Andrew Parsons, UK partner and cyber security expert at international law firm Womble Bond Dickinson
With targeted and increasingly sophisticated phishing scams continually on the rise, the ever-evolving world of digital communication presents the optimal backdrop from which fraudsters can readily strike. For local government, the big challenge is the wide range of information that is held often about vulnerable people or highly sensitive information. For example, children services or support for the elderly, medical records, or matters involving social services. Moreover, local councils naturally interact with a great many people but on an infrequent basis which means it’s not uncommon for them to be contacted by someone they have never spoken to before, and this makes it easier to impersonate someone to phish for information.
How can local government protect systems and people from cyber threat and what part does human behaviour play?
Practically, there are processes and checks which can be put in place to mitigate the risk of phishing scams, but in the first instance it’s important to understand the different forms they can take.
The different forms of phishing
Employees may be able to spot the more obvious phishing emails as they tend to have a couple of common themes; they either look completely innocuous or they tap into fear, for example “your bank account has been hacked”. Hackers will often tailor emails to topics relevant at the time and they will certainly tailor it to seen relevant to an organisation. A seemingly urgent email from someone imitating a senior member of staff is relatively simple to execute as this information is online for all to view.
People often expect to only be exposed to phishing through scam emails, leading them to wrongly assume the legitimacy of phone calls and divulge information. In a recent global report by Mutare, over 47% of businesses reported that they had experienced some form of voice phishing, or vishing, in the last 12 months.
Vishing occurs when someone phones you with the intent of deceiving you into sharing personal data with them. As a method of phishing, it came before email but has been making a resurgence in recent years. Large organisations are often targeted and should be extra cautious in terms of employee training and have complete clarity on which information employees are allowed to pass on over the phone.
Multifactor Authentication (MFA) fatigue attacks is a strategy used to get around multi-factor authentication and usually take the form of fake emails repeatedly requesting access information from someone. This can lead to the recipient eventually getting so frustrated they either turn it off or hand over security codes.
MFA fatigue attacks are relatively new, sophisticated methods, however in reality they make up only a small percentage of attacks. Phishing emails are still the most common threat, and, in these instances, it is a numbers game; the hacker will send hundreds or thousands of phishing emails to an organisation looking for that one click, playing the odds and hoping they can get past the barriers for at least one individual.
Is your supply chain vulnerable?
Supply chain attacks more commonly occur when you have outsourced part of your operations, such as your HR department or payroll, for example. Rather than trying to hack you directly, the hacker may go for one of your suppliers who have weaker security and are linked into your systems.
It's not personal
Whilst people often think they have been personally targeted by the hacker, in most cases they haven’t – it is pure opportunity.
In less targeted attacks hackers don’t make decisions based on ‘interesting information’. The market value of the data is irrelevant, it’s what the value is to the organisation, to you. They will scan the internet and pick the lowest hanging fruit. That said, if they can, hackers will look to target different and specific demographics, for example the aged, the less experienced in roles and the vulnerable
Only a small number of hacker groups are using data to commit fraud, they aren’t stealing data to exploit it, they are stealing it to either sell or ransom it. There is a whole industry and eco-system based around the buying and selling of stolen data, running behind hacking attacks. In terms of how you get this information back; in most cases they send a ransom note. Some even provide instruction manuals and operate helplines to help victims to make payment of the ransoms
Human behaviour – a vital piece of the puzzle
Human behaviour plays a vital role in ensuring organisations and people stay safe and protected from the threat of phishing.
In the phishing space, human behaviour is critical. Ensuring everyone in your organisation has had regular training so they know the signs to look out for, as well as having a level of consciousness about their own data security are key.
You can also subscribe to various threat intelligence services which keep records of all the current known ‘scams’ so you can set up systems to weed them out and filter before they even get through to inboxes. However, keep in mind that you can’t filter everything.
Andrew Parsons can support with helping organisations maintain good cyber security practices and handling to data breaches.
For more information, visit: www.womblebonddickinson.com/uk/insights/hubs/reconnect