Ever since Charles Darwin introduced the theory of evolution in 1859, we have been aware of the continual process of change in the natural world. Things are no different in the world of crime. When money was held in bank vaults, criminals used ingenuity and cunning to steal cash and valuables. These were the days of safe crackers and criminal masterminds, of explosives and getaway cars, of cops and robbers. But change, as we know, is inevitable. As our business practices moved online, thieves adopted a new modus operandi, developing their skills as cyber criminals.
During this evolution, data replaced diamonds and the nature of criminality evolved. Just as in Darwin’s findings, we have seen an explosion of mutations which respond to individual environments. And just like the species Darwin studied, it is evident that the process does not stand still. What we must remember in this scenario, however, is that the evolution of cyber crime is vastly accelerated by ingenious minds, who are continually seeking new ways to attack.
We know that the main advantage hackers have is their ability to respond with agility to the changing face of data security. While businesses are often addressing the issues of yesterday, hackers are looking at the potential attacks of tomorrow. So while businesses shore up their online defences, testing for known threats, cyber criminals are developing their technical skills and identifying new strategies.
A recent example of this was the spyware injected through a vulnerability in WhatsApp. Although the gap was swiftly patched by WhatsApp, we saw a new threat: the spyware could be injected into the smartphones of individuals via a cleverly crafted call, without them even needing to answer. Once installed, the spyware could turn on a phone’s camera, scan emails and messages and collect the user’s location and data.
Another development has been the increase in phishing attacks. While automated tools scan incoming emails for threats, phishing attacks rarely contain anything which can be identified. Phishing attacks simply exploit the human element, lulling unsuspecting individuals within a company into a false sense of security and persuading them to part with access details for network systems. Claiming to be from trustworthy sources, these emails, texts or websites may appear, at first glance, to be genuine. And they can disappear almost as quickly as they appear, making it hard to identify or trace them. The first many know of it is when they discover their system has been breached.
One particularly ingenious type of phishing attack first appeared in 2017 but is still being used because it preys successfully on the unsuspecting and (potentially) vulnerable. These are the fake job adverts which get people to complete application forms which divulge sensitive personal information. Sometimes these scams trick individuals into calling premium rate phone lines for interviews, participating in money laundering via work-from-home scams or paying extortionate fees for non-existent background checks, online training, visas or insurance. SAFERjobs, a non-profit organisation created by the Metropolitan Police, claims that in the last two years we have seen a 300 per cent rise in recruitment-related fraud.
So how can we defend ourselves from these ever-evolving threats? Vigilance and caution will go some way to protecting us. Staff awareness and training are also invaluable strategies. But to really outsmart some of the smartest minds we need to think like them. We need to move from being one step behind to one step ahead. We need to examine our own systems for weaknesses, to probe, test and constantly amend our business practices.
Any business wishing to gain current and valuable knowledge of the day-to-day threats facing all staff members can enlist a trusted third party to simulate social engineering attacks and provide follow-up training to make sure any knowledge gaps are filled. The team at SRM can safely and securely build an attack scenario to test how the organisation would respond to a real and malicious attempt of this nature.
In addition, a full test and exercise strategy includes a thorough examination of your Business Continuity and Incident Response plans and can include policy reviews and a report full of suggested remedial actions. In short, there are a great many ways in which we can seek to evolve in the same way that today’s cyber criminals do. And moving into the second half of 2019, it has become very evident that the most dangerous thing is to do nothing.
To find out more about how SRM can help you, contact Mark Nordstrom on firstname.lastname@example.org