Understanding the Human Factor to Cyber Security
Earlier this week, our friends at Proofpoint released their 2017 Human Factor Report, which shines a light on the role individuals play in protecting organizations against cyber security threats. The findings highlighted in the report reinforce a number of ongoing trends we’ve written about before, notably the growing threat of phishing scams and business email compromise. Let’s review some of the key findings.
Hackers are consistently impersonating your CEO.
According to Proofpoint, business email compromise attacks increased 45% in Q4 2016 (compared to Q3). These types of attacks consistently involve hackers posing as firm CEOs and requesting wire transfers and sensitive material disclosures from CFOs and other internal contacts. Compromises of this nature can be extremely damaging – and avoiding them requires diligence on the part of individuals to execute checks and balances internally to review and approve any material handoffs or financial transactions.
Email isn’t the only way hackers are phishing users.
Email may be the most popular way to target individuals with phishing scams, but SMS/text scams are growing rapidly in popularity. Oftentimes, individuals are more inclined to open messages or click on hyperlinks from their mobile devices, giving weight to these “smishing” scams. Additionally, social media phishing continues to grow. In these cases, sometimes known as “angler phishing”, hackers pose as company support accounts and take advantage when users request support or customer service from various organizations. This is an easy way to goad users into sharing their credentials or clicking on malicious links/attachments – and Proofpoint reports an increase in occurrences by 150% in 2016!
Speaking of malicious links, Proofpoint’s report indicates 42% of user clicks on malicious URLs were from mobile devices.
Clicking isn’t the only misstep.
While there is a sharp increase in malicious clicks from mobile devices, no doubt because of how heavily and frequently users rely on their phones, users still click malicious links from their Windows PCs. An interesting tidbit from The Human Factor Report: nearly 20 percent of the clicks from Windows PCs came from computers running legacy operating systems no longer supported by regular security patches (e.g. Windows XP, Windows Vista, Windows 2000). This number stands out particularly in light of the recent WannaCry ransomware, which, while not triggered by a malicious click, was notably more challenging for firms running legacy Windows software. Again, this highlights the dangers lurking behind outdated technology systems and software.
Proofpoint’s The Human Factor Report reminds us that today’s hackers are directing their efforts beyond technology and targeting individuals to take advantage of their naiveté, laziness and lack of cyber awareness and education. Investment organizations should urge their employees to stay current on cyber risks and human attack threats by reading findings such as Proofpoint’s. Firms can download Proofpoint’s complete 2017 Human Factor Report here.