21 February 2020

How cyber criminals really thrive


Cyber security is one of the fastest growing industries in the world. Companies selling everything from encryption devices to internet firewalls and network security systems are popping up all over the place. According to Statista, by 2023 the global market for defences against cyber attack and online theft – the so-called ‘security as a service’ market – will have almost doubled over six years to around a quarter of a trillion US dollars. That’s a lot of money: is it well spent?

Cyber security is a growing market because cyber attacks are on the rise as connectivity has increased. Almost half the world’s population has a smartphone, and over 60% of people alive today have access to some kind of mobile device. If you are a cyber-crook, those figures are music to your ears. Connected people are vulnerable – and potentially profitable – people.

But the most profitable targets are large organisations, or the people who belong to them, because they have data in vast quantities. And data means opportunity: it could be tradable data like social security numbers and credit card details; sensitive data which could open the possibility of blackmail; or technical data on products and processes that competitors want.

What is more, organisations also have processes that are digital. Destabilising or paralysing those process can create massive advantage for someone, even when the attack is transient. No wonder companies and governments are willing to spend ever-larger amounts on building defences to cyber attack.

Whether they are building the right defences is another matter. The kinds of things that companies like to spend money on are better network and web-access firewalls, more secure operating systems, better encryption for stored data and mobile communications, and ‘endpoint security’ for any devices connected to networks from outside the firewall.

These are the equivalent of fixed defences in warfare. They are easy to describe, easy to visualise, and easy to test in simulations. You can almost touch and feel them: that makes them an easy sell. Yet there is strong evidence that the vast majority of cyber attacks are enabled not by weak fixed defences, but by simple human error. Cyber criminals that target organisations almost always need to gain access to corporate networks before they can go to work. To do that they need to find an unlocked door. And it is almost always a human being who leaves the door unlocked.

According to the UK Information Commissioner’s Office, nine out of ten cyber data breaches in the UK last year were attributable not to defective systemic cyber defences but to human error. Global data from reports such as IBM’s annual Cyber Security Intelligence Index corroborates this. In fact, the true proportion of human error may be even higher – it all depends on how you define the term says Oz Alashe, CEO of cyber-security company Cybsafe. “It’s not just poor password security, or casual clicking on phishing emails. You also have network administrators failing to update operating systems, or software providers failing to patch flaws when they could have done so. Human error is almost always at work.”

The hacking of the US Democratic National Committee in 2015 and 2016 and the subsequent release of thousands of emails and other data via Wikileaks had an impact on the world that continues to reverberate, and may well have been instrumental in the election of Donald Trump.

It is a firm consensus among security specialists that the DNC breach was the work of two competing Russian-sponsored cyber groups, known to analysts as Cozy Bear and Fancy Bear. There is no mystery about how the cyber breach was accomplished: the modus operandi of both these groups is well known, as both use varieties of phishing attacks that rely on persuading targets to click on links that execute malware. These are classic human error attacks.

The STUXNET attack on Iran’s nuclear enrichment programmes was somewhat different, in that online connectivity played no part. The STUXNET ‘worm’ which attacked only certain centrifuge control systems manufactured by Siemens (systems which were covertly obtained by Iran) was spread by infected USB memory keys. But memory keys do not insert themselves – someone has to connect them to the network. Once again, the security door was opened by a human, not a machine.

Perhaps the most commercially significant cyber breach of recent years was the 2017 hacking in several different instances of the systems of the credit reference provider Equifax. Among other impacts of the cyber breach was the leaking of the social security numbers and dates of birth of around half of the adult US population, and the company has so far paid over $600 million in fines and class action settlements related to the breach.

Equifax was hacked on several occasions and in several countries, and once again it seems that the security flaws had a human face. In at least one of the Equifax breaches that flaw was simply that anyone could gain access to the company’s networks by entering the word ‘admin’ as both username and password on an access webpage.

These cases are well documented, the method of attack is known, and many organisations do recognize the importance of human error in data security. Research by Cybsafe suggests that at least 40% of companies in the UK are engaging in training programmes designed to increase human awareness of cyber risks. However, only 18% believe they are actually succeeding in addressing the problem.

There is a growing feeling among cyber security specialists that organisations may have to start thinking about security in a new way. One new approach would be to stop making a hard distinction between technology-based defences and human approaches. Experience shows that any systematic defence whether hardware- or software- based can by compromised by human error, and given enough time they will be compromised. Awareness training based on past events may help, but does nothing to address the fact that cyber threats evolve constantly.

“In the end you cannot eliminate all risk,” says Oz Alashe of Cybsafe. “What you can do is prioritise, and concentrate on preserving the crown jewels in any organization rather than securing everything which is impossible”.

Changing your password from ‘admin’ would be a good place to start though.

Click here to subscribe to our daily briefing – the best pieces from CapX and across the web.

CapX depends on the generosity of its readers. If you value what we do, please consider making a donation.

Richard Walker is a journalist and communications adviser to financial companies