Although online communication had already covered the various aspects of inter and intra-organisational communication, it is at an all-time high in 2020 due to COVID-19. The aspect that enterprises and cyber-security companies have to worry about is of cybercrimesthat can be committed through this huge interconnected communication network. And above all, email communication is the one that remains at a position of maximum risk as it also contains the most sensitive and significant information about individuals and businesses.
According to reports from Mimecast and year-after-year State of Email Security Reports, 74% Saudi-Arabian businesses and 73% Oil & Gas industry leaders across the globe believe that they are susceptible to an email-borne attack this year. The reason for such believe is that the Oil & Gas industry is one of the major sources of global income generation and they are most likely to be targeted by cyber-criminals.
Here is a detailed assessment of the security risks to email security in 2020.
- Cloud Susceptibility –Cloud susceptibility or cloud vulnerability constitutes of four different aspects: Misconfiguration, Poor Access Control, Shared Tenancy Vulnerabilities, and Supply-Chain Vulnerabilities. Misconfigurations are the most common vulnerabilities as they are self-inflicted. These often happen because of lack of training and/or understanding. On the other hand, poor access control vulnerabilities happen because of weak authentication and/or authorisation processes. However, shared tenancy vulnerabilities are quite rare due to being complex in nature. Cyber-criminals who are able to determine the software and hardware used in a cloud architecture can take advantage of specific loopholes. Nonetheless, this is not an easy task as it requires an extremely high level of skill to accomplish.
Lastly, supply-chain vulnerabilities are also quite rare and sophisticated in nature and are not within the reach of average hackers. Although such attacksare the responsibility of the cloud service providers,in any case, businesses have to ensure that they have a good cyber-insurance that’ll cover the losses in case of any mishap.
- Cyber-Threats Backed by AI–AI is rapidly becoming an integral part of a range of email security services and systems. However, at one point where security systems and software use AI for improving their capabilities, the same AI can also enable hackers to bypass security shields and firewalls of your email security. Cyber-criminals can use the machine learning capability of AI in their favour and produce false identities. And not to forget threatssuch as AI Fuzzing (AIF)and Machine Learning Poisoning (MLP). While AIF allows enterprises to detect and resolve vulnerabilities on their end, it can also enable hackers and cyber-criminals to initiate and automate attacks.High-end machine learning programs are quite capable.So much so that they can understand the pattern of time-delay while typing passwordsbetween each key and estimate the right password. This, however, takes some time, but when it recognises different types of patterns, the email account remains at high risk.
- DeepFake –These are high-quality fake videos and images that are often cultivated with the help of AI-based deep learning. Theseare weaponised images and videos that can potentially damage a person’s image, affect business relations and even cause them to take erratic business decisions. And this is not it! Deepfake technology can create high-quality fictional images and audio from scratch,making it a severe security threat to the security systems that use voice recognition and facial recognition as their primary methods of authentication and/or authorisation. Along with that, cyber-criminals can also use deepfake to disrupt industrial segments such as media, entertainment, finance and even public elections.And the technology being readily available, anyone from amateur enthusiasts to professional cyber-criminals can make use of it.
- Social Engineering Attacks – These are the worst kind of cyber-attacks as most cyber-criminals who use such techniques often rely on their interpersonal communication abilities to talk people out through a trap and extract important information. Social engineering attacks can range from simple bait emails to fear mongering or impersonation to whom the target interacts quite frequently such as a colleague or a bank teller. Apart from baiting, social engineering cyber-attacks can also happen in the form of scareware, pretexting, phishing and spear phishing. And among all, spear phishing has better success rates as professional cyber-criminals spend weeks and even months in planning and executing such attacks.
Here is a social engineering attack life cycle that’ll help you better understand its approach and modus operandi.
Step (1) Investigation – Identify the target, gather background info, choosing the right method
Step (2) Hook– Engage the target, spin a story/create fear/curiosity, take control of the communication
Step (3) Play–Execute the attack, disrupt the business/ask for ransom
Step (4) Exit–Achieve the objective, cover tracks/traces of malware, bring the situation to an end
Conclusion: The technology is evolving and the threat of data breach and hacking along with it. Entrepreneurs have to keep in mind that as the technology keeps evolving it will present new avenues for cyber-security services companies so that they can opt for stronger security measures. However, cyber-criminals also use the same technology that will keep the cyber-security service providers on their toes.