All reports indicate that phishing attacks have seen a tremendous rise. Ransomware is, quite visibly, making all kinds of headlines. Experts believe there are possibly more zero-day exploits dormant all over the place than we could ever account for, and who knows how many companies out there have suffered a data breach but are yet to report it. Somehow, even though all of the above is widespread knowledge, it seems that cybersecurity threats are only growing stronger. There’s been a pronounced rise in cyber crime, and it seems experts agree that it’s getting worse. Several important factors are causing this, and they only make it more likely that the impact of these threats will be felt in the short term and beyond.
Scammers are now forced to get more creative, particularly in focussing on all forms of social engineering. They are getting stronger data, producing stronger copy, using more sophisticated methods of bypassing filters and signature-based scans (not ours, however), and using all forms of psychological cues to reel in a victim (pun intended).
The Lack of Awareness
There is a lack of awareness among those on the receiving end of the scams. Way too many email users will open a phishing email (and even a second time without learning a lesson). And it’s fair to assume if you were to subtract all those who’ve received proper awareness training (or at least read this post…or another), that number would be much higher. Human error in cybersecurity is still a leading cause of many if not most data breaches.
Training New Internet Users
This is compounded by the fact that in the past decade the number of internet users has doubled, and it is up nearly 60% over the last five years. Yet, still just over half of the world’s population is online. This means that hundreds of millions of people are coming online for the first time every year.
There is no test for someone coming online for the first time on how to spot an internet scam. To put it bluntly, the rate at which internet users are being cyber educated is being far outpaced by the number of new internet users. Simultaneously, there’s an incentive for an increasing number of new threat actors to simply jump online and start trying to pull off quick scams. With user growth, the payout for criminals increases, making cyber crime the fastest-growing crime in the USA.
Then there’s the complexity of attacks. Attacks are becoming multi-pronged, with objectives ranging from corporate espionage to cyber warfare, from selling data to basic ransomware, and so much more. The methods could range from highly targeted to casting a vast net. They could range from gaining access to an email account to leveraging a zero-day exploit, from spyware via a malicious attachment to a smish (SMS phish). All this makes for a complex landscape that can require a forensic specialist to determine how, where and when the breach or attack first occurred.
A whole slew of other factors are compounding the prevalence of attacks. Attacks are low cost to the hacker, with a high potential payoff. People are using non-secure public Wi-Fi. BYOD and the move to the cloud give a new level of access to once-firewalled networks. IoT devices are a ticking time bomb.
Ultimately, besides medium to big businesses, which may provide basic awareness and training, very little effort is put into educating the general population. Does your average organization provide an awareness and training program (at least 35% don’t)? Let alone teach how to spot a phishing email? Or have MFA? Or even know what makes a strong password?
University students, retirees, SMB workers, non-tech workers, and even large corporations before an attack are at serious risk without proper awareness training. Cybersecurity Awareness Month is one thing, but a lot more needs to be done.
Further reading on some Cyber Crime Stats and Trends:
A 2017 Cyber Crime report by the Herjavec Group
A list of 100+ stats compiled by Comparitech on cyber crime.
The US-CERT’s short guide on avoiding Phishing and Social Engineering attacks.