By now everyone recognizes that cyber-attacks are happening regularly and to everyone from home users to massive multi-national organizations. The topic has been discussed ad nauseum, and the Internet is full of helpful articles about what to do. However every week we see breaking stories where organizations are being compromised and a data breach has occurred. Recently we saw how cyber criminals brought down fitness giant Garmin for 4 days with a Ransomware attack. This not only impacted athletes who couldn’t record their runs and workouts but more importantly, the attack had a major impact on the airline and maritime industry where Garmin App’s are used to perform critical functions. Coming closer to home, we have just seen the Experian breach, where the personal data of 24-million consumers and nearly 800,000 businesses landed in the wrong hands.
We have also started to see new methods such as “synthetic media” which is the artificial production, manipulation, or modification of media, like audio or video, for the purposes of misleading someone. Witness a case last year in Europe, where a fraudster made a call using AI voice technology and impersonated a group CEO’s voice with the same mannerisms and tone. This fooled a branch CEO who made a payment in excess of R 4 Million to a fraudulent bank account. This has serious ramifications for organisations as these ‘deep fakes’ could be used maliciously for many fraudulent activities like entrapment, defamation, extortion, and market manipulation. Some cyber security companies and industry players are already looking at ways to authenticate videos, photos and text on the internet to ensure authenticity.
Why are these cyber-attacks continuing to happen even though there are large amounts of literature covering this topic? The simple (and unexciting) answer is education! In most of the major incidents lately, the actual event which starts the compromise is human-related and often couldn’t have been stopped by hardware, software or robust IT policies! Put simply: the more educated and trained employees are, the less chance there is of a successful breach like the Experian Breach.
It’s tempting and sometimes easier to just buy some products which claim to protect you. The firewall market, in particular, is full of exciting phrases like “sandbox detonation” or “deep packet inspection”. And anti-virus companies are racing to include as much machine learning and AI into their products. These products are still essential, however, don’t let them lull you into a false sense of security. A user in your network, with high permission levels, can still bring your business to its knees by clicking a link or opening an attachment. Likewise, someone in a finance department can cause untold damage by changing the bank details of one of your suppliers or loading a once-off payment after receiving an email from ‘the FD’. Arguably phishing, ransomware, malware and social engineering are becoming more common attack methods for cyber criminals and they don’t require huge technical know-how. They all just rely on fooling humans. In the case of the Experian breach, if their explanation is true, the data got into the wrong hands entirely through social engineering and this shows that the organization was not adequately equipped to manage the threat. There is little doubt Experian had the traditional cyber-security tools in place and presumably they were up-to-date and monitored. In this case, the IT team wouldn’t have noticed a thing.
Educating users, and keeping them educated, is probably the single most effective way of preventing a data breach disaster. It’s also the cheapest! So while you still need your sandbox-detonating, machine-learning, next-generation firewall you must never forget the actual targets of modern hackers: people.