Why inertia and disinterest are the internet criminal’s best friend

You’d think that two of the biggest tech companies in the world would have a tight guard when it comes to cyber security.

And yet, between 2013 and 2015 a Lithuanian man was able to steal more than $100 million from Google and Facebook.

How? By emailing them and asking for it.

Evaldas Rimauskas set up a fake business and sent phishing emails to employees at the tech giants, pretending to work for a Taiwanese firm that was doing business with both companies at the time.

Forged invoices, convincing emails, and well-targeted attacks on employees used to authorising big transactions were among the ingredients for this successful sting.

Hackers target people, not tech

The truth is, most cyber scams don’t have much to do with the nuts and bolts of technology. 

Knowing how a virus spreads through your network isn’t going to stop it getting there in the first place. And it wouldn’t make you any less susceptible to becoming a victim, which is why you see hackers taking on everyone from the world’s biggest tech companies, to power plants, governments, and thousands of small businesses every year.

Hackers target people. They persist until those people make a mistake. And people make the most mistakes when they get complacent.

Attacks like the one that worked on Facebook and Google tend to be successful because they strike at the right people, in the right place, and (often with a bit of luck) at the right time.

Attacks like these depend on principles and conditions that exist in organisations of all kinds. 

Principles like ‘if your boss says something’s urgent, then it’s urgent – you don’t stop to question it.’ Even if that urgent request involves sending huge amounts of money to a phony business bank account.

These attacks don’t exploit technical security vulnerabilities. They target weak spots in the human firewall: the defences offered by employees.

Building a human firewall

You’re not going to stop hackers from attacking. But there’s plenty you can do to reduce their chances of success.

Ultimately, you need to create a culture that holds cyber awareness at its core. In practical terms, that means taking cyber threats as a serious, everyday concern. 

It means instilling habits like double-checking suspicious requests and verifying contacts, especially in the case of high-pressure, get-a-move-on situations.

But it also means ensuring employees aren’t so overstretched that they don’t have time to do the due diligence required for such requests.

Creating these habits requires embedding cyber security training and education at all levels of the business. 

Training should be accessible, interactive, and engaging. It should be held frequently and regularly – not simply as part of the induction process. 

Allowing inertia, complacency, and apathy to set in is a sure way to weaken your human firewall – and to make life easier for hackers.

The hacks you don’t hear about

Of course, Rimauskas was caught. And, embarrassingly for Facebook and Google, the world heard how easy he’d made it look.

The horror stories of hundreds of millions of dollars being stolen are the ones that keep CEOs and IT staff up at night. But clearly they’re not enough to stop people from being complacent about their cyber safety.

The stories you don’t hear are the ones in which employees did the due diligence, and ignored or deleted phishing emails. 

Admittedly, those tales are far less juicy. But we should be talking more about good cyber hygiene, and how to spot a fraud when they come knocking at your inbox. 

Conversations like these form the foundation of the human firewall, cementing awareness in everybody’s minds, and bolstering vital everyday defences.