Cybersecurity Training: Plenty of Phish in the Sea.
In a world of increasingly sophisticated cyber threats, it pays to know your zero days from your APTs. Nevertheless, the growing arsenal of cyber weapons pales compared to breaches caused by another, more familiar means: human error. In this article, we offer insight into protecting your business and your hard-earned reputation.
Safeguarding against evils such as phishing scams and social engineering is as much about people as it is about tech. While not an excuse to divest from your cybersecurity infrastructure, it is a call to action to educate and empower your team.
According to an IBM Cybersecurity Intelligence Index Report, which investigated thousands of breaches in 130 countries, human error was the main contributing factor to security breaches.
‘Human error was a major contributing cause in 95% of all breaches’
Since this report, there have been various findings corroborating these conclusions. In light of this, what can be done to protect your business? In this article, we explore the measures you can take to minimise your risks and tasks you can implement to help staff navigate cybersecurity dangers.
Phishing Scams
Phishing is broadly defined as an attempt to acquire sensitive data by impersonating a customer or a trustworthy figure via email. While phishing is a scattergun approach, businesses can be targeted in a focused attack. This approach is called spear phishing.
According to a report by our partners ConnectWise, here are some of the common techniques used in phishing scams:
- Embedding links to unsecured websites requesting sensitive information
- Malicious email attachments
- Spoofing the sender address to impersonate a reputable source
Cybersecurity Training: Phishing Attack
- Don’t reveal sensitive information – never give out personal information such as passwords or financial details
- Check website security measures – a URL beginning ‘http://’ means the connection to the site is not encrypted, whereas ‘https://’ means the site holds a certificate for its domain and traffic to it is encrypted
- Be aware of website URL variations – be wary of unusual spellings of domain names, and pay close attention to whether the URL has been altered in some way to masquerade as a trusted sender
- Verify suspicious emails by reaching out directly to the business – should you receive an email requesting information, reach out through other means to verify before any transaction takes place
- Update and protect – periodically update your operating system, software and web browser. In addition, install robust antivirus and malware protection
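The URL-variation and HTTPS checks above can be automated before a link is clicked. The following is an added example, not code from the original article: it flags a non-HTTPS scheme, a near-miss misspelling of a trusted domain, and a trusted name buried under someone else's domain. The trusted-domain list is constructed for the example, and the registrable-domain helper assumes single-label TLDs.

```python
from urllib.parse import urlsplit

# Constructed list of domains the organisation trusts (assumption for this example).
TRUSTED_DOMAINS = ("example-bank.com", "example-supplier.net")

def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    # Crude: the last two labels. Assumption: two-label TLDs such as co.uk are not handled.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for a URL; an empty list means no concerns were found."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("connection is not HTTPS")
    if not host:
        warnings.append("no hostname")
        return warnings
    base = registrable_domain(host)
    if base in trusted:
        return warnings  # genuine trusted domain (possibly still served over http)
    for t in trusted:
        name = t.split(".")[0]
        # Trusted brand appears as a subdomain of, or inside, some other registrable domain.
        if name in host:
            warnings.append(f"contains trusted name '{name}' but registrable domain is '{base}'")
            break
        # A close misspelling of the trusted domain (one or two edits away).
        if edit_distance(base, t) <= 2:
            warnings.append(f"'{base}' is a near-miss for trusted '{t}'")
            break
    return warnings
```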
Social Engineering
In addition to phishing, there is a threat of a more personal and persuasive variety: social engineering. Rather than trying to guess passwords, cybercriminals often take advantage of personal vulnerabilities instead. Below are some social engineering techniques to be aware of:
- Pretexting – the creation of a narrative to elicit the trust of the target. Consider this scenario: a call comes into the front desk at your bank. The caller claims to be a remote worker with an access issue and bemoans the timing of the problem, as they have an important task due. They need the issue resolved as soon as possible and apply considerable pressure on the front desk team to do so. This puts the front desk on the back foot because of the time sensitivity of the problem and the believable pretext of the remote worker.
- Baiting – when an attacker lures an employee with something they want in exchange for access or sensitive information. Imagine a malicious actor dangling details of an employee’s next salary increase, with the information supposedly sitting on a USB device the employee has found. After some persuasion, the employee gives in to temptation, plugs the device into their computer, and the attacker now has access.
- Impersonation – the invention of an authority figure or impersonation of an authority figure, to gain trust and access to an account.
- Spear phishing – unlike phishing, spear phishing is a targeted attack on an employee or organisation. In this context, the attacker will have gathered some information to make them more convincing. Often this involves the name, address or job title of the victim.
Targeted Attacks
In 2020, the French engineering company Altran Technologies was the victim of a spear-phishing attack. The cybercriminals impersonated the boss and CEO of the company to request a payment order from finance. To gain their trust, the attacker recreated an identical payment portal and invoice. Consequently, a member of the finance department approved the payment, resulting in a $3.6 million loss for the company.
Human error was at play in this example. To avoid these attacks, a stringent verification procedure is a must, alongside cybersecurity awareness training for the frontline staff likely to encounter these scenarios. Unfortunately for Altran Technologies, their attackers effectively targeted specific employees and took advantage of their vulnerabilities to achieve their aims, highlighting the potential damage caused by practised and ruthless spear-phishing.
Cybersecurity Training: Social Engineering
Businesses can arm themselves with preventative tactics:
- Staff cybersecurity training – training enables staff to better recognise suspicious behaviour and therefore, offers the best course of action to avoid them.
- Two-factor authentication – this offers an added layer of security for accounts and increases the difficulty for attackers to gain access
- Strong password policy – implementing a company-wide password policy goes a long way to establishing a strong defence against brute-force password hacks (see our article for more information)
- Access controls – assigning access based on job roles can reduce the blast radius of an attacker accessing your systems.
- Security software – investing time and money into researching and purchasing relevant security products is a crucial part of a modern business’s cybersecurity strategy
- Disaster response – settle on an agreed protocol for the event of an attack and train your workforce to cooperate on an agreed response
- Physical security – set up security cameras to monitor and protect areas where sensitive information or expensive equipment is stored
Cybersecurity Training for C-Level Professionals
- Two-factor authentication – this is all the more important for professionals who have access to highly sensitive data
- Regular cybersecurity training – run threat scenarios and simulate attempts to gain unauthorised access. As a consequence, your team can be aware of threats and you can implement an effective threat protocol
- Spam filters – equip your business with up-to-date spam filtering software to gatekeep staff email inboxes
- Monitor logs – keep an eye out for suspicious activity such as multiple failed login attempts or access from unusual locations
- Disaster protocol – in the event of a phishing attack, setting an agreed protocol is vital. Create reporting procedures, isolate affected systems and delegate the roles and responsibilities company-wide
- Update and refine – stay informed on the latest cybersecurity protocols and threats so you can protect your business into the future
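The ‘monitor logs’ item above names two patterns worth alerting on. As an added example (not code from the original article), here is a small detector run over constructed authentication log lines: it raises an alert when a user accumulates several failed logins within a time window, and when a successful login comes from a country outside that user's known baseline. The log format, the sample lines and the per-user country baseline are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up key=value format (documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice result=FAIL ip=203.0.113.5 country=GB
2024-05-01T09:00:20Z user=alice result=FAIL ip=203.0.113.5 country=GB
2024-05-01T09:01:05Z user=alice result=FAIL ip=203.0.113.5 country=GB
2024-05-01T09:01:40Z user=alice result=FAIL ip=203.0.113.5 country=GB
2024-05-01T09:02:10Z user=alice result=FAIL ip=203.0.113.5 country=GB
2024-05-01T09:30:00Z user=bob result=OK ip=198.51.100.7 country=GB
2024-05-01T11:15:00Z user=bob result=OK ip=192.0.2.44 country=RU
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+)$"
)

# Assumption: each user's usual login countries, e.g. from HR records or a learned baseline.
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}}

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(log_text, fail_threshold=5, window=timedelta(minutes=10), known=KNOWN_COUNTRIES):
    """Return alert strings for repeated failures and for logins from unusual countries."""
    alerts = []
    recent_fails = defaultdict(deque)  # user -> timestamps of failures inside the window
    fired = set()                      # users already alerted on, to avoid duplicates
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skipped here, would be logged in production
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= fail_threshold and user not in fired:
                alerts.append(f"{user}: {len(q)} failed logins within {window} from {ev['ip']}")
                fired.add(user)
        elif ev["result"] == "OK" and ev["country"] not in known.get(user, set()):
            alerts.append(f"{user}: successful login from unusual country {ev['country']} ({ev['ip']})")
    return alerts
```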
Conclusion
Achieving robust security is a layered and cumulative process. The problem is not just about the technology; it is also about the people who interact with it. Alongside preventative measures such as two-factor authentication, a password policy and a disaster protocol, staff training is equally important. In parallel with these efforts, businesses are adopting proactive and iterative cybersecurity training processes. Without this approach, futureproofing your reputation and profits may become fraught with risk and possible disaster.
If you require an experienced and knowledgeable IT consultation, our experts are waiting to hear from you. We have product and service offerings to neutralise potential threats, empower your workforce and protect your business. Fill out the form below to get in touch.