from the so-why-do-we-need-information-sharing? dept
But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.
In fact, the real problem tends to be that people are still easily fooled by phishing emails:
In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry's term for trick emails.
And, then, of course, if the IT staff hasn't done much to secure things inside the gates, the hackers get the run of the place.
Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.
Stopping phishing is definitely a difficult problem, but it's hard to see how it's one that gets solved by giving the NSA more of our data. Of course, none of this should be new or surprising if you spend any time at all in online security realms. "Social engineering" has always been the most effective way to get into systems. But hyping up the fact that people are gullible and can be tricked into giving up their passwords isn't very sexy and doesn't get big companies and governments to shovel hundreds of millions of dollars at solutions. Freaking people out about sophisticated technology (that isn't nearly as effective) being used to launch hack attacks seems much sexier (and more profitable).