“Approximately 90% of cyber-attacks start with a phishing email”
The Grid: As part of the InfoSec community detecting online vulnerabilities for clients, what are the most common cyber threats you see in the workplace today?
Paul Harris: If someone is determined to get into your house, they will and it’s the same for businesses as they increase their digital footprint. There are something like 400,000 versions of malware, namely malicious software, detected every single day. A lot of this malware is recycled by other cyber criminals by making the slightest changes to previous versions. In the past year in the UK alone, 76% of businesses got hit by some sort of cyber-attack.
To avoid data breaches or massive financial and reputational damage, bigger businesses have usually taken steps to incorporate cyber risk into their overall risk assessment. We are often contacted by a business, like a telecom for instance, that has developed a new product or integrated a new business system into their existing one. They want to preempt an attack with a penetration test to stress-test the protections in place as part of their cyber defense strategy. Our elite team of ethical computer hackers (white hats) look for unknown vulnerabilities that can be exploited at any time. Increasingly, cyber security has become part of the product lifecycle. Even the most robust and updated firewalls are only as good as what you already know.
Unfortunately, it is often the smaller businesses that take the risk and get hit.
The Grid: You have also identified phishing and CEO email spoofing as major threats.
Paul Harris: Yes, phishing is where hackers, posing as third parties, attempt to compromise systems to fraudulently gain access to passwords, bank account and credit card details etc. It is the most common kind of attack by far. Approximately 90% of all cyber-attacks start with a phishing email. The objective is to get the recipient to click on a link that directs them to a fake website to steal their personal information.
It all starts between the keyboard and the chair. If you’re not sure of the source of an email, check the domain (URL) to verify it or contact the third party from which it has supposedly been sent. The best way to avoid it is not to click on any links in the email or download its attachments.
We are engaged to strip the malware out of the infected phishing emails if the business has been hit and also run phishing simulation campaigns to proactively help detect weak entry points.
The Grid: What would be an example of a phishing simulation campaign?
Paul Harris: Let’s say a client has rolled out a new pension plan to their employees. We create a page that is identical to what the employees are used to seeing and then see how easily the employees click on it. We then train employees to increase their awareness of the dangers of phishing.
This kind of campaign is the best opportunity that businesses have to reduce the likelihood of an attack.
The Grid: Could you also shed some light on ‘CEO email spoofing’ scams?
Paul Harris: This usually happens in businesses where large sums are transferred across the globe on a regular basis. Someone hacks the CEO’s email account and sends an email to the Finance Director, for instance. The FD gets this urgent and authoritative email from the CEO along the lines of, ‘We need to transfer x amount of money urgently but it is part of an announcement due out in a press release next week so it’s imperative that it’s kept confidential’.
This kind of scam has also been used for urging employees to secretly send business plans, financials or intellectual property information etc.
The Grid: Finally, are ransomware attacks such as the biggest global cyber-attack in history, Wannacry, on the increase?
Paul Harris: Yes, ransomware attacks are pretty unsophisticated and therefore preferred by many cyber criminals, and the number of cases has ballooned. This kind of attack encrypts data and locks out the owner, who is then urged to ‘unlock’ the data with an encryption key in exchange for a bitcoin payment.
The good news is that public awareness is high and therefore the financial reward from these ill-gotten gains is less attractive.
This is an extract from an interview with Paul Harris, Managing Director, Secarma.
Secarma presents you with an enhanced level of security to defend your critical networks and data. We work diligently with you to eliminate security holes to ensure your digital assets are secure from cyber threats. Our security solutions provide infrastructure assurance, application layer testing and vulnerability assessments.
Interview by May Khizam, Founder & Chief Strategist, The Grid Media Ltd
This article is provided as general information to readers of The Grid Media Ltd. It does not constitute, and should not be construed as, advice on any specific matter or advice on which you should rely, nor does it create any contractual, tortious or fiduciary relationship. You should not act or refrain from acting on the basis of this information.