company. Are they passionate about the solution? Are they knowledgeable?
- Ask about email resiliency, email encryption and archiving.
- Importantly, ask how operationally friendly the system is after it’s implemented. Can the operations teams manage, learn and operate it with little effort?
Time to Face the Boss!
Remember the assignment? You have decided to present the three titles below to keep the boss happy.
- Most cyber attacks are NOT complex and NOT sophisticated
- Warning: Most Criminals are NOT sophisticated or Super Smart
- Organisations are mostly falling victim to DUMB rather than Smart Cyber Criminals
The boss calls you in for an urgent meeting. You walk in to see the editor’s face - it’s plastered with an array of emotions: anger, confusion and disapproval. Without a doubt, the boss is unhappy with your choice of titles. They are seen as unattractive and boring, and are unlikely to attract many clicks. No clicks will affect ad-revenue. No ads, no money. No money, no job.
You have a word with him and say the following: “I have spoken to a dozen cyber-criminals, read much detailed literature and spoken to several experts. The consensus is clear. Email is one of the most important mediums for attackers. Yes, the human is a weakness, but companies need to ensure that they are using the best technology solution that is easy to operate and manage.
“Finally, yes, many attacks are uber-sophisticated, but the fact of the matter is that the initial stages of an attack, very often, rely on the failure of foundational controls.”