Q&A with AI Part II: The Time Cybersecurity Takes…

Aug 11, 2023 | Cybersecurity

“The Q&A with an AI Series” was inspired while working with an AI on cybersecurity. The team at Drip7 wanted to know what AI “thought” about certain issues and the information it would gather if asked a more conversational question. What resulted, instead of being turned into an “article” that anyone would claim credit for creating, has inspired a version of “Ask Miss Manners” but with an AI about cybersecurity. We at Drip7 hope you enjoy the humor of asking technology about technology and getting feedback to help improve cybersecurity from the same tool that is making the job of cybercriminals easier.

Drip7 Asked: One of the biggest weaknesses of cybersecurity systems is time. Social engineers use it against targets to get them to comply with requests that violate company policies. Companies often don’t allocate enough time to tasks to include adequate cybersecurity practices. And employees are already overworked and lack sufficient time to properly go through all the steps to fully follow cybersecurity best practices. How can I help organizations see this issue, and what can I suggest to them to improve it?

AI Answered: To help organizations see the issue of time as a weakness in their cybersecurity systems, you could present them with concrete examples of how social engineers have successfully exploited this weakness in the past. You could also show them statistics and reports that illustrate how much damage can be done in a short amount of time when cybersecurity practices are not followed.

To improve the situation, you could suggest the following:

1. Providing regular cybersecurity training sessions for employees that include time-saving tips and best practices. This can help employees become more efficient with their time while still adhering to cybersecurity guidelines.

2. Encouraging the use of automation and other technological solutions to help reduce the time and effort required to complete cybersecurity tasks. For example, implementing two-factor authentication or password managers can help employees save time while still keeping their accounts secure.

3. Making cybersecurity a priority at the highest levels of the organization. By showing a commitment to cybersecurity, senior leadership can set the tone for the rest of the organization and help ensure that employees have the time and resources they need to properly follow best practices.

4. Conducting regular assessments of the organization’s cybersecurity posture to identify areas where time is being wasted or where processes can be streamlined. This can help identify areas where changes can be made to save time without compromising security.

By taking these steps, organizations can better allocate time to tasks that include adequate cybersecurity practices while still allowing employees to be efficient in their work.

Drip7 Asked: Ok, so give me some concrete examples of how social engineers have successfully exploited this lack of time via a sense of urgency.

AI Answered: Social engineers have used a sense of urgency to manipulate individuals or groups into performing actions that they would not have otherwise done. Here are some concrete examples of how social engineers have successfully exploited this lack of time via a sense of urgency:

1. Phishing Scams: Phishing scams are a common tactic used by social engineers to obtain sensitive information such as login credentials or credit card details. In many cases, these scams involve creating a sense of urgency by posing as a trusted source such as a bank or government agency and urging the victim to take immediate action to avoid consequences such as account closure or legal action.

2. Tech Support Scams: Tech support scams involve the social engineer posing as a technical support representative and claiming that the victim’s computer or device is infected with a virus or malware. The scammer then creates a sense of urgency by urging the victim to download software or provide remote access to their computer to fix the problem immediately.

3. Impersonation Scams: Impersonation scams involve the social engineer posing as someone the victim trusts such as a friend, family member, or colleague. The scammer then creates a sense of urgency by claiming to be in a dire situation and urgently needing financial assistance.

4. Social Media Scams: Social media scams involve the social engineer posing as someone the victim knows or trusts and requesting urgent assistance. For example, a scammer may create a fake profile and pose as a friend or family member in distress and urgently requiring financial assistance.

5. Ransomware Attacks: Ransomware attacks involve the social engineer infecting a victim’s computer with malicious software that encrypts their files and demands payment in exchange for the decryption key. The attackers create a sense of urgency by setting a deadline for payment and threatening to permanently delete the files if the victim fails to comply.

These are just a few examples of how social engineers have exploited a sense of urgency to manipulate individuals into performing actions that are against their best interests. It is important to remain vigilant and skeptical of urgent requests or demands for action, especially when they come from unknown sources or involve sensitive information.

Drip7 Asked: Alright, those are good. What are some statistics and reports that illustrate how much damage can be done in a short amount of time when cybersecurity practices are not followed?

AI Answered: There have been numerous incidents in recent years that illustrate the damage that can be done in a short amount of time when cybersecurity practices are not followed. Here are some statistics and reports that highlight the severity of the problem:

1. The average cost of a data breach: According to a report by IBM Security, the average cost of a data breach in 2020 was $3.86 million, with an average time to identify and contain a breach of 280 days. This represents a significant financial and reputational cost to organizations that experience a breach.

2. The rise of ransomware attacks: Ransomware attacks have become increasingly prevalent in recent years, with the average ransomware payment increasing from $5,000 in 2018 to over $170,000 in 2020, according to a report by Coveware. Ransomware attacks can cause significant disruption to business operations and result in the loss of sensitive data.

3. The impact of phishing attacks: Phishing attacks remain a significant threat to organizations, with 88% of organizations worldwide experiencing a spear-phishing attack in 2019, according to a report by Barracuda Networks. These attacks can result in the theft of sensitive data or financial losses for both organizations and individuals.

4. The cost of cybercrime globally: A report by Cybersecurity Ventures estimates that the cost of cybercrime globally will reach $6 trillion annually by 2021, up from $3 trillion in 2015. This represents a significant financial burden on both individuals and organizations and highlights the need for robust cybersecurity practices.

5. The impact of unpatched vulnerabilities: A report by Tenable found that 77% of vulnerabilities had a known patch available at the time of exploitation in 2020. This highlights the importance of promptly patching known vulnerabilities to prevent cyberattacks.

These statistics and reports illustrate the significant damage that can be done in a short amount of time when cybersecurity practices are not followed. It is critical for organizations and individuals to prioritize cybersecurity and take steps to mitigate the risks associated with cyberattacks.

You can read all of the parts of this series here:

Q&A with AI Part I: Measuring the Effectiveness of Cybersecurity Awareness Programs
Q&A with AI Part II: The Time Cybersecurity Takes…
Q&A with AI Part III: The Trouble with Phishing…

References:

  1. Due to the AI’s limited access to current statistics, the Human looked up the current stats. In 2022, the average cost of a data breach in the US, according to IBM, was $9.44 million, unless you’re in healthcare, and then it’s $10.10 million. https://www.ibm.com/reports/data-breach
  2. According to Astra, in 2023, ransomware accounts for 10% of breaches with an average cost of $1.85 Million. They estimate a ransomware attack will occur every 2 seconds by 2031. https://www.getastra.com/blog/security-audit/ransomware-attack-statistics/
  3. “50% of organizations analyzed were victims of spear phishing in 2022, and a typical organization received 5 highly personalized spear-phishing emails daily.” Spear phishing attacks make up only 0.1% of attacks but are responsible for 66% of breaches. https://blog.barracuda.com/2023/05/24/2023-spear-phishing-trends/
  4. “The global annual cost of cybercrime is predicted to reach $8 trillion annually in 2023,” with 80% of cybercrime coming from phishing attacks. https://www.getastra.com/blog/security-audit/cyber-crime-statistics/
  5. These data points are still the most recent and cited, but this remains a massive risk.
