When I picked up the newspaper from the table, surprisingly the front page had no breaking news. Instead, it was occupied by big bold letters: in the center of the page was an advertisement from Google Cloud Services.
It read, ‘Go make it we’ll protect it…’
Well, I must say this well-crafted tagline from a behemoth like Google succinctly summarizes the growing threat of cyber attacks and the importance of safeguarding organizational networks from constantly emerging cyber threats. While organizations the world over are continuously improving their safety measures such as firewalls, biometrics and other anti-threat mechanisms, cyber criminals, hackers and attackers innovatively target untrained, careless and sometimes indifferent users or employees, and are able to successfully penetrate the network.
Let’s look at some sobering numbers to understand how the human element can become the weakest link in cyber security.
1. 92.4% of malware is delivered via email
OMG! Is that not shocking?
Most organisations conduct the majority of their communication, both external and internal, over email and receive hundreds of emails a day. Email is one of the easiest ways for hackers to gain access to your system. If you have ever felt that your data will never be hacked, it is time for a self-check.
Some of the common email subject lines that are likely to trick you are:
- You have won 1 million US Dollars. Click here to claim…
- Your bank account is hacked, please respond via the following link…
- Your email ID has won our daily jackpot. Follow the link to claim
- Your system is heavily infected. Download our free tool to scan your system
A click on such spam links can run scripts that install malicious code to steal data from your system.
What does it mean for the organizations?
Because such a high percentage of malware arrives through email, organizations can use these numbers to develop a comprehensive infosec awareness program on email security, which can help shape a more risk-aware, and thus risk-averse, employee culture.
2. 91% of cyberattacks begin with a spear phishing email
A highly targeted phishing attack is called spear phishing. Personalizing attacks using private details about the targets, or impersonating someone they trust, are common forms of spear phishing. Over time, spear phishing efforts continue to evolve and grow, making it increasingly difficult to differentiate them from legitimate communications.
Phishing can come in the form of:
- Phony confirmation emails for e-commerce purchases
- Job applications
- Failed delivery notifications
- Security updates
- Legal notices from the income tax department or any other government department
Each of these can be used to instill a sense of urgency or fear to further increase the target’s probability of taking the bait.
What does it mean for the organizations?
Organizations should identify their potential human vulnerabilities, such as new joiners and the contractual workforce, who are likely to be the targets of cyber attacks due to their lack of knowledge of and exposure to the use of email. A comprehensive infosec e-learning program designed specifically for channel partners, the contractual workforce and similar groups must be put in place.
3. 60% of small businesses say attacks are becoming more severe and more sophisticated
‘Let’s not fear cyber attacks; we are not a big corporate firm yet, and hence there is no requirement for cyber security training or other safety measures.’ I have heard this many a time while talking to small and medium-sized enterprises, who perceive that cyber attackers and hackers will never target them. But this is not true, as smaller organizations are more vulnerable due to weaker IT systems and hence easier for cyber attackers to penetrate.
What does it mean for the smaller organizations?
Smaller organizations should have a four-step process towards cyber security:
- Install antivirus software on all systems, mobiles, etc.
- Take data backups regularly
- Designate a person or persons for incident reporting and for the immediate measures to be taken in case of a cyber attack
- Invest in an infosec e-learning program: an off-the-shelf program if not a custom-developed one
4. 88% of malicious emails use malware-laden attachments
‘The email has an attachment, let me see what it is…’ This curiosity exists in many of us, and hackers know how to take advantage of it effectively.
Hence, the next time you see an attachment in your email, take a moment to confirm that the attachment is a valid one and not malware. It is always recommended to scan files before downloading them.
What does it mean for the organizations?
Organizations should have an anti-threat mechanism that blocks such attachments and prevents them from being downloaded. A comprehensive infosec e-learning program on email security should cover attachments, links, phony emails, impersonated emails, emails demanding urgent attention, etc.
5. Mobile Malware Continues Its Surge: Variants Up 54%
With mobile penetration and usage reaching unprecedented levels, mobile malware, unpatched devices and grayware continue to be an easy way for hackers to target mobile phones. Although grayware is not malicious, it has the potential to leak personal phone numbers etc.
What does it mean for the organizations?
Most modern organizations promoting a BYOD culture should be vigilant and should have a mechanism to scan devices (mobiles, laptops or any other personal devices) for any malware threat. A comprehensive infosec e-learning program designed specifically around BYOD security measures and mobile device security must be put in place.
Global cybercrime damages are predicted to cost $6 trillion annually by 2021. This staggering number is perhaps bigger than the economies of several developing countries. With more and more organisations using the latest technology and facilities such as hosting files on cloud servers, cloud computing, artificial intelligence, etc., the value of the information available on the internet is huge, and a loss or breach of that information can bring huge losses to companies.
Human error, inadvertent or deliberate, continues to be the root cause of most cyber attacks. Hence it is worthwhile for organizations, large or small, to have effective training on cyber security that covers basic awareness-level issues for all employees. Another important area to include in infosec e-learning is the training of the incident reporting and management team.