You might think your company can prevent a hacker from coming in through your front door – but chances are at least one of your employees is more likely to invite them in for tea.
Despite years of scare tactics most organisations are still sitting ducks and have no idea how to manage a “truly scary” cyber incident, according to one penetration tester who claims his team has never failed to get employees to hand over their passwords.
Indeed, laughs Michael Connory, CEO of security consultancy Security In Depth (SID), the easiest way to get an employee to share their username and password is simply “to send an email and ask them for their username and password”.
Most companies don’t implement any protection beyond usernames and passwords – so once those credentials have been shared, the door is wide open for cybercriminals to access internal email systems, document repositories, confidential documents, and the rest of the network.
We’re making hackers’ jobs too easy
Users’ innate trust in emails, combined with busy working lives that mean they don’t always question unusual requests, have made social-engineering tactics devastatingly effective.
Cybercriminals bury malicious code in seemingly innocuous ‘spearphishing’ emails that copy the branding of Australia Post, AGL, Centrelink or other trusted organisations.
Others may be framed as a request supposedly from the company’s technical support team, asking the user to click a link that leads to a simulated login page requesting that they enter their access details.
Spearphishing is stunningly common – fully 88 per cent of respondents to Proofpoint’s recent State of the Phish report said they had dealt with such attacks in 2019 – and Connory, whose team is regularly hired by companies to test their security defences, claims a 100 per cent success rate in manipulating employees at target organisations.
“We have never, ever not been able to do that,” he says.
The firm has also had great success using USB drops – in which a USB stick loaded with malware is left in an obvious location such as the company carpark, just begging a curious employee to plug it into their computers.
That technique – which 81 per cent of Proofpoint respondents said they encountered last year – proved dangerously effective when the SID team probed one client environment, standing in for a vacationing Chief Information Officer to send malware-laden USBs to his team.
“We said the drives were from him and that they were the only drives employees were allowed to use, for security purposes,” Connory recalls.
“Someone plugged in a drive and it instantaneously downloaded the malware – and we had access to their network within 30 seconds.”
An all-too-common story
Connory’s reports from the field corroborate the findings of the Nuix Black Report, a 2018 survey of professional hackers who were, on average, confident they can penetrate a network, identify and steal critical data in less than 15 hours.
Such claims are a slap in the face for Australian government bodies and businesses that will this year spend around $21b to protect their mission-critical data.
Despite so much cash being splashed on latest-and-greatest security technologies, hackers’ success in deceiving staff has made the expenditure far less effective than many would like.
Indeed, hacking has become unnecessary in many cases: once they finagle passwords from their victims, hackers can take over an executive’s email and engineer complex frauds on staff who believe they are being instructed by their superiors.
Such business email compromise (BEC) techniques have become a major money-spinner for fraudsters who no longer need to contemplate relying on brute-force botnets and surreptitious malware infections.
“People just don’t have the understanding, knowledge, or training to be able to recognise when someone is attacking them these days,” Connory says.
“Things like large multinationals, banks, and health funds have got their act together – but once you take away the top 30 companies away, you’re looking into the abyss.”
Most companies base their cybersecurity on ad-hoc policies, he explains, with poor password management endemic, few companies monitoring their networks for intruders, and preventive technologies like 2-factor authentication (2FA) rarely encountered in the field.
A recent survey of 300 Australian small and medium businesses, conducted by Gartner subsidiary Capterra, highlighted the extent of the problem.
More than 13 per cent of the respondents said they had fallen victim to a phishing email, while over 9 per cent weren’t sure.
Yet only 39 per cent of respondents knew who in their organisation to contact about data security, privacy or compliance issues – and 37 per cent of staff said they had never received any training about how to keep data secure.
That’s not good enough, Connory says, for a business climate in which no less than the World Economic Forum has warned that cybersecurity is one of the biggest threats to world economies, just trailing issues like natural disasters and terrorism.
“It’s going to get worse this year,” he says, “because the government hasn’t really focused on any those effectively – so we don’t have the local expertise and skills to be able to identify and help, and implement programs across the board.”
