IT Security Guru

New security regulations are fine, but there is no substitute for innovation

by The Gurus
March 29, 2018
in This Week's Gurus

“Everyone is part of our cyber security team,” said the chief information security officer at a private trust company in New York. “It doesn’t matter what myself or my colleagues do from a technical perspective. If I have one user who clicks a bad link or answers a phisher’s question over the phone, it’s all for naught.”

These are sage words from someone in the frontline against the onslaught of cyber crime. Such chief information security officers (CISOs) are becoming ever-more important to all types of organisation. So much so that their appointment is one of the requirements of last September’s ground-breaking New York State Department of Financial Services regulations covering Wall Street and other financial organisations.

Introducing these data security regulations is a move that no other state has undertaken and marks the seriousness of the threat against the financial sector, in which IBM calculates more than 200 million records were breached in 2016.  The new regulation’s stipulations are relatively wide-ranging and include requirements for risk-assessment tests, multi-factor authentication, formal cyber security planning and policies, a duty to notify the authorities of a hack within 72 hours, and crucially, staff-awareness training.

Emails are still the biggest danger

This is an excellent starting grid, but the point made by the CISO at the head of this article is still the most telling. The biggest danger for financial organisations lies in the single slip by an employee clicking open a malicious attachment or link. That alone is enough to give hackers access to the entire systems of a large organisation, no matter how sophisticated its security. Emails are used in more than 70 per cent of successful hacking attacks, with criminals hiding malware triggers in standard files like Word docs, Excel spreadsheets and PDFs.

The result is that no amount of training will prevent cyber criminals targeting a specific employee with a spoofed email or phishing attack, tricking them into opening an infected attachment that appears to be legitimate. Unless, of course, an organisation has the technology to remove the threats from attachments without affecting the normal conduct of business.

Research confirms how vulnerable organisations are to phishing emails

A survey conducted by Glasswall among 2,000 office workers at medium-to-large businesses in the UK and US revealed just how vulnerable organisations are to human error or ignorance. More than six in ten employees (62 per cent) admitted they do not usually check the legitimacy of attachments in emails from unknown sources, while a dangerous minority of 15 per cent said they always or usually trust email attachments sent by people they have never even heard of. More than eight in ten staff (83 per cent) always or usually open attachments in emails purporting to be from known contacts.

Among staff who were more alive to the dangers, invoices were seen as the primary document used by criminals to trick them, but only tiny percentages recognised the full scale of threats posed by spreadsheets or simple Word files.

Other findings revealed how too many employees have no sense of responsibility, with more than one in five unwilling to report anything they had done that may have compromised security. There was, however, a consensus among 61 per cent of employees that their organisations should install more technology to protect them.

The steps necessary to ensure security

The truth of cyber security is that employees will always be the weakest point in the chain of defences, whether through ignorance, irresponsibility or pressure of work. While the New York State measures are very welcome, there needs to be more emphasis in every jurisdiction on technology and innovation, because it is quite apparent that neither employees nor current anti-virus defences will protect any major financial business.

Large organisations need to embark on a series of steps to thwart these threats so they can keep sensitive data protected from criminals and malicious agents. Firstly, they must accept that emails are the main gateway for malicious code and ransomware. After analysing the nature of its email traffic, a business must then decide which email-related functions should be retained or dropped. This is a necessity in order to operate safely, because criminals exploit the many functional elements in files (such as macros) as well as hiding code in file structures.

Since almost 98 per cent of files do not conform to the manufacturers’ original designs, the organisation needs to be capable of determining whether an aberration in a file is due to an attack, or something poorly written or configured. Once risks are understood, appropriate security solutions must be applied. Most organisations have all the standard border-controls, including firewall, anti-spam, anti-virus and even a sandbox. Yet they are still by-passed by targeted attacks, using socially-engineered emails.

There is no substitute for technological innovation

This requires a shift in thinking and the adoption of more innovative technology that establishes what should be in an email file, using the manufacturer’s standard as a baseline. Instead of trying to match AV signatures against the “bad” elements in a file, organisations need techniques that look for and validate the “known good”.

The reason is simple. Millions of malware variants are released by criminals every year and the AV industry cannot keep pace in its battle to assign them signatures. File-regeneration technology does not require signatures. It will validate documents against the manufacturers’ specifications down to byte-level and then regenerate “known good” versions that have been stripped of all the code that the business has decided it does not want to risk admitting.  A clean and benign file is regenerated in its original format in fractions of a second, which can be sent out again and passed along without any interruption to business.
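
The "known good" approach described above, shown for one file type as an added example (not code from this article or from any vendor's product): only allowlisted parts of a .docx package are admitted, each is re-parsed, and a fresh archive is written from the parsed trees. The allowlist, the size ceiling and the sample package are assumptions, and the check covers part names and XML well-formedness only, not the byte-level specification validation the article refers to.

```python
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET

CT = "http://schemas.openxmlformats.org/package/2006/content-types"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumed policy: the only part names this business admits in a .docx.
ALLOWED = re.compile(r"\[Content_Types\]\.xml|_rels/\.rels|word/_rels/document\.xml\.rels"
                     r"|word/(document|styles|settings|numbering)\.xml|docProps/(app|core)\.xml")
MAX_PART = 5_000_000  # assumed ceiling on a part's uncompressed size, in bytes

def keep(owner, el, parts):
    """True if a manifest or relationship entry still refers to an admitted part."""
    if el.tag == f"{{{CT}}}Default":
        return el.get("Extension", "").lower() in ("xml", "rels")
    if el.tag == f"{{{CT}}}Override":
        return el.get("PartName", "").lstrip("/") in parts
    if el.tag == f"{{{REL}}}Relationship":
        base = "/" + posixpath.dirname(posixpath.dirname(owner))
        target = posixpath.normpath(posixpath.join(base, el.get("Target", "")))
        return el.get("TargetMode") != "External" and target.lstrip("/") in parts
    return True

def regenerate_docx(data):
    """Rebuild a .docx from validated parts only; returns (clean_bytes, dropped)."""
    src, out, trees, dropped = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO(), {}, []
    for info in src.infolist():
        try:
            blob = src.read(info) if info.file_size <= MAX_PART else b""  # never inflate oversize parts
            if not ALLOWED.fullmatch(info.filename) or b"<!DOCTYPE" in blob:
                raise ValueError("outside policy (OOXML parts carry no DTD)")
            trees[info.filename] = ET.fromstring(blob)
        except (ValueError, ET.ParseError, zipfile.BadZipFile):
            dropped.append(info.filename)
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, root in trees.items():
            for el in [e for e in root if not keep(name, e, trees)]:
                root.remove(el)  # entry pointed at a part that was not admitted
            dst.writestr(name, ET.tostring(root, encoding="utf-8", xml_declaration=True))
    return out.getvalue(), dropped

def sample_docx():
    """Constructed input: a minimal package that also carries a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT}"><Default Extension="bin" ContentType="x/y"/></Types>')
        z.writestr("_rels/.rels", f'<Relationships xmlns="{REL}"><Relationship Target="word/document.xml"/>'
                   f'<Relationship Target="word/vbaProject.bin"/></Relationships>')
        z.writestr("word/document.xml", "<document><body>Invoice 42</body></document>")
        z.writestr("word/vbaProject.bin", "constructed placeholder, not macro code")
    return buf.getvalue()
```

ElementTree rewrites namespace prefixes when it serialises, so output meant for end users needs a format-aware writer; the point here is that nothing in the result is copied unparsed from the input, and no signature lookup is involved.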

Of course, training has its place. Organisations need to reduce the risk of a single employee opening them up to a malware attack, so education will help reduce exposure and raise awareness of data security and best practice.

Businesses need to examine mobile device-usage too, since many smartphones and tablets are not equipped with advanced security solutions, making them capable of transmitting malware in documents.

While well-designed regulation that recognises real-world practice and avoids onerous burdens is to be welcomed, it must be accompanied by insistence on innovative technology that can stop dead the chief threats facing businesses today.
