When it comes to cyber-security, it pays to heed the human factor
31 May 2017
Remember the scam emails going around in the early noughties, purportedly from a Nigerian prince in exile? The gist of it was that they had a trillion dollars squirrelled away, and they needed help taking it out of the country. It also involved getting you to send them some money. A lot of people fell for the scam – this was before Googlemail was a thing, back in the era when every email was treasured and read twice.
Over time the crooks grew smarter and their crookery got more sophisticated. But irrespective of how nuanced and complicated the process got, it always boiled down to that one thing. Sending out an email to extort money.
But the saddest aspect is that phishing scams like this are still the most successful way of making money for cyber-criminals. Do you know how much money the scam artists behind the WannaCry ransomware made? The one that crippled NHS systems, affected 73 countries and disrupted major utility companies in Europe? A measly $72,000. Compare this with the fact that one in every 14 phishing emails is successful. Then do the maths on how many of these emails are being sent out every day and every hour to extort and to terrorise.
The problem begins and ends with humans. The official statistic for how many cyber-attacks are a result of employee carelessness or laziness varies between 72 per cent and 90 per cent. Even though the figure varies, it is still eye-wateringly high. As a CISO said to me the other day, “There is no kill switch for breaches resulting from human error.”
So the question now is: can the superior advances in technology not help solve the problem? How about machine-to-machine, artificial intelligence and machine learning? It turns out that such things can only complement the work of us humans, and the love-fest around AI is apparently a case of emperor’s new clothes.
Said Simon Crosby, CTO at Bromium: “The maths around machine learning was done years ago by Alan Turing. The attackers have changed their ways. Data is already encrypted. Identifying if something is right or not or a change in tactic has led to WannaCry, which is potentially catastrophic. Turing’s legacy is being writ large with WannaCry.”
Then there is newer research saying that IT employees are not concerned by the possibility of a breach. What could possibly lead to this lack of empathy and loyalty? Does the lack of caring show a deeper disconnect between businesses and their employees?
Cyber.uk’s Dr Jessica Barker thinks there is more to it: “There are a lot of cultural factors around cyber-security. Often IT workers can be made to work hard and long hours. They may feel like they are not appreciated. And being seen as geeks in basements can frequently lead to a rise in resentment.
“The worst kind of cyber-attacks use psychological drivers too. Spear-phishing is all about making an attack deeply personal. They try to evoke curiosity.”
So if there was an email from someone I know asking me to click on a link to check out photos of an event I have been to, I am pretty sure I would fall for the bait.
Wouldn’t you, too?