Furthermore, according to the Cisco 2018 Annual Cybersecurity Report, 65 percent of email is spam and 8 percent of that spam is malicious. 38 percent of malicious files arrive via email and in Microsoft Office formats such as Word, PowerPoint and Excel. Symantec reported that in 2017, 71 percent of all targeted attacks started with spear phishing to infect their victims, attacks that install backdoor malware on devices.
All of this is a big deal for enterprises. In the U.S., phishing scams cost businesses up to half a billion dollars per year, while attackers use ever-more sophisticated ways to get users to open phishing emails: one scam, with emails disguised as airline flight confirmations, tricked employees into opening them 90 percent of the time. Phishing is a successful tactic. So much so that there are now 1.39 million new phishing sites created each month according to security firm Webroot.
My home of Hong Kong has recently been hit with major phishing attacks, with the Hong Kong Monetary Authority (HKMA) in January 2018 alerting the public to a phishing attack on banking giant HSBC, while bitcoin traders in Hong Kong have also been on the receiving end.
Why is phishing so successful?
One reason phishing has become so successful is that users and organizations are experiencing information overload, or "infobesity," through the sheer scale of data generated and transmitted every day. The knock-on effect of today's data explosion can be that users end up being less cautious about what emails they open and therefore less likely to detect phishing attempts.
Cybercriminals are astute enough to recognize this and take advantage of it, by customizing content and leveraging users' own shared social media information to create tailored, authentic-seeming emails. Users are often insufficiently trained about phishing and how it is used to deliver ransomware, and this, coupled with the sheer amount of data they handle each day, makes phishing a good "percentages" attack method.
Email security more vital than ever
Ransomware attacks are the fastest-growing cyber threat around today, and phishing is its number one delivery mechanism. The driving force behind this is simply that phishing emails are simple to create and send and provide attackers with a faster return on investment (ROI). Victims are drawn onto the hook of a social engineering scheme and lured to carry out actions with no thought for the malicious consequences – basically, the less aware the target victim is, the better the chances of the attack's success.
As has always been the case, the human factor is the weakest link in the security chain. Attackers can persuade and deceive employees in numerous ways to gain critical access to sensitive data, but one thing stands out in its consistency: email.
The future of ransomware
Ransomware's simplicity and ease of use will continue to make it a popular line of attack for cyber attackers, and its methods of approach are evolving: in the past year or two, ransomware attacks began targeting industries that have little option other than to pay ransoms, such as healthcare, small and medium businesses (SMBs), governments, critical infrastructure, NGOs and education bodies. Ransomware attackers know these kinds of industries carry valuable or sensitive data, often find it difficult to fund IT capabilities and are typically subject to regulations that can tie them up in red tape and stop them having efficient backups in place.
It looks like ransomware is here to stay and will only continue to evolve as cyber attackers become increasingly sophisticated in their activities. Enterprises must take every step they can to protect themselves against it.
What can organizations do to protect themselves?
Protecting against phishing and ransomware means a lot of training. At face value, it might seem a simple approach, but training your employees to be aware of phishing as a threat and to question emails before they open them, even if they are only remotely suspicious, is the bedrock of securing your organization against attacks. Similarly, organizations should regularly remind staff to be vigilant, think safety first, and if employees do receive what they think is a phishing email, do not open it, do not download any attachments from the message, never click links in that message, and report it.
One good countermeasure employed by CIOs is to "allow" staff to make errors within a protected sandbox environment and to learn from these "mistakes" in the real world. From a technical standpoint, the IT department can disable macros from being run on computers on the corporate network, as attackers often use macros to execute malicious code and deliver malware payloads.
Another important method of defense that companies can employ is to implement solutions that identify phishing emails upon arrival at the network perimeter and stop them from even reaching the employee's inbox.
Taken together, training, security countermeasures and the right anti-phishing solutions can make your organization a safer place. The watchword now and in the future is vigilance.
You can protect yourself against ransomware and phishing. Read the new Orange whitepaper featuring research from Forrester, "Ransomware Protection: Five Best Practices."
Edmund Yick is General Manager of Orange Business Services in Hong Kong and Taiwan. He is responsible for developing and managing the Orange Business Services portfolio of business solutions for multinational enterprises.
He has over 30 years of sales and management experience and is a Commerce and Business Administration graduate of the University of Toronto.