Remember the scam phishing emails you would get in the early noughties, supposedly from a Nigerian prince in exile? The gist of it was that they had a trillion dollars squirrelled away that they needed help taking out of the country. It also involved getting you to send them some money. A lot of us fell for the scam; this was before Googlemail was a thing and back in the era when every email was treasured and read twice.
With time, the crooks grew smarter and their crookery got more sophisticated. Irrespective of how nuanced and complicated the process got, it always boiled down to that one thing. Sending out an email to extort money.
And you know what the saddest bit is? It is still the most successful way of making money for cyber criminals. Do you know how much money the scam artists behind the WannaCry ransomware made? The one that tanked the NHS, affected 73 countries and disrupted major utility companies in Europe? A measly $72,000. Compare this to the fact that 1 in every 14 phishing emails is successful. Then do the math on how many of these emails are being sent out every day and every hour, to extort and to terrorise.
The problem begins and ends with humans.
The official statistic for how many cyber attacks are a result of employee carelessness/laziness varies between 72 percent and 90 percent. Even though the percentage varies, it is still eye-wateringly high. As a CISO said to me the other day: “There is no kill switch for breaches resulting from human error.”
So the question now is: can the superior advances in technology not help solve the problem? How about machine-to-machine, Artificial Intelligence and machine learning? Turns out, they can only complement the work of us humans. The love fest around AI is apparently a case of the Emperor’s new clothes.
Said Simon Crosby, CTO of Bromium: “The math around machine learning was done 100 years ago by Alan Turing. The attackers have changed their ways. Data is already encrypted. Identifying something is right or not or a change in tactic has led to WannaCry, which is potentially catastrophic. Turing’s legacy is being writ large with WannaCry.”
And then there is newer research saying that IT employees are not concerned by the possibility of a breach. What could possibly lead to this lack of empathy and loyalty?
Does the lack of caring show a deeper disconnect between businesses and their employees?
Dr Jessica Barker thinks there is more to it: “There are a lot of cultural factors around cyber security. Often IT workers can be made to work very hard and long hours. They may feel like they are not appreciated. Oftentimes, being seen as geeks in the basements can lead to a rise in resentment.
“The worst kind of cyber-attacks use psychological drivers too! Spear-phishing is all about making an attack deeply personal. They try to evoke curiosity…”
If there was an email from someone I know asking me to click on a link to check out photos of an event I have been to, I am very sure I will fall for the bait.
Wouldn’t you too?
It is all a bit too Machiavellian: someone’s always had control over information, and others have always tried to steal it. As my current favourite book on cybersecurity, The Cuckoo’s Egg, says: “Sneakiness finds new expressions.”