Call it the Cassandra Syndrome. Information security professionals can warn and warn again about the danger of opening unexpected email attachments, but employees continue to do so – and suffer the consequences.
That’s the unmistakable conclusion of the latest Verizon Data Breach Investigation Report (DBIR), which found that 66% of malware linked to data breaches or other incidents (such as ransomware) was installed via malicious email attachments. That’s significant, because more than half (51%) of breaches involved the installation and use of malicious software. In other words: if you cut down on the success of malicious email attachments, you’ll likely reduce the number of malware installations. Cut down on malware installations and you may go a long way toward reducing data breaches.
It’s as easy as that. Except that it isn’t. Social engineering of employees via so-called ‘phishing attacks’ is incredibly common, and quite effective. Analysis of Verizon’s security awareness training data found that, on average, 7.3% of users were successfully phished, whether via a link or an opened email attachment. But that rate varied greatly from industry sector to industry sector. Within manufacturing, for example, the successful phishing rate was more than 13%. In retail and healthcare, two frequently targeted sectors, it was over 10%. That may not sound like much, but in a company with 1,000 employees, that means 100 or more are opening suspicious or malicious attachments. And, as we know, it only takes one successful attack to open the doors to sensitive networks and data.
Part of the reason these attacks are so successful is that attackers are getting smarter about who to send them to. Writing about the scourge of ransomware infections, for example, Verizon noted in its recent report that ransomware scammers shifted tactics in 2016: compared with past years, they relied more heavily on targeted phishing attacks and email-based attachments, and less on indiscriminate attacks and drive-by download links, to implant ransomware in target organizations. The co-occurrence of phishing and ransomware attacks more than doubled, from 8% of incidents to 21% in 2016, with ransomware criminals targeting employees in departments like HR and accounting, who are more likely to receive (and open) email attachments as part of their job.
Phishing attacks and malicious email attachments were the driving force behind the majority of corporate espionage attacks that plant data-harvesting software on sensitive networks. There, malicious email attachments install command-and-control software, allowing the attackers (more than 90% state-affiliated groups, Verizon says) to control that device and begin moving laterally within the compromised network. Fully 66% of cyber espionage attacks (181 of 271) studied by Verizon involved phishing attacks of one sort or another. Almost all involved the use of malware, Verizon said.
The data from the latest DBIR is bound to be both sobering and familiar-sounding for organizations, which have heard similar warnings and reports in past years. The truth is that fixing the “layer 8” (that is: employee) problem is nearly impossible – especially at scale. Humans are, after all, humans. Even the most comprehensive security awareness training can’t tamp down curiosity or boredom. And, again, the odds work in favor of the attackers: just a single successful phish out of thousands or tens of thousands of attempts is enough to give them a toehold on a sensitive system or corporate network.
And that ignores the fact that employees have their own flaws and human imperfections – that awareness training may, in some cases, fall on deaf ears. Indeed, a report out this week from Dtex Systems found that 95 percent of enterprises reported that they had employees who were “actively circumventing corporate security protocols.” Their motivations? Sex and money. Fifty-nine percent of surveyed firms reported that they had employees accessing pornographic websites during the work day, while 43 percent said they had users accessing online gambling sites from work, SC Magazine reported.
What’s the solution? Education of workers can certainly reduce the likelihood of incidents. But, as the DBIR suggests, it is a blunt and imperfect instrument. Rather than trying to squelch the spirit of your workers in some kind of corporate take on The Handmaid’s Tale, companies need to do a much better job of detecting cyber incidents early and responding to them swiftly, reducing the “window” of opportunity that attackers have to explore your environment, locate sensitive information and abscond with it. In the absence of perfect blocking, detection and response need more attention so that incidents fail to become full-blown breaches.