
Forget about the firewall: Employees are first line of defense against cyberattacks

Anurag Sharma, principal with WithumSmith+Brown’s cybersecurity services. (Photo: Aaron Houston)

The first anecdote cybersecurity expert Anurag Sharma reached for when describing a client’s experience with a cyberattack was not one involving a highly adept plundering of vulnerabilities in a company’s complex digital security network. It instead started with a simple email from one of the client’s executives to the HR department, asking for a report loaded with employee information, such as Social Security numbers. The head of the HR department complied, and later asked the executive in person whether he had received the report and needed anything else.

His response? “What report?”

Sharma, a principal with WithumSmith+Brown’s Cyber & Information Security Services Group, said the client learned that a spoofed email account closely matching the executive’s had tricked them, compromising the personal information of 1,000-plus employees.

As Sharma and other cybersecurity experts will tell you, some of the most detrimental cyberattacks a company can face — even with all the advances in technology that have been made — come in the form of bogus emails, the internet’s first and still most effective mode of attack.

It sounds like an absurd notion — that millions can be spent on the best of firewalls, but that a single mistaken click on a bad email link or attachment can sink the ship. But the truth is, as industry experts say, it’s just much easier for cybercriminals to do that than come up with ways to get past advanced security programs.

The logic behind it isn’t complicated; Sharma used a quote from internet pioneer Bruce Schneier to convey it: “Amateurs hack systems, professionals hack people.”

Lindabury, McCormick, Estabrook & Cooper P.C. partner Eric Levine, an attorney specializing in cybersecurity, said the approach is one that exploits features inherent to human nature.

“It’s preying on people’s inquisitive side,” Levine said. “And you can’t buy a firewall for that.”

As unsophisticated as it sounds, that’s why a cybercriminal might do something like leave a virus-laden flash drive inside a company’s office, counting on someone who is simply curious to find out what’s on it to plug it into a machine and activate it, Levine said.

“Yes, there are hackers who are out there who are trying to break through firewalls through different approaches, including state-sponsored actors, and there are many technologies to protect against that,” Levine said. “But it’s the social engineering — (stuff like) phishing scams — that capitalizes on mistakes people make that are the easiest tools to utilize.”

Phishing scams, attempts to steal sensitive information through fraudulent email messages with links that direct people to illegitimate websites, are particularly popular today, according to Sharma.

He said these attacks have increased in frequency even within the past six months, though he added that there’s typically a ramp-up of these often identity-stealing attacks leading into tax season — for obvious reasons.

And although this technique has been around for nearly as long as the internet has, Sharma said social media has enhanced hackers’ ability to disguise it.

“If I’m a hacker and if I want to target the CEO of an organization, I want to come up with an email that looks as genuine as possible,” he said. “Research can be done on social media pages, such as looking up friends or potential clients on LinkedIn … to use language that makes it sound authentic.”

Even the worst email imitators can count on occasionally slipping through the cracks, because business executives can receive 200 or more emails in a day and even a regular employee faces a daily deluge of email.

“Another problem we see is that it’s tough for someone to fess up, so to speak, if they were the ones that clicked on the bad link,” Levine said. “They’re ashamed or afraid that they’ll be subject to discipline. And it’s part of the problem, because if employees don’t mention anything, then you’ll have a much harder time dealing with it upfront.”

In cases in which a slip-up does occur, Levine said that it’s important to encourage employees to notify someone immediately. He believes that should be emphasized by employers over the threat of an employee being held personally accountable.

“If you have an environment in which every time an employee makes a mistake like that they’re not going to tell you, then the ramifications are going to be much deeper than that possible discipline,” Levine said. “You could lose data and, worse, jeopardize personally identifiable customer information, potentially exposing you to liability under any regulation governing data.”

Even as a professional intimately familiar with the cybersecurity sector, Levine admits he nearly fell for an email con that was later determined to have concealed malware. It was detected only because he brought it up to the information technology professionals he works with.

In promoting what he and others call the “human firewall,” cybersecurity experts stress the need for employees to have significant training on what to do when they spot an attempted attack and who to report it to.

“You see it in articles; there are two types of companies: those that have been breached and those that don’t know they’ve been breached already,” Levine said. “Employees are the first line of defense in dropping the rates of breaches very significantly.”

The statistics bear that out: various sources indicate that up to 80 percent of ransomware — an alarming threat to enterprises today — is delivered through traditional techniques such as scam emails opened by someone within an organization.

But then again, hackers wouldn’t be the nuisance they are if they didn’t know how to adapt.

Paul Rohmeyer, a professor at the School of Business at Stevens Institute of Technology who is conversant with cybersecurity-related research, said that when it comes to eliminating risks in this area, there is no single best answer for reducing the incidence of cyberattacks.

“The way these attacks have been executed today doesn’t mean we’re going to be able to design risk treatments that are going to be effective in the future when these adversaries become more innovative,” he said. “That’s what makes an understanding of the nature of (cybersecurity) risk and the best approaches to treat it complicated.”

When examining an enterprise’s susceptibility to attack, Rohmeyer said, it’s difficult to identify how an array of risk dimensions may line up against a particular organization at a particular time with a particular set of adversaries using particular tools.

In short, no one has a crystal ball in digital form.

“This has been a challenge and it’s getting more and more substantial,” he said. “The ultimate reality we’re faced with is that we can’t view analysis of risk in the way we think we can.”

The takeaway for businesses is to maintain a good understanding of the threat landscape, but not to count on the cyberattack playing field staying the same forever.

“Staff has to be well-educated, well-prepared but also open minded to the fact that during any particular incident something might be happening that’s totally different — something that can’t be solved through the usual checklist of approaches,” Rohmeyer said.

Brett Johnson