As if cyber attacks could not get any worse, there are now reports of the first fatality suspected to have been caused by one: a patient in Germany died after treatment was delayed, allegedly because of a ransomware attack. This, and the recent cyber attack that brought down New Zealand’s stock exchange (NZX), are grim reminders that bad actors never sleep and are capable of overwhelming cybersecurity teams, especially now, during a pandemic.
An analysis of the cyber-threat landscape across Asia throws up an uncomfortable picture. Findings from a 2020 Data Threat Report for Asia Pacific (APAC) showed that an alarming 45 per cent of the 500 APAC executives surveyed admitted to having suffered a breach or failed a compliance audit. Concern about cybercrime was highest in Singapore, at 69 per cent. The findings come as workers across the region work from home because of Covid-19, often on personal devices that lack the built-in security of office systems, significantly increasing the risk to sensitive data.
There is also a disconnect from this grave reality: some 34 per cent of APAC respondents state that they are “not at all vulnerable” to internal threats. The silver lining is that security spending has increased. Australia and China had the highest share of respondents reporting that they exceeded their 2020 security budgets, at 50 per cent and 47 per cent respectively; New Zealand and India had the lowest. Some 47 per cent of Asia-Pacific organisations also plan to spend more on data security in the coming year, and Indonesia, at 68 per cent, had the highest share of any country saying its data security spending would increase.
This paranoia over cyber threats is not unfounded. One of the most potent attacks is phishing, in which a disguised email tricks recipients into revealing personal or sensitive information. It has become a growing concern, aided by sophisticated social engineering.
Phishing is no longer confined to email. Attackers are becoming more creative and are baiting users through frequently used applications such as the popular messaging platform WhatsApp, which has an estimated 1.5 billion monthly active users globally. WhatsApp is reportedly the fifth-most impersonated company in phishing attacks, with a staggering 13,000 per cent quarter-on-quarter increase in phishing URLs. It leads other social media as the platform most exposed to phishing attacks, as professionals increasingly rely on chat groups to communicate. This surfaces yet another vulnerability for businesses: “lazy phishing”, where attackers use any channel available to get whatever they can.
Lazy phishing is like fishing with dynamite. It uses the applications that employees deal with daily. Apart from social media, Microsoft 365 is the most popular application for phishers to loot data from. Malicious parties know that Microsoft regularly asks users to sign in again, so they send emails that appear to come from Microsoft and lure users to what looks like an authentic Microsoft login page. While alarm bells go off for most users at a crude attempt, the bad news is that these attacks also come in a more advanced form: an email whose sender address, and the page its link leads to, both appear trustworthy and legitimate. If successfully executed, such an attack gives the attackers access to personal information and money. So how do we avoid falling prey?
Continuous training and increased awareness
Many employees think that they can recognise a phishing email and would never fall for a fake Microsoft page. However, it is not that simple. In 2017, a test by ABN Amro generated a lot of attention because many employees failed it: they responded to the phishing email because it promised them a Christmas gift. Attackers often use this technique because they know many recipients are curious enough to click. It is important to look carefully at the sender of the email and at the URL behind any link. In addition to training, organisations should conduct regular phishing simulations and exercises to sharpen their employees’ awareness of cyber threats.
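Checking the sender and the URL, as advised above, can be made mechanical. The Python script below is an added example, not code from this article or from Thales: it parses a constructed sample lure modelled on the fake-Microsoft email described earlier, compares the From: display name with the sending domain, undoes common look-alike substitutions such as micros0ft, and inspects each link for plain HTTP, a trusted name buried inside an untrusted domain, and anchor text that shows one address while pointing at another. The TRUSTED_HOSTS allow-list, the BRANDS list and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: hosts where this organisation legitimately signs in.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.live.com", "sso.example.com"}
# Brand words a phisher is likely to impersonate (hypothetical list).
BRANDS = {"microsoft", "office", "whatsapp"}
# Common character substitutions seen in look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample lure (not a real message), modelled on the fake-Microsoft email.
LURE_EMAIL = """\
From: "Microsoft Account Team" <security@micros0ft-support.com>
Subject: Action required: sign in again to Microsoft 365
Content-Type: text/html; charset=utf-8

<html><body><p>Your session has expired. Please sign in again at
<a href="http://login.microsoftonline.com.account-verify.net/auth">https://login.microsoftonline.com</a>
</p></body></html>
"""


def normalise(text):
    """Undo common substitutions so that 'micros0ft' reads as 'microsoft'."""
    text = text.lower()
    for bad, good in CONFUSABLES.items():
        text = text.replace(bad, good)
    return text


def registrable_domain(host):
    """Last two labels of a host (naive: ignores the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


TRUSTED_DOMAINS = {registrable_domain(h) for h in TRUSTED_HOSTS}


def brand_mentioned(text):
    """Return a brand word that appears in the de-confused text, or None."""
    norm = normalise(text)
    return next((b for b in BRANDS if b in norm), None)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_findings(from_header):
    """Does the display name claim a brand the sending domain does not belong to?"""
    findings = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if domain and registrable_domain(domain) not in TRUSTED_DOMAINS:
        if brand_mentioned(display):
            findings.append(("sender-brand-mismatch", f"'{display}' writes from {domain}"))
        if domain != normalise(domain) and brand_mentioned(domain):
            findings.append(("sender-lookalike", f"{domain} imitates {normalise(domain)}"))
    return findings


def link_findings(html):
    """Flag anchors whose scheme, host or visible text does not add up."""
    findings = []
    collector = AnchorCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme == "http":
            findings.append(("link-plaintext-http", href))
        if host and registrable_domain(host) not in TRUSTED_DOMAINS:
            # A trusted name stuffed into the left-hand labels of an untrusted domain.
            if any(d in host for d in TRUSTED_DOMAINS) or brand_mentioned(host):
                findings.append(("link-brand-in-untrusted-domain",
                                 f"{host} really belongs to {registrable_domain(host)}"))
        shown = urlparse(text) if "://" in text else None
        if shown and shown.hostname and shown.hostname.lower() != host:
            findings.append(("link-text-mismatch", f"shows {shown.hostname}, goes to {host}"))
    return findings


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message and return (code, detail) pairs."""
    msg = message_from_string(raw_message)
    findings = sender_findings(msg.get("From", ""))
    if msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
        findings.extend(link_findings(body))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(LURE_EMAIL):
        print(f"{code:32} {detail}")
```

The registrable-domain helper takes the last two labels and so misjudges suffixes such as co.uk, and the substitution map covers only a handful of confusables; a production mail filter would use the Public Suffix List and a full confusables table, but the three questions the script asks (who really sent this, where does the link really go, and does the visible text agree) are the same ones an employee should ask by eye.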
Use a company page
Do you ever check the URL of a page yourself? Chances are, employees do not always do this. You can limit the risk of malicious parties stealing login details by using a single company-branded login page, so that whenever login details are requested, it is only ever on that page, at an address employees know. The page should be easily accessible to employees and difficult for a malicious actor to copy. A lazy phisher’s imitation then stands out sooner, and the attempted data theft is thwarted faster.
Get rid of passwords
It is possible to do away with passwords and still be secure, as authentication systems built for this already exist. Going password-free not only tackles lazy phishing but also password fatigue, and it eliminates the risks that come with employees recycling weak passwords. With password-free authentication, a user’s identity is validated through other reliable methods such as one-time passwords, hardware tokens and biometrics. Combining these methods greatly raises the level of security.
While these tips can arm you against phishing, you should, as a consumer, also ask some hard questions about how your data is being protected. For example, ask why an institution collects your data, what it is used for and where, how it is processed, how it will be stored and how it will be deleted, as hackers can use traces of data to recover ‘deleted’ data. Whether you are a business or a consumer, you must take precautions to avoid being the weak link in your organisation.
The writer is the director of security for Thales in Singapore, responsible for growing the Critical Infrastructure Security and Cyber Security businesses.