By Peter Sparkes
EACH time we hear of a phishing scam, we tend to believe that it would never happen to us. After all, aren’t we tech-savvy individuals who read and send emails on a daily basis, and therefore will naturally be able to sniff out suspicious emails with ease?
Easier said than done. Today, cybercriminals are much more sophisticated than we think, and have since evolved their cyber-attacks tactics in a bid to stay one step ahead of us.
Today’s advanced criminal attack groups echo the skill sets of nation-state attackers, adopting corporate best practices and established professional businesses for more efficient attacks. However their victims are not simply the government or big corporations, but the average employee.
Investing in security technology can secure our networks and endpoints, but none of these are effective against human errors. Cybercriminals now exploit what they perceive to be the weakest link in the chain—humans. Cybercriminals are now creating stealthier spear-phishing campaigns that target fewer individuals within a small number of select organizations to remain below the radar of the security industry.
Targeted attacks are often aimed at unsuspecting individuals, such as secretaries or mid-level managers, who have access to valuable information. In other instances, cybercriminals may pose as a supplier, customer or job seeker sending emails with an attached document containing malware.
These advanced attacks are part of a rising tide of sophisticated, well-resourced and persistent cyber espionage attacks. Over the past year, we saw a 55-percent increase in spear-phishing campaigns targeting employees. Singapore, ranks first in Asia Pacific and Japan (APJ), and third globally, in terms of spear-phishing/targeted attacks by destination, with an average of 3.6 cyber-attacks per organisation.
Advanced professional attack groups increasingly leverage zero-day vulnerabilities, using them for their own advantage or selling them to lower-level criminals on the open market. In 2015, the professional hunt for zero days drove a record-breaking 54 zero-day vulnerabilities, a 125-percent increase from the year before.
Zero-day vulnerabilities make good profits, commanding prices as high as hundreds of thousands of dollars on the black market. Furthermore, these vulnerabilities can appear in almost any type of software, but the most attractive to targeted attackers is software that is widely used on a daily basis by consumers and professionals.
So how should both businesses safeguard themselves from these attacks?
- Don’t get caught flat-footed: Use advanced threat and adversary intelligence solutions.
- Employ a strong security posture: Implement multi-layered endpoint security, network security, encryption, strong authentication and reputation-based technologies
- Prepare for the worst: When it comes to security, nothing should be left to chance and knowing Murphy’s Law, it is better to be safe than sorry. Your security measures should encompass any and every possible breach scenarios.
- Provide ongoing education and training: Establish simulation-based training for all employees as well guidelines and procedures for protecting sensitive data on personal and corporate devices.
Cybersecurity is not just about employing the right kind of technology, it also requires good digital hygiene on the part of everyone. Education and greater awareness of cybersecurity issues will help everyone to become more digitally healthy. By being aware of just how many risks you face, you can reduce them, and learn how to recognize symptoms, and diagnose “digital diseases” before they put your data, and your customers’ data at risk.
****
Peter Sparkes is senior director for Asia-Pacific and Japan at Symantec Corp. The views Sparkes expressed here do not reflect that of the BusinessMirror’s.