You can’t go a week without seeing a story about a data breach or ransomware hitting organizations. These breaches can be very costly, but they still continue to show up. Are the good guys not winning the cybersecurity war? Organizations invest millions of dollars in security products and services, but they keep getting breached. We definitely have a skills gap problem making it almost impossible to hire enough qualified people to staff a good security program. We see a large migration towards SaaS (Security as a Service) offerings because organizations cannot successfully use the products they purchased and get the needed value from them, so this is helping in that regard, but they are still being breached. When you look into many of these breaches, the root cause boils down to an employee or contractor who clicked a link where malicious code was downloaded and executed on the system. This can happen via email, messaging or other delivery mechanisms where the attacker knows enough to entice the target to click the link. Employee security training is a huge business, but a lot of employees disregard it or it is so basic that it is almost useless. Most (but not all) of us know the Nigerian prince is not going to send us millions of dollars to help get it out of the country. That is a typical shotgun approach to phishing where the cost is very low and just a fraction of a percentage success rate makes it worthwhile. The newer attacks, like spear phishing, are much better at quickly harvesting information about you, and people like you to develop a more enticing link for you to click. Way too often, I hear people talk about these attacks and say “It does not affect me. I am not important enough for anyone to target me.” But this is completely wrong. It is easy to find out a lot of information about a person using social media, public records searches and just looking at the forums or subreddits they participate in every week. Attackers are not just looking for information on your company executives anymore; they are looking for any crack in which to sneak into the organization, and they can branch out from there. Armed with this information, the attackers are much better prepared to tailor emails for groups of people or even target specific people. Examples of how harvested information can and has been used:
- Public social media posts about going on vacation can result in fake emails from hotels, restaurants and attractions at that location.
- Companies list partners or top customers on their websites. This allows attackers to target your organization posing as someone from the other company.
- Reddit subreddit participation or forum shows areas of interest that can be used to craft attacks.
- Listed as a member in professional organizations allows attackers to target the members with content related to the organization or job function.
Recently, there was a rash of emails targeting procurement departments at various companies. Many of the recipients thought they were not targets for spear phishing, but the attacks succeeded in several cases since they were tailored to this specific job function. Training employees and contractors to be skeptical about these types of communications both at work and at home is crucial. The days of phishing emails with outlandish claims and typos are mostly over; today's attacks are much more targeted. Read more about spear phishing and other common phishing attacks.
