Cyber-attacks have become a thriving and profitable industry for criminals, as the growing number of well-publicised, high-profile attacks over the past year shows. By Simeon Tassev, director of Galix.
Many of these attacks, often aimed at governments and large organisations, rely on phishing and other social engineering techniques to steal confidential information, putting both the business and its customers at risk. Technology is essential for detecting threats and limiting their impact, but user awareness is just as critical.
Even the most sophisticated intrusion prevention and detection systems cannot stop human error, which is often the biggest vulnerability. Organisations need appropriate technology combined with education that reinforces security policies and processes.
Some of the most high-profile cyber-attacks in recent months have all been aimed at obtaining personal and sensitive customer information. Examples abound, including the recent US State Department breach, in which hackers believed to be Russian gained access to the department's email systems. In 2014, eBay was hit by attackers who, between February and March, stole personal records reportedly covering 233 million users; the data included usernames, passwords, phone numbers and physical addresses. Domino's Pizza suffered a similar attack in which the hacking group Rex Mundi held the company to ransom over some 600 000 Belgian and French customer records, demanding roughly $40 000.
Most recently, the Ashley Madison scandal saw the extramarital affairs and casual dating website hacked and held to ransom over tens of millions of confidential customer records. Security experts have suggested that a single insider was the likely cause of this breach, highlighting the human element in preventing cyber-attacks.
The common factor is the sensitive information being targeted, which may include payment data such as credit card details. While such attacks are sometimes the result of sophisticated tools and software, they more commonly succeed through human error. Attackers send legitimate-looking emails and social media messages that trick users into handing over confidential data such as account numbers, usernames, passwords, credit card details or even ID numbers. That information is then used for identity theft, credit card fraud or gaining unauthorised access to systems.
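The "legitimate-looking" sender addresses mentioned above usually differ from the real brand by a single character, a swapped digit, or an extra label tacked on to the end. The following Python is an added example, not code from the article or from Galix: it screens a From: header against a constructed allow-list of trusted domains and flags the three common impersonation patterns (brand embedded inside another domain, homoglyph substitution, and a small edit away from the real name). The trusted-domain list, the homoglyph table, the 0.85 similarity threshold and all sample headers are assumptions made up for this illustration.

```python
"""Flag e-mail sender domains that impersonate a known brand.

Added example for the phishing discussion above; it is not code from the
original article or from Galix. The trusted-domain list, the homoglyph
table, the threshold and the sample headers are constructed for illustration.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains the organisation genuinely sends mail from.
TRUSTED_DOMAINS = ("example-bank.com", "examplebank.co.za")

# Digit-for-letter swaps commonly used to build visually similar domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character swaps handled separately ("rn" looks like "m", "vv" like "w").
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: header value ('' if malformed)."""
    _, addr = parseaddr(header_value)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def normalise(domain: str) -> str:
    """Undo the cheap visual tricks before comparing with trusted names."""
    domain = domain.translate(HOMOGLYPHS)
    for fake, real in DIGRAPHS:
        domain = domain.replace(fake, real)
    return domain


def classify(header_value: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Return (verdict, matched_trusted_domain).

    verdict is one of 'trusted', 'lookalike', 'unrelated' or 'malformed'.
    """
    domain = sender_domain(header_value)
    if not domain:
        return "malformed", ""
    # Exact match or a genuine subdomain (mail.example-bank.com) is trusted.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    # The brand embedded in someone else's domain (example-bank.com.evil-host.net).
    for t in trusted:
        if t in domain:
            return "lookalike", t
    # Homoglyph substitution or a small edit away from a trusted name.
    norm = normalise(domain)
    best, best_score = "", 0.0
    for t in trusted:
        score = SequenceMatcher(None, norm, t).ratio()
        if score > best_score:
            best, best_score = t, score
    if best_score >= threshold:
        return "lookalike", best
    return "unrelated", ""


if __name__ == "__main__":
    # Constructed From: header values, not real messages.
    for header in (
        "Alerts <alerts@mail.example-bank.com>",
        "Support <support@exarnple-bank.com>",
        "Security <security@examp1ebank.co.za>",
        "noreply@example-bank.com.evil-host.net",
        "Billing <billing@example-bank.co>",
        "News <news@totally-unrelated.org>",
        "not an address",
    ):
        print(f"{header!r:45} -> {classify(header)}")
```

This is a heuristic, not a verdict: a real deployment would combine it with SPF/DKIM/DMARC results and a public-suffix list (so that a genuine second-level domain is not mistaken for a subdomain), and would route "lookalike" hits to the user-reporting and awareness process rather than silently dropping them. The point it illustrates is that the visual tricks which fool a hurried reader are mechanical and can be caught before the message reaches the inbox.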
While all of these examples occurred in international organisations, local organisations are not immune. In January this year, Business Report warned local companies to take heed of cybercrime, which is on the increase in South Africa, with losses estimated at R5.8 billion in 2014 alone. Beyond the direct losses, statistics show that it takes almost six months on average to identify a breach, giving criminals ample time to extract the information they want and cause serious harm. Companies are not only held to ransom over customer information; their business reputation is also at risk. Depending on the severity of the breach, customers may be lost, trust eroded, new customers hard to win, or the business may have to shut down entirely.
According to the 2014 Global Report on the Cost of Cyber Crime from the Ponemon Institute, 13% of the annual cost of cybercrime for companies is the result of phishing and social engineering. In addition, according to the Kaspersky Lab study 'Financial Cyberthreats in 2014', 28.8% of phishing attacks carried out in 2014 were intended to steal financial data from users, another form of confidential and personal information.
A formal security awareness program is required by the Payment Card Industry Data Security Standard (PCI DSS, Requirement 12.6) as part of protecting cardholder data such as credit card information. Such a program helps prevent not only the theft of payment card data but also of any other confidential information that cyber criminals may be targeting. Given how often the human element is the weak point, particularly in phishing and social engineering, this is an aspect of security that simply cannot be overlooked.
In the digital era information is currency, and there are many ways to make money from stolen data. Credit card details are an obvious target, but cyber criminals also monetise other personal information. The rise in cyber-crime, together with legislation such as South Africa's Protection of Personal Information (PoPI) Act, makes protecting confidential information essential if the serious consequences of a breach are to be avoided. Policies, procedures and technology are all important, but ultimately human awareness determines whether security and vulnerability protection succeed.