What are the key trends within this sector, from password security to the need for security education at all institutions: schools, businesses, governments? Urban Schrott, IT Security and Cybercrime Analyst at ESET Ireland explores the answers to this question.
There is an online scam that has dwelt amongst us for over 25 years now. Millions upon millions of online users have encountered it, but despite many being able to recognise it, the reality is that there are still people who are deceived by it. For some it’s down to naivety and ignorance; for others simple curiosity. In the end, they all end up as victims.
In case it’s not clear what I’m referring to, it is the infamous ‘Nigerian scam’ or ‘419 scam’, that has only gained strength with the advance of technology and, over time, has spawned many variants which eventually migrated to email. Scams that offer something for nothing but turn out to require some form of advance payment, in return for empty promises of a reward, are often referred to as advance fee fraud.
After so many years, we still see messages on social networks and websites with the same type of ploy:
“A millionaire has left you €1,000,000!”; “You won the lottery!”; “You have been selected for a dream holiday trip!”, etc. The Covid-19 period even brought a few of its own variants, as people remain vulnerable to psychological manipulation and social engineering.
Cybercrime: Ruthless and efficient
Modern cybercriminals come armed not only with different types of malicious software and social engineering techniques, but also with ‘business plans’ for extortion and extracting some sort of payment from their victims. Cybercriminals are becoming increasingly ruthless, to the point that even industries such as healthcare are being attacked.
For a decade now, we’ve also talked about the growing trend of malware in mobile devices. We are seeing increases in cyber espionage, targeted attacks and privacy threats; IoT devices have been falling victim to attacks; and the number of annual victims of ransomware continues to rise.
All these types of threats, which have developed over time, have one thing in common: the point of entry is often the user. Attackers continue to entice victims with deceptive emails and messages on social media, encouraging naïve and, in many cases, irresponsible behaviour.
We have reached the point at which we need to stop talking about security risks in generic terms. It is critical that users, whether corporate or individual, are aware of the types of attacks that can affect them. From email fraud to information theft, all threats must be taken seriously, and it is important to take the necessary measures both in terms of technology and raising awareness, to be able to avoid them.
The importance of awareness
At ESET we firmly believe that security is not only a matter of technological solutions, but we also need to help each other when it comes to protection. Most computer users still do not have sufficient training on this topic, and while many recognise the threats to their computers, they do not have the same awareness when it comes to their mobile devices and their IoT devices. We see threats continue to spread to all types of devices that are connected to the internet and that handle sensitive data. It is vital to be aware of security at all times, from personal devices with a WiFi connection to critical infrastructure.
Technology’s rapid advance equips cybercriminals with increasing numbers of tools they can use for cyberattacks, and this won’t stop if users are not educated about them. We cannot allow its increasing sophistication to enable it to turn against us.
The means of protection must keep pace with the realities of cybercrime. This is why education is vital. If users come to recognise that using passwords as the sole means of online access presents a security risk to their personal data, then they can also recognise that using two-factor authentication, which adds a significant extra layer of security, will tilt the odds back in their favour.
The challenge, in addition to enabling them to recognise the threats, is to arm them with security tools that help them keep their information safe and secure. In the absence of such tools, the continued growth of threats and attacks is all but guaranteed.
Likewise, the best way to guarantee the confidentiality of information is to make use of encryption technologies for all forms of communication. As for ransomware, the best way to protect yourself from permanent loss of personal information is ensuring proper – including offline – backups are in place for the most sensitive or important data.
However, the adoption of these technologies starts by acknowledging the threats, which can only happen if there is a base of users who are educated and able to determine what they should be protecting themselves from, and thus the best way to protect themselves.
Education makes a big difference
For all of us working in the world of information security, no maxim has proven truer than that which says the weakest link in the chain is the end user.
There is an increasing volume of security information available, but the number of people who are skilled enough to perform the tasks necessary for defence is dangerously low. We must, therefore, see education as the fundamental factor that makes the difference. Given that training new professionals to work in information security will not happen immediately, the focus of the immediate future should be on building awareness among users of basic internet security measures.
So, the big challenge for those of us who are responsible for security is to turn ourselves into the first line of defence of information. Educating users about current threats and how they spread can make all the difference in reducing the impact of cybercrime in the future. We should not forget that security is the responsibility of everyone and not exclusive to those working in IT.
These days, information is equally critical whether handled by a reporter or by an executive; and even more sensitive for healthcare professionals and the medical records they handle on a daily basis. Active participation by governments and companies to protect this information is necessary.
We have reached a point where education on security issues must be handled in a formal manner, and companies should not simply relegate these issues to be covered as a one-off when inducting new employees. It must be a continuous and ongoing effort. End users must feel they are a part of the entire security chain and must understand firstly that these threats do exist, and secondly, that the necessary mechanisms to use technology securely also exist.