Cyber crime is rampant, increasing in frequency and ferocity, taking longer to resolve, and costing far more than ever before.
Organisations are operating in an era of unprecedented volatility combined with the rapid pace of changes in technology. This convergence has created a challenging new cyber reality for organisations regardless of size, industry or location.
Cyber risk is rated #5 among the top 10 risks facing business in Aon’s 2017 Global Risk Management Survey, which has thrown the human factor in cyber risk into sharp focus. A PwC report released in 2016 placed current employees as the top insider cyber risk to businesses.
The Aon ERM Centre of Excellence teamed up with Rudi Dicks to demonstrate how employees are the biggest cyber security threat.
Rudi is a hacker – with permission of course – and according to Rudi, the easiest way to hack into a network is by exploiting the one vulnerability most often left unpatched – human nature.
Why bother fighting through all the security management systems deployed by a competent IT department, when instead a hacker can get an employee to click on something they shouldn’t and gain full access to the infrastructure, bypassing all the costly and very best security measures? It’s much easier than people think.
Method 1: Using the LinkedIn platform, a hacker will search for employees of a target company with more than 500 professional connections. They then pick one of these employees – let’s say Joan, in HR – as the target of their attack. The hacker sends Joan a fake e-mail notification from a high-level executive, the head of HR for a big bank for example, wanting to connect with her. Joan, who has already received many such requests, won’t think twice about clicking on the link. At this point, unless the IT department is up to date on every single patch (including Joan’s favourite browser, something that usually must be done manually on each machine), the hackers have gained access to her machine. They have bypassed the firewall and anti-virus and can read or copy any information Joan has access to, including her cloud storage, mail and documents. They can even turn on her webcam to see whether she is at her desk, or record her keystrokes.
Hackers exploit human nature. They know that people are generally helpful and curious and hackers don’t hesitate to use this to their advantage. Joan is not a bad person, and it’s nothing personal, but more often than not, she is their key to the “good stuff”.
Method 2: A hacker walks up to reception wearing a suit and tie and pretends to be flustered. “I’m here for an interview and I’ve just spilled coffee on my CV. I have to make a good first impression! Please could you help me print a copy of my CV from my memory stick?”
Presto – in goes the memory stick and the receptionist runs the program that looks like a PDF file (but isn’t). She is understanding and sympathetic when the file doesn’t open, and eventually, in exasperation, the hacker tells her he’s going to run back to the car to look for another copy. Job done! He now has access to her machine and can use it to gain access to other computers on the network, because who wouldn’t open an email from their friendly receptionist?
Method 3: Hackers leave USB memory sticks lying around their target’s offices or parking lot if the building is access controlled. The stick is clearly marked as ‘confidential’ or even ‘payroll’ – who can resist? If employees haven’t been taught better, someone will plug that stick into their computer and run the hacker’s file, giving him full access. All he has to do is play to human nature.
How does the IT department stop people from being caught by these attacks?
Part of the problem is in the question. Technical people try to solve people problems with technical solutions. IT departments get into a cat-and-mouse game with attackers by installing new tools to prevent cyber attacks, while hackers simply write new exploits and code that circumvent those tools.
A far better approach is education. Cyber awareness training shows employees how they can be exploited and what to do to prevent it, drawing on real case studies. Effective, ongoing education is key to employees being the greatest asset in the fight against cyber crime.
Michael Ferendinos is the Enterprise Risk Business Unit Head at Aon South Africa and Rudi Dicks is the Senior Cyber Consultant at BDO Forensics and Cyber Lab.