Samuel Daniels

Did you take your cybersecurity vaccine?

What if I told you that your bank got hacked today? Chances are that you will rush there the next day to do a panic withdrawal. Well, the banks are well aware of this fact; that is why they don’t tell you when they get hacked. Cyber attacks are on the rise, and banks are the ultimate priority for the perpetrators, since that is where the money is.

The Dilemma

The banks are invariably faced with a dilemma: weighing the direct financial damage caused by cybercrime actors against the indirect, and potentially far larger, fall in transactions when current and potential customers lose confidence.

The Federal Bureau of Investigation (FBI) outlines three primary motivations of cyber threat actors. The “organised crime” group is usually motivated by financial gain, and the “state sponsors” use cyber attacks to fulfil some political or international relations agenda. The third group of actors are people who are motivated by ideologies. This gives three categories of motivation for cybercrime, namely economics, politics and ideology [1].

Ghana as a country is not immunised against cyberattacks. The image below was taken on 10th June, 2022 at 21:31 GMT. At the time, Ghana was the 88th most attacked country in the world. This figure can only get worse. 

Mutation of cyber attackers

Cyber attackers have mutated as the technical defences against them have improved significantly. Attackers have adapted by focusing on the weakest link: people. Sadly, too many companies are oblivious to the urgency of the situation, thereby making it easy for the attackers to succeed. People have always been the weakest link in the cybersecurity chain. And almost all cyber attackers leverage this to their end game. 

Admittedly, many companies, particularly the banks, are improving in their fight against cyber attacks, yet the “crafty” attackers still use the companies’ employees as the weakest links to access the companies. The irony is that you can fit a stronger lock on your door, but if you are still leaving the key under your doormat, you are really not making any headway.

Cyber attack surge

The current surge of cyber-related attacks is not because people are not cognisant of the deadly weapons the perpetrators use. For instance, many people have heard of, and probably experienced, phishing: emails or messages asking them to take some action, such as “Your email account was compromised. In order to secure your account, click on the link below to change your password”.

Even though these methods seem rudimentary, they still achieve a 1% to 3% success rate [2]. The image on the left is a typical example of phishing. This is one of the most frequently used social engineering tactics employed by cyber attackers to lure people into their web.

Currently, most attackers are migrating from generic phishing methods to a more personalised approach. A typical example is an email apparently sent from the CEO to the CFO that begins by mentioning things they discussed at lunch last week and then requests that money be transferred immediately for a high-priority project. He may even conclude in a more intimate tone, for instance: “There is no time to explain this transfer; when we meet in the office for the strategic meeting, I’ll explain everything.” The CFO in this case may issue the transfer because nothing shows that it isn’t the CEO talking. These attacks are increasingly popular because they have a high success rate.

Until recently, many organisations were treating cybersecurity as an afterthought. In fact, some still do. Many companies don’t mind hiring reputable security companies to safeguard their assets but make no conscious effort to improve their own cybersecurity. The reality is that cyber attacks only succeed when cybersecurity fails.

The way forward

Battling cyberattacks is not a matter of distributing fliers about cybersecurity, sending people to a one-time training class, or asking employees to view a 30-minute video. These have proven to be worthless, since people complete them but don’t retain enough to change their attitudes. Many companies are of the view that the moment they hire a chief information security officer (CISO), their cybersecurity problems will be curbed. That is not always the case; fighting cyberattacks is not just the work of a CISO. It must be a collective effort.

Phishing test

Companies must frequently run phishing tests for their employees, whereby potentially dangerous-looking emails are sent to employees to see who will fall for them, with feedback to the careless employees and reminders that suspicious emails or events should be reported. Employees who respond correctly to the test may be rewarded, while those who consistently fail the test may be cautioned or even fired. By regularly running phishing tests in your organisation you will raise your employees’ cybersecurity awareness and enable them to spot the telltale signs of phishing emails.
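As an added example (not part of the original article), the script below shows how the results of the phishing tests described above can be tracked over time: per-campaign click and report rates, staff who reported every test (to reward) and staff who clicked in several tests (to caution). The campaign names, employee names and outcomes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample results from three simulated phishing campaigns.
# Each record: (campaign_id, employee, outcome), where outcome is one of
# "reported" (flagged the email), "ignored" (did nothing) or "clicked" (fell for it).
RESULTS = [
    ("2022-Q1", "ama", "reported"), ("2022-Q1", "kofi", "clicked"),
    ("2022-Q1", "yaw", "ignored"),  ("2022-Q1", "esi", "clicked"),
    ("2022-Q2", "ama", "reported"), ("2022-Q2", "kofi", "clicked"),
    ("2022-Q2", "yaw", "reported"), ("2022-Q2", "esi", "ignored"),
    ("2022-Q3", "ama", "reported"), ("2022-Q3", "kofi", "clicked"),
    ("2022-Q3", "yaw", "reported"), ("2022-Q3", "esi", "clicked"),
]


def campaign_rates(results):
    """Return {campaign: (click_rate, report_rate)} as fractions of recipients."""
    counts = defaultdict(lambda: {"clicked": 0, "reported": 0, "total": 0})
    for campaign, _, outcome in results:
        counts[campaign]["total"] += 1
        if outcome in ("clicked", "reported"):
            counts[campaign][outcome] += 1
    return {
        c: (round(v["clicked"] / v["total"], 2), round(v["reported"] / v["total"], 2))
        for c, v in sorted(counts.items())
    }


def classify_employees(results, fail_threshold=3):
    """Split staff into those who reported every test (reward) and those who
    clicked in at least fail_threshold tests (caution)."""
    per_user = defaultdict(list)
    for _, user, outcome in results:
        per_user[user].append(outcome)
    reward = sorted(u for u, o in per_user.items() if all(x == "reported" for x in o))
    caution = sorted(u for u, o in per_user.items() if o.count("clicked") >= fail_threshold)
    return reward, caution


def click_rate_improving(results):
    """True if the click rate in the latest campaign is below the first one."""
    rates = list(campaign_rates(results).values())
    return rates[-1][0] < rates[0][0]


if __name__ == "__main__":
    for campaign, (clicks, reports) in campaign_rates(RESULTS).items():
        print(f"{campaign}: click rate {clicks:.0%}, report rate {reports:.0%}")
    reward, caution = classify_employees(RESULTS)
    print("reward:", reward, "caution:", caution)
    print("click rate improving:", click_rate_improving(RESULTS))
```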

Conclusion

Just as vaccines are necessary for humans to help fight and prevent diseases that could result in death, companies should wake up to the importance of cybersecurity. Cyber attackers won’t stop their attempts but by ensuring technological security and especially by tightening human loopholes, managers and employers can ensure that their companies don’t meet an untimely collapse at the hands of such scheming perpetrators.

References

[1] Emilio Smith Troy, “A Conceptual Review And Exploratory Evaluation of The Motivations for Cybercrime”.

[2] Madnick Stuart, “How Companies Can Create a Cybersafe Culture at Work”, MIT Management Sloan School.
