As industries begin to grasp the true extent of cyber risks, businesses are increasingly turning their focus towards beefing up their cybersecurity capabilities. However, technological solutions have their limits, and many experts say that humans are the weakest point in cybersecurity, with social engineering and human error as major causes of breaches.
Theo Zafirakos (pictured above), chief information security officer at Terranova Security, spoke with Corporate Risk and Insurance about the threat of phishing, which is one of the most popular vectors of cyber attacks.
Phishing is a type of social engineering attack where the perpetrators pretend to be a legitimate entity, such as a reputable business or someone the victim personally knows, to convince the victim to click on a link and enter information on a fraudulent website. This will allow attackers to steal money, personal information or gain access to a target network. It is a corruption of the word “fishing”, as attackers are “fishing” for information by trying to get victims to take the “bait.”
“Regardless of its size, organizations continue to face cyber threats that can potentially cost millions of dollars,” Zafirakos said. “In 2021, 39% of Canadian businesses were victims of a ransomware attack the prior year. In addition, 65% anticipated being subject to a ransomware attack in the future.”
According to Zafirakos, the complexity and sophistication of cyber attacks continues to grow, so businesses realize the need to properly invest in cybersecurity on all fronts, including security awareness training.
With over 3 billion fraudulent emails sent daily, Zafirakos said each employee is at risk of being the target of a scam and leaving sensitive information vulnerable in the process.
“According to our 2021 Global Phishing Benchmark Report, nearly one in five employees will click on a phishing link when presented with one during a phishing simulation,” he said. “These results showcase the urgent need for security awareness education initiatives and the importance of changing end user behaviors through cybersecurity best practices.”
It’s not only young or inexperienced employees that are at risk of clicking a phishing email. Even veterans and C-suite officers can be tricked by cyber criminals using phishing scams.
“Many people, especially C-suite employees, often do not have the time to look closely at the email address to recognize fraud,” Zafirakos said. “Cyber criminals take advantage of this to spoof and compromise email accounts. These and other tactics are referred to as social engineering.
Some other social engineering tactics are phishing, spear phishing, trap phishing, and smishing (SMS phishing). AI and machine learning are also becoming increasingly popular. Cyber criminals can use AI to evade detections and can also be used to identify vulnerable connections that can be an easy target.”
Ramping up protection against phishing attacks
According to Zafirakos, managing cyber risk across businesses and enterprises has become more challenging due to the rise of remote and hybrid workforces.
“Risk managers and their organizations are now exposed to more complex threats, making cyber attacks much harder to detect,” he said. “As a result, educating all employees on security awareness fundamentals is crucial to spotting and reporting incoming cyber threats.
“Cyber security training should be at the top of any organization’s priority list. It is the first line of defense, and adequately preparing employees to recognize and combat potential threats can help any business from falling victim. There is no one-size-fits-all approach, as every organization has different vulnerabilities. Still, the secret of any good security awareness training program is teaching your employees how to mitigate the threats they are most likely to encounter in the workplace.”
Due to cyber crime being very profitable for nefarious actors, Zafirakos said that it will only continue to grow. Phishing attacks will continue and use every possible digital vector, including email, phone, text message, social networks and other public cloud services.
“With an estimated 15% growth per year and the cost of cyber crime potentially reaching upwards of US$10.5 trillion by 2025, the next few years will be vital to how organizations prioritize cybersecurity,” he said. “As organizations continue to enable a remote workforce and cloud adoption, cyber criminals will adjust their social engineering and phishing tactics accordingly. They will imitate popular and frequently used brands and service providers to deliver attacks that may be more difficult to detect.”