“Amateurs hack systems, professionals hack people.”
- Bruce Schneier (Author and world-renowned IT Security Expert)
Technical controls are no longer sufficient
Technical controls have failed us. An organisation can deploy firewalls, anti-spam solutions, DLP systems, anti-malware software, application whitelisting, egress filtering, virtualisation sandboxing, anti-virus software and a host of other technical defences but still get hacked. If anything, it is often the security infrastructure of organisations that has lulled many of them into a false sense of security.
Cybercriminals know it’s easier to gain access to sensitive information and critical data by targeting an individual user, rather than trying to penetrate IT systems. The rise of cloud computing, the Internet of Things (IoT), and unsecured personal devices being used to access business information can mean only one thing: it’s easier than ever for a hacker to breach your IT security.
Data is no longer within the confines of perimeter defences
Before the migration to the cloud began, sensitive business information was stored and protected on-premise. Organisational data is now spread thinly across various devices, services, and vendor offerings. Now that traditional perimeter defences are no longer enough to protect IT systems, organisations need to have a comprehensive understanding of how far and expansive their data reaches are. They also need to understand the key role that is played by their employees and third parties in protecting data.
“90% of all 2016 breaches happened because someone fell for a phishing email or some other social engineering gimmick.”
Humans inadvertently clicking on malicious email is a leading cause of data breaches
Email continues to be a virulent attack vector. According to the Trustwave Global Security Report 2017, “90% of all 2016 breaches happened because someone fell for a phishing email or some other social engineering gimmick.” It only takes one user to open an infected email attachment or click on an infected URL to inadvertently install ransomware or malware on a system. Cryptographic ransomware can have grave implications for your organisation. Ransomware attacks cripple systems, making data inaccessible and severely interrupting business processes.
Victims of ransomware in Ireland have included businesses that range from advertising agencies (Ogilvy and Mather) to pharmaceutical manufacturers (MSD). Similarly, malware, such as keyloggers that record the input of usernames and passwords, can result in hackers having complete access to email accounts, cloud servers and other data sources. Highly-targeted spear-phishing campaigns have open rates of up to 70% for untrained users. Security is a process where humans play a key role now more than ever.