There has been a sharp increase in the cybercrime practice known as spear-phishing in 2017, which are targeted attempts at tricking individuals into revealing passwords and sensitive information or allowing criminals access to secure networks, according to Symantec’s latest Internet Security Threat Report.
Santho Mohapeloa, digital distribution specialist at SHA Specialist Underwriters, notes that the report also reveals that other types of attacks – such as those that exploit flaws in secure programs or fully-fledged hacking of a company’s secure networks – are falling out of favour with cybercriminals.
‘It could be argued that this is due to the security measures protecting these elements becoming too advanced for the majority of cybercriminals, or it could be that the low hanging fruit is just easier to pick. Spear-phishing is now being used in over 70% of all cyberattacks, because users are still the most vulnerable part of any organisation’s cyber networks.”
Mohapeloa says that this highlights the increasing need for organisations to have strict cybersecurity policies in place, and to ensure that employees with access to secure company networks are regularly informed on how to keep their data safe.
“Spear-phishing attacks usually appear in the form of an email from a familiar and reliable source which an individual often conducts business with, for example a financial institution, revenue authority or even a trusted service provider. The email is usually an outright request for personal details such as bank account numbers or login details, or it could contain a link that downloads malicious software onto the user’s computer. In other cases, the correspondence could be disguised as a notice from a service provider informing the victim that their bank account details have changed. The aim could be to steal funds, gain access to confidential information, or even trick the employee into inadvertently downloading ransomware onto the company’s system.”
He adds that these attacks are often executed in a meticulous manner, fooling most into thinking that the attack came from one of their trusted sources. “Companies therefore need to implement cyber awareness programs, which have been proven to significantly reduce the risk of cyberattacks, and should consider using security consultants to implement the processes as well as monitor them.”
In addition, Mohapeloa says that Symantec’s study revealed another startling trend. “The report shows that instances of mobile malware have increased by 54% during 2017, meaning that companies who allow their employees to access local networks via their mobile devices, are increasingly at risk of having their systems infiltrated by cyberattacks. Companies should therefore make sure that their mobile device policies and security systems are robust enough to deal with such threats.”
Lastly, Mohapeloa says it is crucial that businesses protect themselves by obtaining comprehensive cyber liability cover from an insurer with experience in this line. “A suitable policy needs to include protection against cyber extortion, business interruptions, damage to networks, as well as possible liability claims from stakeholders who might have suffered damages as a result of a cyber breach.”
He adds that cybercriminals will increasingly focus on exploiting the human factor of organisations, as networks and programs become more secure. “This is why a combination of employee training, state-of-the-art security software and a comprehensive cyber liability policy is the only way that businesses will be able to ensure that all of their cyberrisks are mitigated,” Mohapeloa says.