With consumer phishing email at an all-time high and Business Email Compromise (BEC) costing Australian businesses $3.1 billion since January 2015, it's more crucial than ever that people are aware of the methods attackers use to compromise a business.
BEC involves an 'actor' pretending to be someone senior in an organisation and requesting that a colleague wire money to them or hand over 'top secret' company information. Phishing is also a huge concern; many people don't question the 'from' field in an email, even though that field is written by the sender and on its own is no proof of who actually sent the message.
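Because the From header is sender-controlled, a defender has to look at what surrounds it: whether a known executive's display name is paired with an outside address, whether the domain is a near-miss of the real one, and whether Return-Path or Reply-To point somewhere else. The checks below are an added example written for this article, not code from Proofpoint, Votiro or any vendor quoted here. The company domain, the executive list and the three sample messages are all constructed for illustration.

```python
"""Header checks for suspected BEC / display-name spoofing (added example).

Assumes a fictional company domain and a small executive directory;
all sample messages below are constructed, not real mail.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # constructed directory


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to flag lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing odd."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # 1. Display name of a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name spoof: '{name}' from {addr}")

    # 2. Lookalike domain: within two edits of the company domain, yet not equal.
    if (from_domain and from_domain != COMPANY_DOMAIN
            and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2):
        findings.append(f"lookalike domain: {from_domain}")

    # 3. Header From and envelope sender (Return-Path) disagree on domain.
    _, ret = parseaddr(str(msg.get("Return-Path", "")))
    if ret and _domain(ret) != from_domain:
        findings.append(f"return-path mismatch: {_domain(ret)} vs {from_domain}")

    # 4. Reply-To steers any reply to a different domain than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        findings.append(f"reply-to mismatch: {_domain(reply)}")

    return findings


# Constructed sample messages.
SPOOFED_MESSAGE = (
    "Return-Path: <bounce@gmail-mail.example>\n"
    "From: Jane Doe <jane.doe@gmail-mail.example>\n"
    "Reply-To: <jane.doe.ceo@mail.example>\n"
    "To: finance@example-corp.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached transfer today.\n"
)
LOOKALIKE_MESSAGE = (
    "From: Accounts Payable <ap@examp1e-corp.com>\n"
    "To: finance@example-corp.com\n"
    "Subject: Updated bank details\n"
    "\n"
    "Our remittance account has changed.\n"
)
LEGITIMATE_MESSAGE = (
    "Return-Path: <jane.doe@example-corp.com>\n"
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: finance@example-corp.com\n"
    "Subject: Board pack\n"
    "\n"
    "Attached as discussed.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE),
                       ("lookalike", LOOKALIKE_MESSAGE),
                       ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, assess_sender(raw) or "no findings")
```

These checks are heuristics for triage, not a verdict: a legitimate bulk mailer can produce a Return-Path mismatch, and SPF/DKIM/DMARC results (not modelled here) should be read alongside them before a message is quarantined.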
Even if a company has a sophisticated email security strategy, some phishing emails will always make it to the inbox. Verizon found that 30 per cent of targeted recipients open phishing messages and 12 per cent click on malicious email attachments.
Tim Bentley, Managing Director of Proofpoint, told The Huffington Post Australia that because email is the most widely used communication channel for business, attackers will continue to find new ways to use it to their advantage.
"BEC is expected to intensify this year as cyber criminals set out to trick employees. This often involves an attacker sending a convincing email, pretending to be the CEO, CFO, or external vendor, and requesting a wire transfer or confidential information," Bentley said.
"You must make sure you educate your employees and create processes staff can follow if they suspect anything fishy. It's also important to invest in technology that can detect and classify these fake emails by analysing the reputation of the email sender automatically. Because BEC attacks often do not contain malicious links or attachments, they can fly under the radar of ill-equipped security technology."
Bentley predicts 2017 will see attackers opting for smaller, more targeted and sophisticated campaigns to send malware through email, rather than relying on high-volume 'spray and pray' techniques.
"Attackers will research employees' personal information and activity online and leverage these details to convince them to click a link and/or download a document that subsequently infects their device."
Bentley believes the best way to combat personalised, socially engineered attacks is to pair awareness programs with advanced email security solutions, which identify and quarantine these emails before they ever reach an employee's inbox.
Itay Glick, CEO and co-founder of Votiro, told HuffPost Australia the three key elements to good protection are training, detection and protection.
"Training will only take you so far. When someone in the HR department receives an email from a job applicant with a CV, they will most likely open this file. They are simply doing their job and through doing so, can put an organisation at risk," Glick said.
"Good detection systems are important but often will pick up the issue only after the fact. That leaves proactive protection. A good, all-encompassing cyber security infrastructure that takes into account training, procedures, systems patching and systems hardening is a smart move, though it would not be sufficient to mitigate Zero-Day attacks."
Social media is a key cyber security threat, as most organisations have some sort of social media footprint that attackers can piggyback on.
"We predict social scams and phishing will grow as much as 100 percent during the remainder of 2017, as attackers create fake support accounts to prey on customers seeking assistance. Cybercriminals use these accounts to steal customer login credentials, identity information, and financial data," Bentley, from Proofpoint, said.
"Organisations can protect both their brands and their customers from digital risk by ensuring that their social media footprints are constantly monitored and their social teams are made immediately aware of any fraudulent accounts that pretend to be associated with a particular brand."
SuperChoice CIO Ian Gibson believes the biggest cyber security issue is passwords. People must be aware that using unique passwords is key to preventing major security breaches.
"If one employee is hacked, sophisticated hackers may then have the ability to hack their employer's systems and gain access to confidential data and potentially funds. If an individual's bank account is hacked, generally there is a limit on the amount of money that can be transferred out of their account. Business accounts don't tend to have the same limits, so large amounts of cash can be stolen," Gibson said.
"This is particularly important for B2B businesses as potential security breaches can not only impact the business itself and its employees, but also its client base. We are constantly upgrading and innovating our security capabilities. A practical example of this is a voice authentication pilot we currently have underway, which uses two-factor authentication to optimise protection against cyber attacks."