17 December, 2018

The Ignorant Human: Data’s Biggest Threat

Author: Andrew Cavin

For all the money spent on expensive software solutions and expert consultation, an organization is still at tremendous risk if it is not developing a culture of security as part of its normal business practices. Many organizations have 24/7 teams dedicated to monitoring and incident response, but what about every organization's weakest link? The best technology in the world is no match for the simplest and most obvious threat to any organization: the people. The Anti-Phishing Working Group's (APWG) Phishing Activity Trends Report found that there were over 1.2 million known phishing attacks in 2016, a 65% increase from 2015. APWG's 2018 Q1 report included the following highlights:

  • The online payment sector was targeted by phishing more than any other industry sector
  • Phishers continued to fool Internet users into complacency by using HTTPS protection on phishing sites
  • By Q2 of 2018, more than a third of phishing attacks were hosted on websites that had HTTPS with valid certificates
  • Phishers were generally using domain names in the largest top-level domains and at the largest registrars

[Figure: pie chart of phishing attacks by industry sector; online payments is the most targeted sector]

Phishing emails are designed to gain attention and typically contain a call to action. Employing both social engineering and technical subterfuge, phishing attacks allow criminals to steal consumers' personal identity data and financial account credentials, among other sensitive information. Financial information is a significant target for phishers, accounting for roughly half of the phishing attacks on the Internet. According to the FBI, phishing scams cost businesses over $5 billion from 2013 to 2016.

What to look for:

  • Any request via email to move to a separate site and input credentials. FULL STOP. Phishers will use well-known logos and spoofed email addresses to appear as legitimate as possible. Any request for credentials should be a cause for alarm.
  • Emails coming in the form of a help desk support ticket or a message from your bank.
  • Calls to action: any email requiring time-sensitive input of credentials should be cause for scrutiny.
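The three indicators above can be checked mechanically before a message reaches a user. The script below is an added example, not code from the original post or its author: it parses a raw message with Python's standard `email` library and flags a Reply-To domain that differs from the From domain (a spoofed-sender signal), a link whose visible text shows one domain while the href goes to another, a credential request that sends the reader off the sender's own domain, and time-pressure wording. The two messages and every domain in them are constructed samples; the keyword lists and the two-label "registrable domain" rule are simplifying assumptions.

```python
"""Flag the phishing traits an awareness program teaches people to spot.
Added example (not from the original post); sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists; a production filter would use a richer model.
URGENCY = ("immediately", "within 24 hours", "will be suspended", "act now")
CREDENTIAL_WORDS = ("password", "credentials", "log in", "login", "verify your account")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumes simple TLDs)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    _, from_addr = parseaddr(msg["From"] or "")
    from_dom = registrable(from_addr.rpartition("@")[2])
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(msg["Reply-To"])
        if registrable(reply_addr.rpartition("@")[2]) != from_dom:
            flags.append("reply-to domain differs from From domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = ((msg["Subject"] or "") + " " + content).lower()
    if any(word in text for word in URGENCY):
        flags.append("time-pressure wording")
    asks_creds = any(word in text for word in CREDENTIAL_WORDS)
    collector = LinkCollector()
    if body is not None and body.get_content_type() == "text/html":
        collector.feed(content)
    for href, anchor in collector.links:
        href_dom = registrable(urlparse(href).hostname or "")
        # Anchor text that displays one domain while the link goes elsewhere.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", anchor.lower())
        if shown and registrable(shown.group(0)) != href_dom:
            flags.append(f"link text shows {registrable(shown.group(0))} but goes to {href_dom}")
        if asks_creds and href_dom != from_dom:
            flags.append(f"credential request pointing off-site ({href_dom})")
    return flags


# Constructed sample messages; all domains are placeholders.
PHISH = """\
From: "Example Bank Support" <support@example-bank-alerts.test>
Reply-To: helpdesk@mail-verify.test
To: user@corp.example
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed unusual activity. Please log in immediately
or your account will be suspended.</p>
<p><a href="http://example-bank.verify-login.test/login">https://www.example-bank.test/login</a></p>
</body></html>
"""

LEGIT = """\
From: "Alice" <alice@corp.example>
To: bob@corp.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Are you free Thursday? The menu is at https://cafe.example/menu
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(sample))
```

The checks mirror the post's advice rather than replacing a mail gateway: a message that trips several of them is exactly the one a user should report instead of clicking.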

What can be done:

  • Increase employee security awareness: This means not simply training your employees, but putting them through regular assessments to gauge attention to detail and susceptibility to attack. October is National Cyber Security Awareness Month, and treating that one month as the whole program is a problem. Educating your people should not be a checkbox ticked once a year. It needs to be consistent.
  • No-fear reporting: Users should also be trained to let their security team know when they do make mistakes. A culture of punishment, rather than one that treats a mistake as an opportunity for education, discourages reporting and leaves an organization unable to identify a compromise that began with a user.
  • Use a password manager: A strong password management solution uses auto-login and auto-fill technology that analyzes a webpage's address before filling in a user's sensitive information. Criminals using spoofed domains will not succeed when a password manager recognizes that the URL is not the saved one and refuses to auto-login. A password management system also discourages the reuse of passwords across sites, thus limiting the attack surface for a criminal.
  • Multi-Factor Authentication: MFA is a security system that requires more than one method of authentication from independent categories of credentials to verify a user's identity for a login or other sort of transaction. Enabling MFA on online payment applications and on any application containing potentially sensitive information adds another layer of security that prevents an attacker who has phished a password from using it alone to access the application.
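The password-manager bullet rests on one decision: fill the saved credentials only when the page's origin matches the entry. As an added example (not the original post's code, and not any particular product's implementation), the block below shows that origin check and the duplicate-password check the post credits managers with. It assumes a two-label "registrable domain" rule, which is a simplification of the Public Suffix List real managers use, and every URL and vault entry in it is a constructed placeholder.

```python
"""Origin matching and password-reuse detection as a password manager does it.
Added example (not from the original post); URLs and vault are constructed."""
from collections import defaultdict
from urllib.parse import urlparse


def registrable_domain(host):
    """IDNA-encode and lower-case the host, then keep its last two labels.
    Assumption: simple TLDs only; 'co.uk'-style suffixes need the PSL."""
    try:
        host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # a host we cannot normalize is never trusted
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def should_autofill(saved_url, current_url):
    """Fill only when the current page is HTTPS and shares the saved entry's
    registrable domain. Lookalike domains, a genuine name used as a subdomain
    of an attacker's domain, and plain-HTTP downgrades all fail this test."""
    current = urlparse(current_url)
    if current.scheme != "https":
        return False
    saved_dom = registrable_domain(urlparse(saved_url).hostname or "")
    current_dom = registrable_domain(current.hostname or "")
    return saved_dom is not None and saved_dom == current_dom


def reused_password_groups(vault):
    """Return groups of sites (by registrable domain) that share a password."""
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(registrable_domain(urlparse(site).hostname))
    return [sites for sites in by_password.values() if len(sites) > 1]


# Constructed sample data.
SAVED = "https://www.example-bank.test/login"
VAULT = [
    ("https://www.example-bank.test", "Tr0ub4dor&3"),
    ("https://shop.example", "Tr0ub4dor&3"),
    ("https://mail.example", "correct horse battery staple"),
]

if __name__ == "__main__":
    for url in (
        "https://login.example-bank.test/auth",                 # same site, fills
        "https://example-bank.test.verify-login.test/login",    # real name as subdomain
        "http://www.example-bank.test/login",                   # downgraded to HTTP
        "https://examp1e-bank.test/login",                      # digit-one lookalike
        "https://ex\u0430mple-bank.test/login",                 # Cyrillic 'a' lookalike
    ):
        print(url, should_autofill(SAVED, url))
    print(reused_password_groups(VAULT))
```

The user who types a password into a lookalike page is fooled by what the page looks like; the manager compares what the page is, which is why it stays silent on every case after the first one.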

Want to test how your employees respond to phishing?

Our team runs realistic phishing assessments that measure your organization's susceptibility and identify areas for targeted security awareness training. Reach out to discuss an engagement.
