Targeted spear phishing has been widely reported to be the most effective method of breaching an organisation’s information security defences. In 2013, Trend Micro reported that over 90% of successful data breaches started with a targeted phishing attack. Despite huge investments in security technology, RSA, Google and Microsoft are all high-tech, high-profile examples of companies falling victim to this form of attack. Hundreds of thousands of SMEs have been hurt, and their business impacted, by ransomware attacks such as CryptoLocker launched through a spear phishing email.
What most organisations’ security technology investments are missing is proper acknowledgement of the role of the human element in information security. Phishing is social engineering: it uses personalisation, motivation and incentives to persuade its targets into performing the desired action, whether clicking on a link in an email, downloading and opening an attachment, or entering login credentials on a bogus website. Once this happens, the attacker has penetrated the network and has a foothold from which to launch their specific attack.
The attack on Target Corporation, which exposed credit card and personal data on more than 110 million people, was initiated through a malware-laced phishing email sent to a supplier. It is widely acknowledged that people are an organisation’s weakest link. Targeted phishing campaigns are unmistakably exploiting this fact, and will continue to do so until users understand the threat, recognise the level of damage their ill-advised actions can cause, and are educated to become an effective countermeasure.
According to Symantec’s latest Internet Security Threat Report (ISTR), the number of targeted campaigns increased 91 percent in 2013. It identified that 1 in 2.3 companies of more than 2,500 employees was subject to an attack. To take advantage of the human element, attackers are more patient now than ever, slowly infiltrating systems and then lying in wait before acting. In 2013, the average attack lasted eight days, compared to three days in 2012 and four days in 2011. These prolonged attacks indicate that attackers are becoming more focused and persistent over longer periods of time in order to better hide their activity. Symantec’s research put the ratio of phishing emails to legitimate emails at 1 in 392.
The danger posed by phishing is a mix of simplicity and significant potential impact. It is easy for unskilled attackers to conduct phishing attacks, and this makes phishing the vector of choice for the vast majority of cyber criminals. Phishing has moved on from mass spam campaigns to specifically targeted ones, and with social media providers such as LinkedIn, Facebook and Twitter, identifying targets has never been easier.
Evidence suggests that, despite security awareness training, ordinary IT users continue to fall for targeted phishing emails. Why is this? Presumably very few organisations are measuring the effectiveness of that training in relation to information security. Users, therefore, don’t only need to be “aware”; they need to change their behaviour.