A firewall might be the first line of defence against scammers and cybercriminals, but the biggest weakness and the biggest strength is human vigilance.
According to Cyber Magazine, a human element is involved in 82 per cent of global cyberattacks. “Becoming a ‘human firewall’ is one of the best measures organisations can implement to prevent the most common cyberattacks”, says Nick Frantzen, acting country manager at global cybersecurity leader, Fortinet.
“You are your own best line of defence. If people are not trained to understand what a cyber threat looks like, it can give the bad guys access to their money, their data and their workplace systems.”
There are plenty of misconceptions about cybercrime, often because threats evolve rapidly to stay ahead of those trying to prevent them. For instance, the notion of a highly motivated, sophisticated attacker—as seen in the movies—is outdated. Frantzen says assuming hackers are only gunning for specific targets might instil a false sense of security.
“You might think, ‘why would those people bother zeroing in on me’. But, in fact, attackers are better than ever at delivering large-scale automated attacks. You’re simply another digit somewhere in their system. They’re opportunistic and they aren’t even aware of who you are, or what type of business they’re attacking. They’re just looking for ways to monetise access without knowing the terrible human cost behind it all.”
There are also movies where some kind of message pops up to let a person or business know they’ve been hacked. In reality, it takes an average of 277 days for a business to identify and contain a breach, according to research by IBM. Cybercriminals will sit inside a system like a parasite, finding weaknesses and exploiting them for maximum financial gain.
While there are still plenty of cybercriminals in areas like eastern Europe, the profile of attackers has broadened. Individuals across the world have turned to cybercrime, from savvy teenagers still living at home through to recently laid-off tech experts looking to make a quick buck.
The nerdy well-meaning hacker of popular fiction is a dying breed. Instead, criminals who previously dealt in violent and hands-on crimes have expanded their operations into cybercrime.
“The Covid-19 pandemic opened up new avenues for attackers,” Frantzen says. “People working from home were a juicy target. Instead of technical experts doing this for fame and notoriety, the market has become more sophisticated. You can now buy software to participate in cybercrime with updates, renewals and price lists. It’s a rich and thriving ecosystem, which makes it all the more terrifying.”
Training improves digital security
Although it’s humans who are the weak link in most digital crimes, only 44 per cent of organisations have internal security training and education in place, according to the Fortinet 2023 State of Operational Technology and Cybersecurity Report.
The potential cost of a cyberbreach is high yet the cost of training is low. Fortinet offers a free course available to any business with up to 25 employees. Improving the ‘human firewall’ at any organisation will protect the business and will also help each person reduce their own risk of being scammed. For individuals, CERT NZ has some outstanding resources and practical advice.
Phishing a leading cause
One cybercrime movie trope holds true: the easiest way to get access to a big organisation is to get an individual’s credentials. Remember the scene in Ocean’s 8 where Nine Ball, Rihanna’s character, designs an email about Wheaten terriers to phish a target? The top method of entry for corporate ransomware has, for several years, been email phishing, according to the Fortinet 2023 Global Ransomware Report.
“We’re seeing a rise in the use of authorised credentials to attack organisations,” says Frantzen. “The criminals have a real password and login, often harvested through confidence schemes or password re-use rather than malware or any advanced technological attack.”
“It might be that the employee signs up to a personal service at home and uses their work password. When that service is attacked, they have the employee’s name and password, and the first thing they do is try it against a bunch of other services and your workplace.”
“You can no longer rely on a ‘sniff test’ where spelling and grammatical errors tell you it’s a scam,” Frantzen says. “With artificial intelligence and ChatGPT, it’s easy for anyone to make an email or text read naturally.”
Finally, don’t overlook children’s devices. These can be a threat to your household or your work-from-home business. “Kids are heavy digital users, and they present just as much risk as adults,” says Frantzen. “Fortinet has also released a children’s book to help teach them about safety online because you should make sure they’re also updating systems, looking out for suspicious links and not re-using passwords.”