Tag Archives: anthem

The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in the event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.

See also: Quest for Reliable Cyber Security  

The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in peoples’ everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card-not-present (CNP) fraud leaped by 40% in 2016, while point-of-sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards
  • Add a website grader to your browser to avoid malware
  • Enroll in ID theft coverage with your bank, insurer or employer — it could be free or surprisingly inexpensive
  • Get and use a password vault so you can create and use hard-to-guess passwords
  • Be knowledgeable about common cyber scams
  • Add a verbal password to your bank account login and set up text alerts for unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.

See also: Cybersecurity: Firms Are Just Sloppy  

NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

Health Startups Go After 3 Pain Points

In my last post, I outlined the four dimensions that are defining the opportunities for health insurtech innovation: the health of the American people, marketplace trends, the role of regulation and the players.

Incumbent health insurers are pursuing legacy tactics to compete in the ACA world. Big M&A deals have been approved (Centene/Healthnet) or face regulatory challenges (both Aetna/Humana and Anthem/Cigna). Many are increasing premiums. Others are leaving the public exchanges (notably, United Healthcare withdrew earlier this year, and Aetna just announced its withdrawal from 11 of the 15 exchanges).

Innovators addressing the root of user pain points can influence how plans are selected and healthcare is consumed. The levers are not easy to move. Success requires compliant ways of combining big data analytics and personalization with user-centric digital experiences.

The headline of a recently published New York Times article, Cost, Not Choice, Is Top Concern of Health Insurance Customers, would seem to state the obvious. Yet insurers have expressed surprise at the policy mix and which plans are proving to be most popular. Carriers participating in the public exchanges report poorer actual performance than anticipated in premiums (lower) and claims (higher). Users are gravitating toward lower-cost plan options and show a trend to self-select into higher-cost plans when they know a big health care expense looms.

This is not just an issue for incumbents. Oscar, among the most visible innovators in the US health insurance marketplace, reported a $105 million loss in 2015. Lack of scale is a challenge, but the company has also been affected by the user decision-making dynamics affecting established carriers.

See also: Matching Game for InsurTech, Insurers  

The results suggest (at least) three pain points:

1. People don’t see value because they don’t understand what they are buying.

  • When people think something is too expensive, it is because either they cannot afford it (i.e., it really is too expensive) or the perception of value does not justify the price.
  • Reportedly, one in seven employees does not understand the benefits being offered by employers, of which health insurance is by far the biggest piece.

2. People are being held accountable for health decisions that they are not equipped to handle.

  • Faced with a complex set of choices and opaque information, it is no surprise that many go for the easy option: saving money now.

3. People don’t always make rational decisions.

  • A basic primer in behavioral economics will tell you that emotion, bias and other limitations — not rational analysis — drive decisions and that people discount perceived upside relative to downside. There is not enough upside to pay more in the short term.

Players who manage to affect these behavioral drivers stand to gain. Here are examples of companies working the issues.

Connecting disparate sources of data

PokitDok creates “APIs that power every health care transaction.” They aim to enable data connectivity across the silos that in today’s world require manual navigation. They define an ecosystem including Private Label Marketplaces, Insurance Connectivity, Payment Optimization and Identity Management. The company closed a $35 million B round last year. PokitDok is a pure technology play. Achieving their vision could be the “holy grail”: better economics and better patient experiences and outcomes without owning underwriting risk.

Helping employers

It hasn’t been lost on the startup world that 150 million employees purchase health care via employers, which is why many companies are focused on improving the benefits buying experience and promising to help employers lower costs. The ACA requires that all companies with more than 50 employees offer health insurance. This aspect of the regulation, coupled with the fact that health benefits expense has risen steadily, provides a specific and large innovation space.

Competitors include:

Lumity, which reported raising $14 million last fall, acts as an insurance broker. The company claims to be “the world’s first data-driven benefits platform for growing businesses,” promising to simplify benefits selection for employers and employees. Employees are asked to provide health data, which are compared with aggregate profiles using proprietary algorithms. The big question: Will employees see enough benefit to share potentially sensitive information?

Zenefits, recovering from widely publicized regulatory issues, has new leadership. The company acts as a broker and focuses on small businesses.

Collective Health is targeting a wide range of businesses via “ready-to-go,” “configurable,” and “advanced” solutions. The employee experience components of the offering are aimed at helping users make better-informed decisions with less hassle.

SimplyInsured aggregates health insurance plan options for small businesses to make comparisons easier, and aims to automate processes presumably essential to creating a viable cost structure for serving this segment.

See also: InsurTech Need Not Be a Zero-Sum Game  

A number of benefits consultants including Aon and Towers Watson (the latter via their acquisition of Liazon in 2013) offer larger employers private exchange capabilities – these include portals for employee benefits enrollment enabled by data analytics and a friendly user interface. They act as or engage brokers to create benefits plans tailored to employers’ goals. Such portals can be helpful to employees, and check a box for employers seeking to improve the benefits experience, not just reduce expenses.

Health Advocate, founded in 2002, is the largest example of a relatively new industry positioned to help patients navigate an increasingly complex system towards the right care and reimbursement. The question being raised around these solutions – although as the de facto advocate within my own family I’d love to have a professional advocate to whom I could outsource – is whether they are a workaround adding yet another layer of expense to an industry that earns among the worst customer satisfaction scores of any. As an employer, however, it’s a benefits option that could be valuable given the stress of managing the health care process many employees undergo.

Motivating people to adopt healthier habits

Vitality, reported on in an earlier post, is a cobranded platform offering deals and rewards designed to motivate people who take steps towards better health. Hancock offers the HumanaVitality program, integrating Vitality’s rewards program into the insurance relationship. If people see a near-term benefit to behavior change, this could be a good use case upon which to build.

Facilitating patient payments to providers

Patientco is a “payments hub” supporting “every payment type,” “every payment method,” “every payment location.” The focus is on efficiently increasing revenue for providers and, secondarily, on improving the payments experience for patients. The company provides the ability to integrate its solution with other health technology solutions.

Providing better experience capabilities to carriers

Zipari is a customer experience and CRM platform providing a product suite including enrollment, billing, and a 360-view of members across engagement channels. The company targets its product line at insurers, both direct-to-consumer and group or employer channels.

See also: Be Afraid of These 4 Startups

The multiple miracles that would have to occur for a quick fix make it unlikely that we will see a simple, logical health insurance experience any time soon. We are relatively early in what is likely to be a long game. But, insurtech innovators and even more mature companies operating within and around the sector are demonstrating the capacity to go after the possibilities that data, technology and the ability to see creative solutions offer to mitigate the pain.

Dark Web and Other Scary Cyber Trends

We have all heard the continued drum beat regarding hacking. Anthem, Sony, Target, Home Depot, Experian and various government and military branches have all been hacked and have received their fair share of negative press. In each case, people were harmed, leaders were fired, brands were damaged and no one was really surprised.

I am not a singularly focused cybersecurity expert, but I have been up to my neck in tech for 30 years and have a knack for seeing emerging patterns and macro trends and stitching those together to synthesize consequences and outcomes. In the case of the Dark Web, none of that is good news; the emerging patterns should worry us all. As English historian (1608-1661) Thomas Fuller wrote, “Security is the mother of danger and the grandmother of destruction.”

See also: Best Practices in Cyber Security

Below is my list of the “Top 10 Scary Macro Cyberthreat Trends” –and this is still early days for them.

1. The Dark Web Pareto 

Over the last decade, the hacker population has gone from 80% aficionados/hacktivists/deep-end-of-the-pool techies and 20% professional criminals to 80% professional criminals and 20% “other.” To be clear, by “professional criminal” I mean organized criminals who are there for the money, not just someone who broke the law.

2. “Lego-ization” of the Dark Web

Over the last few years, technology in the Dark Web has shifted from intricate, end-to-end hacks to a marketplace where one merely assembles “legos” that are commercially available (albeit inside an anonymized criminal environment). People can buy not just tool kits with instructions but also “lego-ized” services such as illicit call center agent time for more complex criminal activities, such as getting access to someone’s bank account. Parts of the Dark Web look like IKEA without the assembly difficulty or the inevitable leftover parts.

3. The Dark Web embraces the capital-lite approach

Of course, the Dark Web has embraced the cloud-computing model for the reasons we see in the enterprise world. What this means to the criminal hacker or, more likely, hacker organization, is that they can now go asset-free and rent the assets they need when they need them.

For example, there are services for running a few hundred million password permutations in less than an hour for a few hundred dollars. Hackers no longer need to infect a massive number of computers to fire up a denial-of-service attack; they can simply rent time on a botnet, a massive number of “hijacked” computers up for sale in the Dark Web. Most companies still do not have a botwall to deflect bots.

Gameover ZeuS is a massive example of a botnet with one variant able to generate 10,000 domains a day with more than three million zombie computers — just in the U.S. Botnets are sometimes referred to as “zombie armies” (surely there’s a TV series in there somewhere.) The Bredolab botnet may have had as many as 30 million zombie computers.

See also: Demystifying “The Dark Web”

4. Clandestine versus brazen 

The bragging rights for revealing a hacking “accomplishment” were once a hallmark of this space. Over the past decade or so, that factor has greatly diminished. The criminal enterprise would like nothing more than to go unnoticed. The recent massive Experian hack only came to light after the Secret Service let Experian know some of its stuff had been found for sale in the Dark Web. Focusing on avoiding detection by adopting smarter methods, targets, distribution models and revenue capture is better business and is in line with a longer, sustainable view of profit. None of the criminal organizations have boards of directors that pressure them to hit the quarterly sales and operating income figures. A hack is not a moment in time; if a hacker can go undetected, he or she can milk the hack for years. This is worrisome.

5. The total available market has grown and is target-rich 

The target space for crime connected to an IP node has grown tremendously, and so has the value of the content. The massive increase in mobile IP addresses, the online transactions we do and IP-related things like stored value cards or mileage points make a rich target for crime. It is 100x bigger than what it was just 10 to 15 years ago.

The target space’s growth is accelerating. After banking regulations on the minimum size of banks were relaxed in 1900, 2,000 banks were added in two years along with growth in the relatively new credit union sector. This increase in “target space” spawned bank robbers. The target space for Dark Web crime loves the increase in the target area and doesn’t mind that the “banks” are smaller. The number of people using the Web and the average amount of time spent on the Web continues to increase. I think with the advent of things like the Internet of Things, 5G, Li-Fi and a quantum leap in cloud computing capacity per unit cost, this increase will accelerate.

6. Small many versus big few 

Over the past decade, the trend in conjunction with the above items moved toward smaller “heists” but a lot more of them. Someone in Venezuela took $2 a month off my credit card for 18 months before it stopped. How many people would miss a dollar or two off a stored value card/account that has an auto-refill function like my Skype account does?

What sort of statistical controls would you put on your revenue flows (as a business) to even recognize that leakage? Of course, there are still big hacks going on, but a lot of those are just the front end of a B2B transaction that then sells off that big pool of hacked data to buyers in the criminal bazaar. Small, often and dispersed is harder to catch and more clandestine by nature.
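One defender-side answer to the question just raised, added here as an example (it is not part of the original article): a Python check over a constructed ledger that flags merchants charging an identical small amount month after month, the pattern behind the $2-a-month charge described above. The merchant names, amounts and the known-subscription allowlist are assumptions made up for the example; the same grouping works on a business's outgoing payments or a cardholder's statement.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real data): charges on one card over four months.
# Merchant names and amounts are invented for this example.
SAMPLE_LEDGER = [
    {"date": date(2016, 1, 3),  "merchant": "Skype",         "amount": 10.00},
    {"date": date(2016, 2, 3),  "merchant": "Skype",         "amount": 10.00},
    {"date": date(2016, 3, 3),  "merchant": "Skype",         "amount": 10.00},
    {"date": date(2016, 1, 17), "merchant": "VE-MERCH-0193", "amount": 2.00},
    {"date": date(2016, 2, 16), "merchant": "VE-MERCH-0193", "amount": 2.00},
    {"date": date(2016, 3, 18), "merchant": "VE-MERCH-0193", "amount": 2.00},
    {"date": date(2016, 4, 17), "merchant": "VE-MERCH-0193", "amount": 2.00},
    {"date": date(2016, 1, 9),  "merchant": "Grocery Mart",  "amount": 84.12},
    {"date": date(2016, 2, 11), "merchant": "Grocery Mart",  "amount": 61.40},
    {"date": date(2016, 3, 2),  "merchant": "Coffee Cart",   "amount": 2.00},
]

# Assumed allowlist of subscriptions the cardholder (or finance team) has approved.
KNOWN_SUBSCRIPTIONS = {"Skype"}


def find_small_recurring_charges(ledger, small_amount=5.00, min_months=3,
                                 known=KNOWN_SUBSCRIPTIONS):
    """Flag (merchant, amount) pairs that recur as an identical small charge in at
    least `min_months` distinct calendar months and are not an approved subscription.

    A total-spend or percentage threshold never trips on these; the check keys on
    repetition of a small fixed amount, not on size."""
    months_by_key = defaultdict(set)
    for txn in ledger:
        if txn["amount"] > small_amount:
            continue  # large charges are visible on their own; not this check's job
        key = (txn["merchant"], round(txn["amount"], 2))
        months_by_key[key].add((txn["date"].year, txn["date"].month))

    flagged = []
    for (merchant, amount), months in months_by_key.items():
        if merchant in known or len(months) < min_months:
            continue
        flagged.append({
            "merchant": merchant,
            "amount": amount,
            "months": len(months),
            "total": round(amount * len(months), 2),
        })
    # Largest cumulative leakage first
    return sorted(flagged, key=lambda f: f["total"], reverse=True)


def leakage_share(ledger, flagged):
    """Fraction of total spend the flagged charges represent; shows why a
    percentage-of-revenue control alone misses this pattern."""
    total = sum(t["amount"] for t in ledger)
    leaked = sum(f["total"] for f in flagged)
    return round(leaked / total, 4) if total else 0.0


if __name__ == "__main__":
    hits = find_small_recurring_charges(SAMPLE_LEDGER)
    for hit in hits:
        print(f"{hit['merchant']}: {hit['amount']:.2f} x {hit['months']} months "
              f"= {hit['total']:.2f}")
    print("share of total spend:", leakage_share(SAMPLE_LEDGER, hits))
```

On the constructed ledger the only hit is the $2 merchant, which adds up to about 4% of spend over four months; a control that only compares monthly totals against a budget would never surface it, which is the point of grouping on merchant and exact amount instead.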

7. Automation of the Dark Web

Timing is everything. As the Dark Web evolved into a scale-based, organized criminal environment, it leveraged modern automation from provisioning to tool sets to communications and even to billing.

Blackshades creepware is a great example of automation extending into the consumer product end. Available for $50, it has a point-and-click interface and has internalized all of the complexity and has automated hacking even for actors with very low-level tech skills. It allows the bad actor to browse files, steal data/passwords and use the camera (often relating to extortion). Blackshades infected more than 500,000 computers in more than 100 nations. A lot of the people who bought this did not have the skills to do any hacking without this kind of automation.

8. Tech getting better, faster, cheaper while talent improves

Late last year, TalkTalk, an ISP quad-play provider in the U.K., got hacked and held for ransom by four teenagers. The company estimates $90 million of cost tied to this hack, and no one really knows what the cost of the brand damage has been. There’s also a third of the company’s market cap gone, and it lost 95,000 customers. In all fairness, TalkTalk’s security was poor. The point here is that the technology in the Dark Web is getting faster, better and cheaper. At the same time, the average talent level is rising, which may not be the case in the non-criminal tech world.

There are three factors at play:

  1. Communities of collaboration and learning are becoming commonplace. Blackshades is a great example of a malicious tool with a super-low point of entry (price and tech skills) backed up by great online help and a community site.
  2. The likes of the Metropolitan Police Cyber Unit (London), the FBI, Interpol, etc. are all very effective and are continually improving organizations that stop crime and lock up cyber criminals. In some ways, this is a culling of the herd that also serves to create a positive Darwinian push on the average talent in the Dark Web.
  3. The giant upside financial opportunity of using tech skills for nefarious purposes creates a big gravitational pull that is only enhanced by recent economic and national turmoil, especially in places like Eastern Europe, Russia and Ukraine. In addition to that, state-sponsored or affiliated hackers with military-like rigor in their training can often make money moonlighting in the criminal world.

The combination of forces raising the talent level and the continued improvement of technology make for a bad combo. The Dark Web is also embracing open sourcing. Peer-to-peer bitcoin-based plays may become the next dark commerce platform.

9. The Dark Web itself

The Dark Web has evolved over the past decade or so from a foggy, barely penetrable space to a labyrinth of loosely connected actors and now to a massive, modernized bazaar thriving with commercial activity with a huge neon sign on the front door saying “Open for Business.” It is not just a bazaar, it is a huge B2B marketplace where the best criminals can resell their wares whole or in “lego-ized” pieces. Some of these criminals even offer testimonials and performance guarantees!

The Dark Web has moved from what economists call “perfect competition” to a more imperfect model trending toward oligopoly. In simpler terms, it is not a sea of malevolent individuals but, rather, the domain of organized businesses that happen to be largely illegal. These are organizations of scale that must be run like a business. This new structure will evolve, adapt and grow so much faster than the prior structure because these organizations have mission-focus and cash-flow pressures. Of course, the market forces common in a bazaar will winnow out low-value and defective products quickly, simply because word travels fast and customers vote with their wallets. 

10. The truly ugly “What’s next?” section

Like many thriving businesses, there is a tendency to move into adjacencies and nearby markets. This has already happened.

There is a lot of money in fiddling with clickstreams and online advertising flows. Bots account for about 50% of the traffic on the Internet; of those, about 60% are bad bots.

There is money to be made in transportation. One can buy fake waybills on the Dark Web to ship a crate to, say, Kiev at a fraction of the price FedEx or UPS would charge, even though the package will travel through FedEx or UPS.

Here are four emerging and even more worrisome areas that could be leveraged (in a bad way) by sophisticated, tech-savvy commercial criminal enterprises that are alive and thriving today in the Dark Web.

  • Internet of Things – It is just the beginning for the IoT. The available talent who know how to secure devices, sensors and tags from hacks and stop those hacks from jumping five hops up a network are few and far between, and they don’t normally work in the consumer and industrial spaces that make products and have decided to IP-enable them. Few boards in the Fortune 500 can have an intelligent conversation about cybersecurity at any level of detail that matters. In short, over the next few years, IoT may be a giant hunting ground. For instance, what if a hacker goes through the air conditioning control system to point-of-sale devices and steals credit card info? That is a target with a big bull’s eye on it. (That is what happened to Target.)
  • Robotics – This is a little further out, and the criminal cash flow is a little harder to predict, but IP-connected robots are a space that will grow exponentially over the next decade and be at key points in manufacturing, military and medical process flows. What is the ransom for holding a bottling plant hostage? The Samsung SGR-1 (no, not a new phone) is a thermal imaging, video-sensing robot with a highly accurate laser targeting gun that can kill someone from 3,000 yards out. The Oerlikon GDF005 is a less-sophisticated antiaircraft “gunbot” that is, in part, designed to be turned on and left to shoot down drones. These things are both hackable.
  • Biochem – What if some of the above Dark Web trends extend into this area, renting assets and expertise, point-and-click front-end designs? The bad news is that this seems to have started. 
  • The over-the-horizon worries – Nanotech, Li-Fi, AI, synthetic biology, brain computer interface (BCI) and genomics are all areas that, at some point in their evolution, will draw a critical mass of criminal Dark Web interest. The advances in these areas are at an astounding pace. They are parts of the near future, not the distant future. If you have not looked at CRISPR, google it. Things like CRISPR, coupled with progressively better economics, are going to supercharge this space. Li-Fi, coupled with 5G and the IoT (including accelerated growth in soft sensors), will create a large target space. The Open BCI maker community is growing quickly and holds enormous promise. Take a look at the Open BCI online shop and see what you could put together for $2,000 or $10,000. The Ultracortex Mark IV is mind-blowing (not literally) and only $299.

All of this is going to get worse before it gets better. This is clearly not a fair fight. This is a target-rich environment that is growing faster than almost anyone anticipated. The bad actors are progressively getting better organized, smarter and better built for “success.” Interpol, the FBI and other law enforcement agencies do great work, but a lot of it is after-the-fact.

Enterprises need new approaches to network-centric compartmentalized security. New thinking about upstream behavioral preventative design is needed for robustly secure IoT plays.

National organizations in law enforcement and intelligence need to think through fighting a borderless, adaptive, well-funded, loosely coupled, highly motivated force like those under the Dark Web umbrella. Those national organizations probably need to play as much offense as defense. Multiple siloed police and intelligence units that are bounded geographically, organizationally, financially and culturally probably will start out with a disadvantage.

This article was originally published on SandHill.com.

What Should Prescriptions Cost?

In the prescription benefit world, there seems to be surprise that Anthem filed an unprecedented lawsuit against Express Scripts, stating that Anthem has been overcharged by more than $3 billion annually over the existing 10-year contract term.

The eye-popping damages claim was certain to garner headlines as was the fact that, after months of discussions, a major health insurance company followed through on its threat of legal action against a major pharmacy benefits manager (PBM). What people should really be talking about, however, are these two key questions:

1. How did Anthem, a sophisticated health insurance company, get into this situation with a PBM?

2. Is my employer, which is not a sophisticated health insurance company, in the same boat as Anthem?

Right now, everyone is starting to question what their prescriptions really cost.

It appears Anthem may be in a position to argue over a number of issues, including ill-defined contract terms (such as “competitive benchmark pricing”) that its legal team apparently agreed to when it executed its PBM contract. One phrase within the 100-plus page contract the two companies intended to govern their 10-year agreement could potentially become center stage in this lawsuit. Anthem’s CEO has repeatedly used the word “overcharged,” which is a relatively vague term that would need to be more clearly defined and argued should this case ever go to trial (which I don’t believe it will). Neither company wants to air the details more publicly than it already has. A more sensible path—to agree to disagree and craft a financial arrangement to resolve the issue—will most likely prevail.

Ironically, 2015 year-end industry reporting shows that growth in drug spending is comparable to the other parts of the healthcare system. In fact, for many employers, increased prescription volume was a larger factor in cost escalation than actual drug price increases. This increased volume is a good sign, because increased pharmaceutical spending generally decreases overall medical spending. Employers that are willing to tightly manage their prescription drug program should be able to achieve spending increases of no more than 3.3% and as little as 0%.

However, without the implementation of a system to guarantee what you purchased and what you continue to pay, you will find yourself in Anthem’s boat — with even less leverage.

Spear Phishing Attacks Increase

Spear phishers continue to pierce even well-defended networks, causing grave financial wounds.

Spear phishers lure a specific individual to click on a viral email attachment or to navigate to a corrupted Web page. Malicious code typically gets embedded on the victim’s computing device, giving control to the attacker.

A recent survey of 300 IT decision-makers in the U.S. and the U.K.—commissioned by threat-protection solutions provider Cloudmark—found that a spear-phishing attack penetrated the security defenses of more than 84% of respondents’ organizations.

Free resource: Planning ahead to reduce breach expenses

Spear phishing continues to turn up time and again as the trigger to massive network breaches, including widely publicized attacks on JPMorgan Chase, eBay, Target, Anthem, Sony Pictures and the U.S. Office of Personnel Management.

“Criminals have achieved high success rates with spear-phishing attempts, and that success is breeding even more attempted attacks,” says Angela Knox, Cloudmark’s senior director of engineering and threat research.


Respondents to Cloudmark’s survey said that, on average, their organizations lost more than $1.6 million from spear-phishing attacks during the 12 months before the survey.

Spear phishers install malware, seek privileged access accounts and scour breached networks for confidential business plans, information about current negotiations and other valuable data. And the attackers are in a position to manipulate, disrupt or destroy systems.

Related video: CEO fraud caper nets $450,000

Attacks on banks, credit unions and professional services firms that help conduct financial transactions often focus on persuading employees to wire money to the phishers’ accounts.

“Even if the money can be recovered, it takes time and effort to recover it,” Knox says. “In one high-profile incident, a company lost $46.7 million due to email spoofing.”

Resist oversharing

One reason spear phishing persists is because people reveal a wealth of personal and behavioral data on the Internet. Attackers tap this information to profile victims and create email and social media messages crafted to appear to come from a trusted source—in a context that puts the targeted victim at ease.

The end game: Get the person to open a viral email attachment or click to a malicious Web page.
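How a mail gateway or a help-desk triage script can surface the spoofing cues this section describes, as an added example that is not from the article or from any vendor quoted in it. It assumes a small directory of trusted colleagues and domains (the names and domains are made up) and checks three things on a constructed message modelled on the wire-transfer lure: a known display name paired with the wrong address, a sender domain one character away from a trusted one, and a Reply-To that quietly diverts replies elsewhere.

```python
import email
from email.utils import parseaddr

# Assumed directory of trusted people and domains (hypothetical, not real).
TRUSTED_DOMAINS = {"example-corp.com"}
TRUSTED_PEOPLE = {"Dana Whitfield": "dana.whitfield@example-corp.com"}

# Constructed message modelled on the "wire money" lure described in the article.
SPOOFED_MESSAGE = """From: Dana Whitfield <dana.whitfield@examp1e-corp.com>
Reply-To: Dana Whitfield <d.whitfield@webmail-example.net>
To: accounts@example-corp.com
Subject: Urgent wire before 5pm

Please process the attached wire today, I'm in meetings and can't talk.
"""

# Constructed legitimate message from the same colleague, for contrast.
CLEAN_MESSAGE = """From: Dana Whitfield <dana.whitfield@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 expense report

Attached is the usual quarterly summary.
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; short enough to write inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is either a
    trusted domain itself or not close to one. 'Close' means one edit away, or equal
    after undoing the common rn->m, 1->l and 0->o visual substitutions."""
    if domain in trusted:
        return None
    normalized = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    for t in trusted:
        if _edit_distance(domain, t) <= 1 or normalized == t:
            return t
    return None


def analyze_headers(raw_message, people=TRUSTED_PEOPLE, domains=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means no spoofing cue."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. A display name we know, attached to an address we do not.
    expected = people.get(from_name)
    if expected and from_addr.lower() != expected.lower():
        findings.append(f"display-name impersonation: '{from_name}' is "
                        f"<{expected}>, message came from <{from_addr}>")

    # 2. A sender domain crafted to look like ours.
    target = lookalike_of(from_dom, domains)
    if target:
        findings.append(f"lookalike sender domain: {from_dom} resembles {target}")

    # 3. Replies routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to redirect: replies go to {_domain(reply_addr)}, "
                        f"not {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyze_headers(raw) or ["no spoofing cues found"])
```

None of these checks needs the message body or an attachment scan, which is why they are cheap to run at the gateway and useful as a prompt for the quick reporting the article goes on to recommend: a message that trips one of them can be tagged for the recipient before anyone has to decide whether to click.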

“Everyone is now a target, and users can no longer depend on spelling mistakes or random scams,” says Chester Wisniewski, senior security adviser at antimalware vendor Sophos.

Peter Cassidy, secretary general of the Anti-Phishing Working Group, an international coalition fighting cyber crime, says spear phishers in recent years have gone to greater depths in focus and planning.


“These days, it’s not uncommon to see an attack that targets specific personalities for their access within an enterprise and loads a malware payload to execute an exploit that will open a pathway the attackers are waiting for—and will use to gain access to data they prize,” Cassidy says. “Talk about orchestration! Stravinsky and these guys would have a lot to talk about.”

Employees part of solution

A primary defense is to continually train employees to be vigilant, and a cottage industry of training services and technologies has arisen in recent years to assist companies of all sizes. But even trained employees remain susceptible to sophisticated trickery.

Nearly 80% of organizations surveyed by Cloudmark reported using staff training to prevent attacks. Of organizations that test their employees’ responses to spear-phishing attacks, only 3% said that all employees passed. Respondents estimated that 16% of staff members failed their organizations’ most recent spear-phishing tests.

“Humans are flawed,” Wisniewski says. “You can never stop spear phishing entirely,” because “it is not a technical problem that can be solved.”

It’s human nature for employees who spot something wrong or who believe they may have been tricked to hesitate to report the incident. Yet quick reporting is a key to remediation. “Accidents happen, but detection and remediation are more successful the less time the criminal has to take advantage of your errors,” Wisniewski says.


This post was written by Gary Stoller.