Cybersecurity’s weakest link: humans

The conversation around cybersecurity has taken precedence in the technological age among cyber experts like Arun Vishwanath of New York. The recent burning issue in cybersecurity is spearphishing attacks. Incidents like the 2016 breach that compromised 20 million federal employee records at the Office of Personnel Management, and the US ransomware attacks that cost over $200 million in three months, were all the result of spearphishing. “Old-school” or generic phishing attacks tricked recipients into responding to emails with personal financial information. Spearphishing attacks are far more vicious: they persuade victims to click on a hyperlink or attachment that deploys malware, granting attackers access to the user’s computer or the entire corporate network. The reason we are unable to stop such attacks is social engineering: the attacks are highly personalized, which makes the deception really hard to detect. Technical defenses like antivirus software and network security monitoring are meant to ward off such attacks, but through spearphishing, attackers assume the role of trusted insiders and legitimate users, rendering those protections useless.

The main target of spearphishing attacks is humans, so we need to build better defenses around people. This requires understanding why people fall victim to such attacks in the first place. To that end, experts like Mr. Vishwanath have built SCAM (Suspicion Cognition Automaticity Model), using simulated spearphishing attacks to record the weaknesses in people’s online behavior. They recorded two primary reasons behind people’s victimization. The first is the natural instinct for “cognitive efficiency”: seeking maximal information with minimal mental effort. People take mental shortcuts that are triggered by logos, brand names, and similar cues. The second is the inherent misconception that online actions are safe, which lowers their defenses. Moreover, habitual technology use, where people routinely check their messages, social media, and emails while doing other things at the same time, greatly reduces the mental effort they put into the activity.

This is where the model built by experts like Mr. Vishwanath comes in: it lets companies measure each employee’s susceptibility to spearphishing attacks. This allows them to equip each employee with the discerning online practices they lack, making them more conscious, aware, and responsible users.

For more information, please click on https://www.arunvishwanath.us/2016/05/05/cybersecuritys-weakest-link-humans/ 
