What comes to mind when you think of the causes of data loss? Hacking, viruses, natural disasters, power outages, and user error are the common culprits. But don't you think we tend to sort malicious, cybercriminal schemes and user error into separate buckets? When you review many security reports, the two appear mutually exclusive. In reality, they're more closely related than you'd think, as we depict in our latest humorous video.

User error, for instance, takes many shapes. It could be due to flippant behavior like leaving a computer unattended or knowingly accessing low security websites on company devices. Then again, it's harder to blame humans for being the agents of their own demise when you consider the prevalence of intelligent social engineering tactics that subtly break down security defenses in an organization.

In fact, findings by Federal Computer Week as relayed in a Security Intelligence article reveal that 59% of survey respondents believe "most information technology security threats that directly result from insiders are the result of innocent mistakes."

What Do We Mean by User Error?

According to IBM's "2014 Cyber Security Intelligence Index," 95% of all security incidents involve human error.

OK sure, that sounds significant enough. But how do we define that human error?

It turns out that the 95% figure is largely due to email phishing, a form of social engineering. In the report, IBM claims the most common contributor to user error is "double clicking on an infected attachment or unsafe URL."

As you can see in the first part of the following video, however, this is how we tend to think it goes down:



Hidden Layer of Social Engineering

Sure, avoiding email spam seems like a no-brainer, but what do you do when these messages aren't so...spammy? Social engineering is defined as "any act that influences a person to take an action that may or may not be in their best interest." Hackers now recognize that victims are more skeptical of what once fooled them and have adapted their tactics accordingly. While the vehicles for attacks - malicious links - and their triggers - clicking - may be the same, the ways they are executed are anything but. It's very easy to assume an email with language like "WARNING: YOUR ACCOUNT HAS BEEN COMPROMISED. CLICK HERE TO VERIFY YOUR IDENTITY. HAVE YOUR SSN AND CREDIT CARD INFORMATION ON HAND" is a hoax. That has email phishing written all over it.

No, many attacks are trickier now. Hackers understand that this is how you think of scams and gain your trust in other ways. And they're getting really good at it! Social Engineer, Inc. created an awesome infographic, sharing shocking stats about this trend. According to the research they compiled, 90% of all email is spam and viruses, with phishing representing 77% of all socially-based attacks, and the most common phishing attacks being ones that mimic banks. Bank of America isn't exactly a Nigerian prince, is it?

It is worth noting that, like user error, the meaning of phishing is constantly changing too. Attackers have realized that users may now be more skeptical of links in emails. Enter: malicious attachments. Oh, and don't stop there! Who says phishing can only be done through email? As the digital landscape extends, so does the attack surface.

It's Easy to be Fooled

Let's look at an example from Information Week Dark Reading's "The 7 Best Social Engineering Attacks Ever." In 2013, followers of the Associated Press news wire service Twitter account casually scrolled through their feed and found the following horrifying tweet:

"Breaking: Two Explosions in the White House and Barack Obama is injured"

After the tweet was live for all of a minute, the stock market began plummeting before AP quickly announced that their account had been compromised. Clearly, this is an example of the very real implications social engineering attacks like phishing can have. How was this attack launched? Staff at AP received an email that appeared credible, coming from another staffer with no neon signs of foul play. As taken from Dark Reading's article, this is how the email read:


Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Subject: News


Please read the following article, it’s very important :


[A different AP staffer]
Associated Press
San Diego
mobile [removed]


The article points out that the only red flag here is the different name in the email signature; otherwise the email looks trustworthy. Examine some of the ways the Syrian Electronic Army hacktivist group tricked these recipients. Do you always use proper grammar and punctuation in your internal emails? Observe the extra space before the colon. Doesn't the email seem more legitimate precisely because it looks like it was written in a hurry? Also, the URL isn't hidden behind anchor text and follows the subfolder URL structure of their site. Tricky, right?!
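As an added defender-side illustration (not from this article or from Dark Reading), here is a small Python check for the two indicators in an email like the one above that can be tested mechanically: a signature name that differs from the From display name, and a link whose host is not under the sender's own domain even when its path mimics the organisation's site. The message, names, address and link are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure quoted above; the names, address and
# link are placeholders invented for this example, not the real AP message.
SAMPLE_LURE = """\
From: Alice Example <alice.example@ap-newsroom.example>
Subject: News

Please read the following article, it's very important :

http://ap-newsroom.example.attacker-owned.example/news/2013/breaking-story

Carol Example
Associated Press
San Diego
mobile [removed]
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def signature_name(body):
    """First non-empty line after the last blank line, i.e. the signature's name."""
    lines = body.strip().splitlines()
    last_blank = max((i for i, l in enumerate(lines) if not l.strip()), default=-1)
    for line in lines[last_blank + 1:]:
        if line.strip():
            return line.strip()
    return None


def analyse(raw_message):
    """Return human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    # Red flag 1: the signature names someone other than the From display name.
    sig = signature_name(body)
    if sig and display_name and sig.lower() != display_name.lower():
        findings.append(f"signature '{sig}' differs from sender '{display_name}'")
    # Red flag 2: a link host outside the sender's domain (path mimicry is ignored).
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append(f"link host '{host}' is outside '{sender_domain}'")
    return findings
```

Run `analyse(SAMPLE_LURE)` to see both findings; a message whose signature matches the sender and whose links stay on the sender's domain returns an empty list.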

This is just one example of sophisticated social engineering contributing to user error, but the possibilities are endless. The hacktivists gained access to AP's Twitter handle when the staffers clicked that link, but who knows what other personal information they could have obtained had they tweeted a different malicious link from that hacked account? The Associated Press has 5.21 million followers, just to put things in perspective.

How MSPs Should Respond

At the end of the day, risk mitigation all comes down to proper end user education. You may already have security awareness programs in action, but perhaps it's time to dive deeper. Yes, careless behavior is a very real threat to data security, and many of your end users may not know how dangerous their actions can be. I'm familiar with that MSP and IT technician facepalm moment that happens as a result. It's frustrating, but addressing these vulnerabilities is absolutely necessary.

But some user error isn't that simple to prevent when malicious forces are constantly at work, targeting even technologically savvy clients. It's not enough to tell clients not to do something. You have to explain how these cybercriminal processes work so that they can become more critical and cautious end users. Don't assume they know. They likely don't. Lastly, make these trainings regular. Holding a security training program as part of your client onboarding process is a good first step, but you have to follow up because 1) cybercrime is constantly changing, as are its methods of attack, and 2) do you remember everything you first learned when you joined your company?
