While global spending on cybersecurity is expected to reach an incredible $124 billion this year, there’s still a 60% risk that your company will get hacked. And it won’t come cheap: The average cost of a single successful attack is a whopping $2.4 million. Considering the amount of money thrown at this problem, how is it possible that this cybersecurity crisis remains unsolved?
The devil is in the details, but so are the answers: Of the money companies spend on cybersecurity, only a tiny fraction goes into staff training that can turn employees into a crucial pillar of digital defense. So far, that pillar remains awfully fragile, even though more than 90% of all cyberattacks start with a simple email directed at staff. From ransomware to key loggers and secret backdoors that give criminals access to internal data, it often comes down to the average office worker to know which email to ignore and which attachment to skip.
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.” (Kevin Mitnick)
Two other trends are contributing to this crisis, because they render traditional anti-virus scanners and other software solutions increasingly useless: (1) a spike in attacks that don’t require victims to download any malicious file, because hackers exploit vulnerabilities in software that is already installed on the computer, and (2) a shift from mass phishing to highly targeted spear phishing attacks. Around 77 percent of the attacks accounted for in a 2017 study were “file-less”, meaning they did not need the recipient to download anything; a simple click on a malicious link was enough. The rise of spear phishing also means that malicious emails have become more difficult to identify, both for humans and for the software solutions that claim to protect us. More than 70% of the criminal groups staging cyberattacks use spear phishing to trick their victims.
Where does all of this leave us? Every day, millions of corporate teams handling highly valuable information are targeted by sophisticated attacks that easily evade the expensive technical solutions that are supposed to stop them. Surveys suggest the majority of employees are vastly undertrained, receiving little support to help them make the right decision where virus scanners, firewalls, and spam lists routinely fail. Perhaps the best remedy is to invest as much in your staff as you invest in your technology, possibly even more. A capable trainer who can help turn human vulnerability into the first line of defense will cost only a fraction of what will be wasted once a single hacker gets his way.