100 cyber security professionals were asked by Intel-McAfee to look at a selection of real and fake emails and separate the two. Something you’d think they, as experts, would be highly capable of.
However, the results were shocking.
Only six of the experts got them all right. Most of the experts could only identify six or seven of the ten emails correctly. If that’s the best the experts can do, what hope, you might say, is there for us “normal” folk?
This one-in-three chance of letting a fake email slip through your defences explains why email phishing has proved to be an evergreen criminal tactic. And one mistake is all it takes to open the virtual door to malware or hackers. In the 20 years since they first emerged as a threat, phishing emails are still persuading people to click away their personal data or download malware.
And the costs of a data breach show no sign of falling. According to a UK government-backed report last year, the “starting point” for a large business to recover from a security breach – counting the cost of business disruption, lost sales, recovery of assets, and fines and compensation – is now £1.46m.
Small businesses might face smaller costs, a mere £75,000, but that may still cripple their finances if not their business entirely.
The same research also makes clear who is to blame: “inadvertent human error”.
It appears we are making honest but elementary mistakes. When it comes to identifying and dealing with digital risks, the human brain is clearly falling short and in need of some assistance.
But are computers any better?
It seems not. Computers aren’t perfect. They can’t identify every fake email – some slip through the net. Many traditional cyber security tools take a long time to correctly identify a data breach.
Malicious attacks can take an average of 256 days to identify, according to the Ponemon Institute’s 2015 Cost of Breach Study: Global Analysis. Meanwhile, the data breaches caused by human error take an average of 158 days to identify. The words horse and bolted spring to mind.
Two-thirds of the time IT staff spend dealing with security alerts is spent handling false positives or false negatives. Incorrectly identifying a potential threat is a waste of precious business time and resources.
What’s needed is a faster, more accurate way of identifying threats and dealing with them. We need something faster and smarter than the technology that’s already in play. We also need something smarter than we are.