Dubai: There is a new frontier in the battle for online security: Offline security.
In an industry where every connected device, mobile network, and Wi-Fi connection is seen as a threat, some experts argue the biggest risk is the human being at the other end of that connection.
“We’ve done a really good job of protecting networks, infrastructure, and hardware,” said Martin Mackay, senior vice-president of cybersecurity firm Proofpoint, “but the challenge is that the cyber criminals are incredibly clever, and they’re going to look for the most vulnerable point of the organisation.”
“And the most vulnerable point of the organisation is essentially people,” he added.
Research suggests that around 91 per cent of cyberattacks start with phishing: an attempt to lure someone into clicking on a malicious link that then takes control of their system.
“Smart people can be duped,” Mackay told Gulf News at cybersecurity conference Gisec on Monday, “this isn’t just a bot using brute force.”
“This is incredibly clever behaviour.”
The now-infamous Democratic National Convention hack — which took place ahead of the 2016 US presidential election — was believed to have been triggered by a number of high-profile officials, including campaign chairman John Podesta, falling for such email phishing attempts.
Often, Mackay said, hackers would attempt to compromise the systems of employees at companies because of the access they possessed.
Using the example of a bank, the executive said it would be more beneficial to hack a loan manager than the CEO, because having the authorisation to approve a transfer of $250,000 (Dh918,250) provided sufficient return on investment.
Proofpoint says it provides intelligence to companies on who their most attacked employees are, and why they’re being targeted.
“We practice a big education programme with companies, to target the most crucial people,” he said.
This education seeks to open employees’ eyes to the often-subtle threats they face via email every day, and trains them to be aware of how their online footprint might be manipulated.
Social engineering of the paper trail many leave online plays a big role in phishing attempts, according to Mackay.
Using the example of people who state they are volunteers at dog shelters on Facebook, he said that attackers would use this personal information to create a sense of urgency.
“They’ll say there’s a stray dog that’s going to die” if the user doesn’t log in to a spoof website immediately, he said.
Even oversharing on LinkedIn could cause trouble.
“Fundamentally, without getting too existential, we trust people,” Mackay said. “If I put up my job title [on LinkedIn], the bad guys might wonder what level of authorisation I have to approve transactions, and so on.”
“If I say I’m a loan approver at a bank, then I’m an absolute target.”
Mackay said that rather than telling people to minimise their online presence, Proofpoint simply advised company employees to be more aware of what was an authentic email, and what was a phishing attempt.
“Our recommendation would just be to be aware,” he said. “It wouldn’t necessarily be to come off LinkedIn or come off Facebook.”