User experience and productivity
“They’re out of IT’s control. Some are more secure than others but that’s not really the point. It’s not something the IT department can report on or test. Applications like Gmail and Dropbox are very common and are normally turned to when someone needs to share a file.”
Data Solutions offers ShareFile, the Citrix file-sharing product, which is designed to provide enterprise-class security with a consumer-grade user experience.
“File sharing always seems to be the first thing that creeps into an organisation from the consumer world. ShareFile has that easy-to-use consumer touch and feel that users expect and want and will stop them moving over to something that’s not IT sanctioned. At the same time it keeps data within IT’s control so it needn’t be in the cloud,” said O’Haire.
“A lot of consumer solutions are actually in the cloud and because of that they perhaps break rules in terms of where data lives and of course they don’t work with the reportability and compliance issues that organisations come up against.”
Where companies do actively facilitate the use of consumer technology in the workplace through bring-your-own-device schemes, that does not mean they are necessarily in the clear when it comes to responsibility. Presuming that employees are up to speed on protecting the company through their online behaviour can be a serious mistake.
“Most Irish employees aren’t particularly tech savvy. The fact that many are allowed to use their own devices or bring them into work can lead to an expectation that they have more of an awareness of security issues and how to properly use their devices but I don’t think that’s the case at all,” said Ken Bagnall, chief executive of The Email Laundry.
“The opportunities for people who are using social engineering to phish users are just enormous now because the average person has a Dropbox account and a Facebook account and a LinkedIn account and maybe an online music account and so on. There’s a high probability that they use at least some of those, so any of them can be used as phishing attack points and there’s a chance that they will click on the mails.”
As soon as a person’s username and password are exposed in a data breach, social engineers will immediately test them across as many services as they can and, according to Bagnall, they will inevitably find the same password in use on most of them.
“One of the services they use will be an email account such as Gmail or Hotmail, which will give the hacker access to the ability to reset passwords for everything else. The opportunities for cybercriminals are ridiculous now with all the tools out there that are supposed to make people more productive.”
In the majority of cases, cybercriminals only need to find one link in the chain to reverse engineer a person’s entire digital life, including their work accounts. The result is that it is becoming increasingly lucrative for criminals to focus on this rather than on so-called real-world crime.
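The pattern Bagnall describes, a stolen username and password being replayed against one service after another, has a recognisable footprint on the receiving side: a single source address attempting many distinct accounts in a short window with mostly failed logins. The following detector is an added example, not code from the article or from The Email Laundry; the log format, addresses, usernames and thresholds are all constructed for illustration.

```python
"""Flag credential-replay (credential-stuffing) behaviour in authentication logs.

Added example, not from the article. One source address trying many *distinct*
usernames in a short window, with a low success rate, is the server-side view of
breached credentials being tested across services. The log format is constructed:
    <ISO timestamp> <source IP> <username> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 walks through six accounts in six seconds
# (one happens to succeed); 198.51.100.7 is a real user mistyping once;
# 192.0.2.9 is a single clean login.
SAMPLE_LOG = """\
2016-06-01T10:00:01 203.0.113.5 alice FAIL
2016-06-01T10:00:02 203.0.113.5 bob FAIL
2016-06-01T10:00:03 203.0.113.5 carol FAIL
2016-06-01T10:00:04 203.0.113.5 dave OK
2016-06-01T10:00:05 203.0.113.5 erin FAIL
2016-06-01T10:00:06 203.0.113.5 frank FAIL
2016-06-01T10:01:00 198.51.100.7 alice FAIL
2016-06-01T10:01:10 198.51.100.7 alice OK
2016-06-01T10:02:00 192.0.2.9 gina OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources that, within any `window`, tried at least
    `min_distinct_users` different accounts with a success ratio at or below
    `max_success_ratio`. Thresholds are assumptions to tune per service."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            ratio = successes / len(in_window)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                # Keep the widest matching window seen for this source.
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(in_window),
                                   "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The single success inside the flagged burst is the interesting line: it is the account whose owner reused a breached password, and it is the one to force a reset on. A real campaign usually spreads attempts across many source addresses, so in production the same counting is worth repeating keyed on user-agent, ASN or session fingerprint rather than on IP alone.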
“There’s more money lost through cybercrime than through normal crime in each economy each year and yet it’s the one kind of crime that’s not really covered by the police. They have very limited capability to do anything about any of it but economies around the world are leaking vast fortunes out through cybercrime,” said Bagnall.
Just one form of phishing scam, the so-called CEO fraud, has apparently netted over $2.4 billion (€2.26 billion) in the US over the last three years, according to the FBI. The scam consists of cybercriminals sending e-mails to company staff that purport to be from their boss, hoodwinking them into transferring cash to the fraudsters.
“In the UK, enormous amounts were lost to cybercrime and the great majority was from phishing-related incidents. The UK Office for National Statistics recently started asking people about their experience of fraud and online crime and it estimates the total number of cybercrimes committed there in the year to the end of June 2016 was 3.8 million,” said Bagnall.
“If you imagine that spread over small businesses then just think how much each of them is being hurt and damaged by it. It’s very significant.”
Bagnall said his company has carried out penetration tests for its clients on CEO fraud, and approximately 50% of those contacted replied to fraudulent emails.
“It’s cleverer than it sounds. It starts with a very small email that seems to be from the boss and just says ‘Hi Mary, are you at your desk?’ and inevitably people write back with what they were doing that morning, not just ‘yes I’m at the desk.’ It’s a very small psychological trick but once somebody has started an email conversation with you, it’s as if they have authenticated you in their mind,” he said.
“The person now thinks they are in a conversation with that person and they imagine their face in front of them when they’re communicating with them. It takes about five e-mails to persuade someone to transfer money.”
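The opening move Bagnall describes, a short friendly message that appears to come from the boss, usually relies on the display name alone: the From: name matches an executive while the address sits on an outside domain, or a Reply-To: header quietly redirects the conversation. The check below is an added example, not code from the article or from any product it mentions; the company domain, executive directory and both messages are constructed for illustration, and only the subject line is borrowed from the quote above.

```python
"""Flag executive-impersonation ("CEO fraud") e-mails at the mail gateway.

Added example, not from the article. Two cheap header checks catch the crude
form of the scam: the From: display name matches a known executive but the
sender address is not on the company domain, or Reply-To: differs from From:.
The domain, directory and sample messages are constructed.
"""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                                 # assumed internal domain
EXECUTIVES = {"Pat Director": "pat.director@example.com"}      # constructed directory


def normalise(name):
    """Case- and whitespace-insensitive form of a display name."""
    return " ".join(name.lower().split())


def check_impersonation(raw_message):
    """Return a list of reasons the message looks like executive impersonation
    (empty list means no finding)."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))   # ('', '') when absent
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    reasons = []
    exec_names = {normalise(n) for n in EXECUTIVES}
    if normalise(from_name) in exec_names and from_domain != COMPANY_DOMAIN:
        reasons.append("display name matches an executive but sender domain is external")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append("Reply-To differs from From address")
    return reasons


# Constructed: the opener from the quote, sent from a look-alike webmail domain.
SUSPICIOUS = """\
From: Pat Director <pat.director@example.net>
Reply-To: pat.director.office@example.org
To: mary@example.com
Subject: Hi Mary, are you at your desk?

Hi Mary, are you at your desk?
"""

# Constructed: the same opener sent from the executive's real internal address.
LEGITIMATE = """\
From: Pat Director <pat.director@example.com>
To: mary@example.com
Subject: Hi Mary, are you at your desk?

Hi Mary, are you at your desk?
"""

if __name__ == "__main__":
    print(check_impersonation(SUSPICIOUS))   # two findings
    print(check_impersonation(LEGITIMATE))   # []
```

A real executive writing from a personal webmail account trips the first rule too; that is a policy finding rather than a false positive, since it is exactly the habit the fraud exploits. The check is deliberately independent of SPF or DMARC results so that it still fires when the sending domain is one the fraudster legitimately controls.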
Training and experience
It is here that companies need to make sure their employees’ user experience includes training to spot phishing attacks, along with an awareness of the everyday behaviour that cybercriminals routinely take advantage of.