What does the U.S. Department of Defense have in common with local town councils spread out all over the United Kingdom?
On any given day, both are under siege, on the receiving end of withering cyberattacks. For instance, on a daily basis the Department of Defense detects and repels around 36 million malware-laden emails sent by a motley assortment of hackers, terrorists and foreign adversaries.
If it keeps up (and there’s no indication that the barrage will stop), the Pentagon will be sent 13 billion weaponized emails in 2018. This stunning metric was recently disclosed by David Bennett, director of operations for the Defense Information Systems Agency, in an address to the Armed Forces Communications and Electronics Association.
Meanwhile, a study released by the advocacy group Big Brother Watch reported that 395 local councils in the UK received an average of 19.5 million cyberattacks a year during the four years surveyed. That’s about 37 cyberattacks every minute, the vast majority in the form of email phishing attempts.
Criminal hacking continues to be on the rise, and social engineering is still the predominant way networks are breached and disrupted.
Humans continue to be the weakest link in any security protocol. Because of that, tricking an individual into assisting in a network breach is still the most effective hack around.
The constant flow of phishing email at the Defense Department came as no surprise to Patrick Peterson, founder and executive chairman of messaging security firm Agari, which helps federal agencies deflect phishing campaigns.
Peterson says spoofing a federal agency or trying to infiltrate one remain the top two strategies phishing operations employ.
“More than one-in-ten emails sent on behalf of the government is fraudulent and nearly 90 percent of federal domains have been targeted by spoofing attacks,” Peterson says. “The only vertical that fares worse is healthcare.”
The goal is simple. Lure a potential victim into opening a malicious attachment sent via email, or trick them into clicking a link that lands them on a booby-trapped webpage. Spearphishers are more methodical; they first profile their targets, then send them refined messages that often don’t even carry a malicious payload.
Instead, the spearphisher’s art is to cajole the recipient into taking steps that achieve the desired result. So-called Business Email Compromise (BEC) scams are 100 percent social engineering (i.e., trickery). A one-off message is sent to a specific employee at an opportune moment, tricking the victim into wiring funds into an account controlled by the scammer. The FBI estimates BEC scams have resulted in losses of more than $5.3 billion since 2013.
Likewise, the theft and selective public outing of the Democratic National Committee’s emails by Russian hackers meddling in the 2016 U.S. presidential election revolved around a few targets that gave hackers deep access to the DNC’s databases.
Human gullibility, along with our propensity to overshare online, remains hackers’ go-to vulnerability. “When an attacker combines knowledge of its target with timely, relevant information in a targeted phishing email, it’s only a matter of time before someone falls victim to the phish,” says Mounir Hahad, head of threat research at Juniper Networks. “One of the lowest barriers to entry is email.”
By that measure, the relentless campaign to break into local government systems in the UK seems perfectly logical. Data is a fungible asset. Valuable data is routinely collected and stored – but not terribly well guarded – by British local authorities. That’s an attractive target for hackers.
Sensitive data generated on behalf of public officials and ordinary citizens can be monetized in many different ways. Fraud scheme variants are endless. And the use of stolen data to manipulate public sentiment and voting, as we now know thanks to the last presidential race, is on the rise.
The Big Brother Watch study found British local authorities were subjected to at least 98 million cyberattacks between 2013 and 2017. About one-third of the local authorities – 114 of them – experienced at least one cyber security incident. Stunningly, more than half of those councils admitted that they chose not to disclose the breach publicly.
What’s truly disheartening, however, is the finding that 297 authorities, or 75% of the British councils, admitted to not providing mandatory training in cybersecurity. These inconsistencies are not unique to the UK. They hold true for small and mid-sized organizations across the board.
It should not be this way. Too few organizations are realizing the benefits of embracing cyber incident response planning, and not enough have implemented effective, recurring employee training. These are baby steps; in today’s environment, organizations of all sizes and in all sectors should be taking them. It’s high time to pick up the pace.