There is no denying that cybersecurity should form a key part of any business strategy, so why do high-profile data breaches keep occurring? A lot has been written about how such attacks are becoming the norm, but reconciling the risks of an attack with an appropriate business strategy remains a significant challenge.
While larger enterprises are indeed getting far more vigilant and taking measures to mitigate the chance of a breach, humans remain the biggest threat to even the most comprehensive cybersecurity strategy.
A new report aims to shine a light on how and why business leaders are caught off guard by such attacks, looking at how business leaders can be made aware of the risks of a destructive breach and the damage that can be caused. I also spoke with Candace Worley of McAfee about how we can utilise the best of both humans and machines to effectively and efficiently combat cybersecurity threats.
Phishing for a way in
The report by secure collaboration platform Wire, entitled “Odds of a Bad Bet,” illustrates the risk of cyberattacks using “odds” compiled by World Series of Poker champion and science communicator Liv Boeree. These odds compare different levels of cybersecurity threats and link them to everyday events and common casino tropes. The premise of the report is that for businesses to implement an appropriate cybersecurity strategy, business leaders must fully grasp the risks they are facing in order to permeate good cybersecurity practices throughout an organization. The odds compiled by Boeree put the risks of poor cybersecurity awareness into stark focus. Boeree states that “there is a 50/50 chance of your company suffering a costly DoS [Denial of Service] attack over the next twelve months,” and that the chance of avoiding a malware attack in the coming year is “as unlikely as pulling the Ace of Spades from a shuffled deck on the first try.” One particular element of vulnerability that the report keeps returning to is that of email systems and the people using them, building on the widely cited statistic that email phishing is the root cause of 96% of all data breaches.
To put the risks of phishing attacks in perspective, Boeree draws from her experience in casinos, claiming that “your chances of spotting a phishing email are as slim as hitting a specific number on the roulette wheel.” Boeree also finds that “an employee is three times more likely to infect a colleague with a malicious email than they are to spread flu to a partner.” This particular threat is not likely to die down any time soon, and phishing attacks are becoming increasingly sophisticated, to the point that Google itself struggles to catch them all. The fight against phishing may soon be buttressed by a younger generation of workers, however, who are used to using secure and encrypted communication platforms such as WhatsApp and Snapchat in their personal lives, and expect the same level of protection in their professional communications. The expectation of a high level of security from the incoming workforce, and the view of email as antiquated compared to platforms such as Slack, Skype, and Wire, could help to spread good cybersecurity practices within an organization and complement existing cybersecurity strategies.
Humans and machines
Despite the persistent threats of phishing attacks and human oversight, larger enterprises do in fact understand the risks and have strategies in place to specifically target these problem areas. “Most organizations have become pretty diligent,” says Candace Worley, vice president and chief technical strategist at McAfee. “If you’re large enough to have a dedicated security team then you’re already doing security awareness outreach to your employee population.” As the largest attack surface of any organization, email phishing is understandably a major priority for these enterprises. “Most of the enterprises I work with actually send out fake phishing emails to their employees,” says Worley. This strategy helps to identify those people who are consistently falling victim to even seemingly obvious phishing attacks, and Worley argues this practice “is an integral part of keeping cybersecurity diligence at the front of your employees’ minds.” In McAfee itself, these “phishing expeditions” also serve to keep employees on their toes: “at least in our company, if you click on that email and have to go to training then people are going to shame you, I assure you!” jokes Worley.
Raising awareness around cybersecurity is just one piece of the puzzle, however, and Worley details how instruction-led automation and advanced AI can be used to address other pressing issues. “Many organizations are now using instruction-led automation in patching known vulnerabilities,” says Worley. “That in and of itself significantly improves an organization’s defence against hacks.” Cybersecurity automation should be applied where it will be most helpful, however, and not as a catch-all solution to a very nuanced problem. “For any given enterprise, there are an average of 3.2 billion security alerts per month. Out of those, 31.3 events are actual credible threats,” states Worley. “AI is designed to sift through data where it would be impossible for a human to do so.” While both instruction-led automation (when patching, for instance) and advanced machine learning techniques are incredibly useful tools for improving the efficiency and efficacy of cybersecurity, Worley is clear to point out that “human-machine teaming” is still very much necessary. “AI really has no common sense to determine acceptable or malicious anomalous behavior,” she states. “So much information is derived from experience and is not documentable, and AI can’t incorporate that into its learning.”
Hedging your bets
Cybersecurity is a multi-faceted and ever-changing problem that will only become more challenging as technology advances. Helping business leaders, and indeed employees, to easily comprehend the risks (by comparing the chances of being hacked to a coin flip, for instance) is a crucial step towards implementing a comprehensive cybersecurity strategy and avoiding the risk that comes from the opening of a single email.
Leveraging automation to tackle both routine and complex threats is also going to be increasingly important, as the ability of AI to both perpetrate and defend against attacks increases. Leaders of organizations of all sizes are certainly waking up to the risks posed by a rise in internet-enabled systems, and to the ever-improving abilities of hackers looking to exploit any vulnerability to gather sensitive data. Educating people to be more vigilant against the most common attack surfaces, and using automation to address larger-scale threats, will be the best defence against pernicious threats both old and new.
Edit: At time of publication, Candace Worley is no longer with McAfee
Originally published at https://www.forbes.com.