According to the Securities and Exchange Commission (SEC), the average cost of cyber breaches it studied increased an astounding 50 percent in 2018 – hitting $7.5 million.
In the past, one of the most frequent breaches relied on bare-bones phishing attacks sent out in bulk to compromise user credentials – often hitting the rank and file who unwittingly clicked on links that allowed attackers to gain access to devices and networks.
What has changed and will continue to grow in 2019 is the alarming increase in more sophisticated and microtargeted spear phishing attacks. According to the 2018 BDO Cyber Governance Survey of 145 co-directors at public companies, there was a 70 percent increase in spear phishing attacks in 2018.
These attacks – custom designed for the individual user and increasingly spoofing communications from executives in what is known as “whaling” – leverage personal information secured in advance, often from a prior breach. Tech Republic reports that more than 90 percent of cyberattacks and the resulting data breaches now begin with spear phishing attacks.
Whereas it was often easy to discern the more rudimentary phishing attacks of the past due to misspellings, poor grammar or just a lack of institutional branding on the messages, the latest evolution of spear phishing makes it harder for end users to discern whether a communication is truly from a trusted source.
The elements of the spear phishing attack are well designed to impersonate a familiar colleague, boss or business partner, and/or timed to land in the recipient’s in-box with an urgent message or specific details when an action is expected – all in the hope that the user will be fooled into thinking the message is legitimate. These attacks especially target specific personnel who have access to critical data and finances – IT, accounting, finance and human resources, and even the top dogs in the C-suite.
For instance, in November the U.S. government, think tanks, law enforcement agencies, and media, pharmaceutical and business information services companies were all targeted in a large spear-phishing campaign by the same hacking group that hacked the Democratic National Committee in 2016. The messages claimed to be from a U.S. State Department official and had links to a compromised, legitimate website that had been hacked earlier. From that base of operation, the hackers could then compromise the credentials of unwary users to gain access to the networks of the other organizations as well.
Pivoting at the Speed of Cyberthreats
It is hard for organizations to pivot at the speed of cyberthreats they face today. In fact, many organizations still rely on traditional usernames and passwords in the false hope that this will help them beat back the spear phishing beast. Sure, security products on the market today can detect and often prevent users from clicking on malicious links. Yes, you can and should continue to proactively provide regular security awareness training for employees to put up that crucial first wall of defense.
None of that is enough. In fact, if that is all you are doing, you’re putting a big bullseye on your corporate infrastructure. It only takes one breach to compromise your organization’s resources and, ultimately, its bottom line. That bullseye gets magnified even more – and the costs rise exponentially – once you go beyond your local network and start reaching out into the cloud to manage your business applications.
The vast majority of identity management solutions, by themselves, are almost useless. Usernames and passwords are a trap to make you think you’re secure from spear phishing attacks, when in reality you are far from it. In fact, Verizon’s 2018 Data Breach Investigations Report says stolen credentials are the most common cause for breaches.
What is needed to more effectively combat these more sophisticated spear phishing attacks today is to combine identity management with multiple factors of authentication. However, multi-factor authentication in its current form can come with its own baggage – it can be too expensive; it can be too difficult to manage and maintain in the case of physical and even SMS tokens; it can be inconvenient to roll out to the entire organization; and it can make the life of end users much more complicated.
Even using biometrics as a factor of authentication has its own holes. Hackers can figure out the code for the specific body part used for authentication or create/steal a copy of the biometric data – such as for your fingerprint or eye. Once they have that information, they have your identity.
Focus on Context of Access
The goal for any organization should be to create a strategy to enable a more secure environment where you know who the end user is and where they are – while making the end user’s job easier all day, every day. Context of access is at the forefront of this shift.
With Context of Access, deciding whether to grant access involves far more than correctly identifying users and confirming their authorization level. Enterprise organizations can combine multiple factors of authentication along with the user’s credentials to create much stronger access control. This can also be done behind the scenes, so it is no additional burden to the end user.
One way context of access is making security stronger is by binding the user’s credentials to a specific hardware device (or multiple devices) – so even if someone is able to steal/phish a user’s credentials, the hacker still could not get in because they didn’t have the authorized hardware device. You can also combine the user’s location and security certificate, or even to check if the anti-virus for the device is up to date. Context of access enables you to uniquely identify users, more effectively control access to critical resources, and prevent stolen credentials from compromising your organization.
Additionally, as one or more of those attributes change, your organization can set security policies to allow or deny access – either totally or partially. For instance, if a user who was connected through a laptop on your secure, internal network moves to a public Wi-Fi connection at the Starbucks down the street, the user’s authorization for access can change along with it. A user accessing information is not just that person and his or her credentials – it’s also that person’s location, device type and status of the device, among other factors. This is what we mean by context of access.
With context of access, your organization can consider any combination of factors for how access is provided to users, allowing you to detect and manage the complexities of almost any scenario imaginable. This provides significantly greater control over providing or blocking access to each specific resource – while not placing an overwhelming burden on the end user. In fact, in a world where “security” typically means more work for the end user, organizations who use context of access can actually make access easier for your users…while making your organization much more secure.
In today’s always-on world, when users may access your network through as many as three or four hardware devices, managing access plays a critical role in ensuring the security of your organization’s infrastructure. Organizations that can marry the identity of devices with the identity of the users, and then use the context of access to thwart hackers – even those hackers who are trying to use compromised credentials to do long-term damage to your network and organization.