It’s a simple con trick – but we keep falling for it.
Back in the mid-1990s, the word “phishing” popped up in an AOL forum to describe a basic email scam.
Dupe people with something that looks more or less authentic and they’ll click a link that installs malware on their machine or allows hackers through the virtual door to wreak havoc.
Over time, the simple scam has become ever more sophisticated and subtle – to the point where even experts find it hard to tell the authentic and bogus apart.
Intel-McAfee asked 100 cyber security professionals to take a test but they fell short, and not just a little short, a long way short. Only six of the experts managed to separate the bonafide emails from the bogus ones.
Most of the other experts could only identify six or seven out of 10 emails as being fraudulent or suspicious.
So if 94 out of 100 so-called experts were fooled even when they knew what to look for – what hope is there for us, the non-expert?
The impact on the workplace is severe
According to a PWC survey conducted for the UK government, half of the worst security breaches suffered by British businesses last year were caused by “inadvertent human error”.
And as email has become a primary route to break into businesses, we need a system that’s much better at judging digital risk than the human brain.
Say hello to behavioural biometrics
Last month Google’s head of advanced technology projects said that behavioural biometric authenticators would be applied to its Android mobile platform next year.
In plain English that means your mobile device could look at your location, your Wi-Fi network, the time – and even how quickly you were typing – to calculate risk based on your known patterns of behaviour.
Your “trust score” would vary depending on what you were trying to do at any given moment. The operating system might then decide to limit your access to a financial app or a gambling app even, but in the same circumstances allow access to a social media app. In other words, it would do more than nudge you in the right direction. It would actively prevent you from accessing apps or other software perhaps that it considered might facilitate risky behaviour.
It’s elementary my dear Watson
Meanwhile, IBM is starting to teach its supercomputer, Watson, about cyber security. In February 2011 Watson hit headlines around the world for beating two all-time human champions at the American quiz show Jeopardy.
It was the perfect demonstration of Watson’s ability to surpass the human brain in unravelling answers from disparate and seemingly unrelated fragments of information. Watson’s accomplishment was all the more astonishing precisely because it appeared to show a solid grasp of the idiosyncrasies of human language: puns, metaphor, similes, euphemisms and riddles.
This was the beginning of the era of cognitive computing: machines built to interpret, learn and apply that knowledge to solve complex problems.
Eighty per cent of information online is “unstructured” – a tangled mess of knowledge in different formats and places, from news or scholarly articles to blogs and eBooks. Cognitive computers are trying to make sense of that jungle of data and detect previously unseen – and perhaps previosuly undetectable – patterns and connections.
Forget winning Jeopardy; that was just a stepping stone – albeit an almighty one – today, Watson is drawing on IBM’s two decades’ worth of cyber security research and a library containing the details of eight million spam and phishing attacks and tens of thousands of other known vulnerabilities. Further, eight universities in the US and Canada have been enlisted to help build its knowledge of cyber threats and tactics.
Watson is becoming Holmes, learning how to detect identify and address cyber-threats when traditional tools like firewalls and antivirus are struggling to stay up to date.
Computers are conned too
Humans aren’t the only ones that cyber-criminals can trick. Computers aren’t perfect at spotting suspicious emails or malware: “misidentification” happens to man and machine.
According to the Ponemon Institute’s 2015 Cost of Breach Study: Global Analysis, malicious attacks can take an average of 256 days to identify. Data breaches caused by human error take an average of 158 days to identify.
Two-thirds of the time IT staff spend dealing with security alerts is spent on false-positives or false-negatives. So time is wasted on misidentification of a potential threat.
What we need is something much faster and more accurate at detecting threats and dealing with them: something faster and smarter than what’s already available.
While we wait for faster and smarter, the costs will continue to rise. According to a UK Government-backed report last year, the “starting point” for a large business to recover from a security breach – counting the cost of business disruption, lost sales, recovery of assets, and fines and compensation – is now £1.46 million. Small businesses fare a little better, for them it’s a mere £75,000 but neither business can afford the expense or the time or damage to their brand.
We need more Watsons, today
Think of the forthcoming wave of cognitive computers, like Watson, as the smartest assistants you’ll ever have.
They’ll know your working habits (and probably your personal ones too), your quirks and patterns of behaviour well enough to spot when something’s out of the ordinary and whether that’s nothing to be worried about or something to pay closer attention to.
They’ll never have an off-day, or perform below par. But they’ll also have unprecedented knowledge. If something has been published about cyber security at any point – from a blog to a PhD thesis – they’ll know about it and incorporate it into their bottomless databank. And they could apply that knowledge to what’s going on in the world, or your world, today – and even what’s happening right now.
What will be the long-term impact of cognitive systems like Watson and Google’s behavioural biometric analysis? For one, cyber-criminals will “find the payoffs to be harder and harder to achieve.” But for you? Well, you’ll have more time to focus on the work that matters – and less time worrying about whether or not you’re going to make a silly mistake.
Mike Foreman is a veteran of the cyber-security industry and European Managing Director of Nuro Secure Messaging: an enterprise instant messaging app with military grade security.