You may have heard that employees are the biggest cybersecurity threats to your business network. According to IBM data, human error is responsible for 95% of data breaches.
Personally, I think using the term ‘human error’ is a disservice to uninformed employees. Human ignorance is more appropriate. You can’t make an error if you are not aware that there is a right way of doing things. When you unknowingly do something a different way, you don’t make a mistake, you learn a lesson.
The IBM report underscores the need to ensure your employees are aware of cybersecurity threats. Making your workforce cyber resilient is just as important as investing in cybersecurity technologies.
Actually, it’s more important.
Today’s businesses typically use a variety of devices, software and cloud-based services together with owning multiple accounts which through which they exchange sensitive information.
All of these platforms are a potential gateway for threat actors to infiltrate your business network. Subsequently, cybersecurity awareness training could save your business.
Cybersecurity Awareness Strategies
We’ve now reached a point in the evolution of digitisation where cybersecurity awareness training is just as important as training employees on how to perform their job.
Ideally, the best approach to such training is to organise a comprehensive cybersecurity awareness program conducted by IT professionals to ensure your staff is fully aware of cyber threats.
Once the initial training has been given, it’s easier to keep your teams informed about the latest threats.
Failing that, you can create your own. We’ve given you some key starter points in this article and you will also find more in our piece on ‘how to train your staff in cybersecurity awareness.’
The level of cybersecurity awareness training your staff needs really depends on your firm’s compliance requirements, the role in your company and whether you store sensitive data belonging to third parties.
As a bare minimum, your staff should be aware of the types of cyber threats they will encounter. More importantly, employees should know how to identify cyber threats and what your company’s response process should be.
The starting point is to establish the perimeters of your IT security environment. For example, secure your most sensitive data. Cloud technologies such as ‘permissions’ help with this.
That said, your IT security awareness program should involve training relevant personnel on how to update security settings on networks and devices. Studies indicate that 27% of data breaches were caused by misconfiguration.
Hands-on training is the best way for most people to learn. You need to develop a program using actual case studies as examples. You should also periodically conduct secret exercises to measure the alertness of your staff.
Will anybody notice a fake cyber threat? How many did? How many didn’t?
It will also be worth your while for recruiters to raise the issue of cybersecurity awareness when they’re interviewing new recruits.
Cybersecurity Responsibility
Data privacy laws hold firms that fail to implement efficient cybersecurity defences accountable for data breaches. In the UK, companies will be fined for breaching General Data Protection Regulations (GDPR) and forced to inform affected parties.
Fines under GDPR are generally 2% of the company’s annual turnover. This shouldn’t really cause too much financial damage to most businesses. However, having to inform your customers their data has been stolen is likely to harm your business.
Almost two-thirds of UK consumers say they would stop using a business that has been hit by a data breach. 60% of small businesses don’t survive beyond six months following a data breach. A damaged reputation makes it difficult to earn the trust of customers.
If you’ve been stalling over providing cybersecurity awareness to your staff, let it sink in that your business continuity is at stake if you suffer a data breach. Your staff should know this as well because if they make a “human error” that gets talked about so often, they will be out of a job.
The Office for National Statistics (ONS) shows that 39% of UK businesses experienced at least one cyberattack in the past 12 months. The less prepared you are to deal with the threat, the more you risk suffering a data breach.
Cybersecurity threats arrive through various channels and in different formats. In almost every case, however, the gateways between your business network and malicious actors is your employees.
“Spoof” Phishing
Phishing attacks are by far the most common technique deployed by hackers. 91% of phishing attacks are delivered through email. These types of attacks prompt the target to click on a malicious link or download a document that is infected with malware.
The good news is that the majority of phishing emails are easy to identify. They arrive as basic emails with zero attempts to make them appear as though they are from a company or institution.
Moreover, the emails are clearly written by someone that does not speak English as a first language. They may have spelling or grammar errors in them or just a terrible story such as”
“I am a Nigerian Prince and I’m pleased to announce you have won $10,000. To claim your prize click the link below.”
We’ve all seen that one.
However, hackers are becoming more sophisticated. Not only have they brushed up their stories, spelling and grammar, but the email designs have also improved significantly as well. So much so that some emails appear as though they are from authentic sources.
These types of phishing campaigns are called spoof emails. The technique is called ‘spoofing’, Typically spoof phishing attempts are designed to make it appear as though the sender is HMRC, Apple, Google, Amazon, a bank, British Telecom etc.
The content will normally say something is wrong with your account and prompt you to click a link to resolve the issue. Spoofing emails from government bodies or banks may get you to fill out a form with your personal information on it or send money.
Here are some examples of spoofed emails purportedly originating from HMRC.
More good news: it is possible to identify spoof emails. The most obvious place to look is the sender’s email address. Even the most sophisticated hackers can’t spoof a real email address that is owned by an existing company.
Malware Attacks on Personal Devices
Malware is a varied term for malicious code that encompasses a bunch of cyber threats such as trojans, viruses, worms, spyware and ransomware. The type of malware will determine the function it plays.
Hackers download malware onto a target’s device via the links and infected attachments that are typically sent via phishing emails described above. Once a device is infected, the attacker can use the malware to perform certain tasks.
For example, sophisticated malware will go undetected and find its way onto a business network. If it’s spyware, the virus will access files and send the contents to the hacker. This is a typical hacking technique used in corporate espionage.
Other types of malicious malware might destroy files or hide them by moving them to another folder. Most malware that is used to attack businesses aims to steal sensitive data.
In the hands of threat actors, sensitive data can be used as a bargaining chip in a ransomware attack or it will be sold to businesses that intend to use it for marketing purposes.
Malware will also eventually erode a hard drive, meaning the device will not function properly. The device will either crash on a regular basis, slow down or stop responding to functional commands.
If you allow employees to access your business network using their personal devices, it’s in your best interests to make sure they are aware of cybersecurity threats – for their own security as much as your company’s.
Malware attacks can be prevented by making your staff aware of phishing attempts and by placing endpoint protection on every device that has access to your business network.
How does malware get on a device?
Most malware is “DLL files” – a set of code and data for carrying out a particular activity on a device. Although there are several ways for malware to get onto a device, an action has to be performed by the device owner.
The most common channels hackers use to infect a device with malware is by getting the target to click a malicious link or download an infected file. This can be executed in any of the following ways:
- Downloaded onto a computer via a file-sharing site such as pdf promising secrets
- Performing illegal downloads such as films, computer games and books
- Clicking on malicious links sent via email, fake website ads or fake security pop-ups
- Downloading infected files onto a removable hard drive and using the drive with a device used for work
Malware in Trusted Channels
Threat actors have taken spoofing to the next level. In recent years, they’ve been hijacking email threads and communication tools. The strategy here is to target victims through trusted sources.
Springing the trust element means it’s easier to trick unsuspecting targets. When you know the originating source of a message, you are more likely to open attachments or click on links. This is why spoofing can be effective.
However, as mentioned above, even spoofing emails can be identified as fake and foiled. Hackers recently stepped up their game by hijacking email threads and messaging apps.
In the main, employees know not to trust suspicious emails or spam. Most people can easily identify a poorly constructed phishing attack. But what if the attackers use other familiar channels such as hijacked email threads, fake customer response forms and fake call centres.
A few months ago we reported that hackers were dropping malware into Microsoft Team chats. This is a new technique that may appear in other communication software or other trusted channels.
According to Avanan, the cybersecurity company that discovered the attacks, threat actors were using Microsoft 365 credentials sourced from earlier phishing campaigns.
This should raise an alert that previously infected accounts could still be compromised. If hackers deposited spyware on a device or a covert code that redirects password updates to compromised accounts, simply changing your password will not be good enough. You may need to scour the account or set up a new one.
Social Networks Present Cybersecurity Threats
Social networks have become a gold mine for hackers. It’s become the norm for people to use their personal information on social media platforms. it’s not difficult for hackers to collect this data and use them in social engineering exercises.
Attackers are most likely to target people that do not pay much attention to how they use social media. If your employees are frequent social media users, make sure they are aware of the type of information they divulge.
Important figures or personnel in key departments such as HR and accounts may also be targeted through social networks. Attackers use a technique called ‘spear phishing’ which seeks to earn the trust of their target or impersonate a trusted source.
For example, somebody working in accounts may receive an email that appears to be from the CFO instructing them to transfer a sum of money to an account. An invoice may be attached to make the email appear more authentic.
If a hacker gains control of a social network, one that is either connected to your business or a private account of your employee, they could use it as blackmail to pay a ransom. They could also use a compromised account to illicit information from colleagues listed as ‘friends’ on a hijacked social media account.
Vulnerable Software
Software that is released into the public domain eventually develops vulnerabilities. Software companies spend millions of pounds a year identifying potential flaws and creating code to “patch up” gateways.
Once a software update that includes a security patch has been released by the software company, it is the responsibility of businesses to ensure the update is executed on every device that supports the software in question.
That typically means relying on your employees to execute the update. Moreover, the update should be performed as soon as possible – the earlier the better.
When major software companies like Microsoft and Google release a security update, it’s usually reported by tech media. That means the vulnerability is available in the public domain – where hackers can learn about the vulnerability and get to work.
Yeah smart.
Employees that are aware of cybersecurity threats will be more inclined to update software in a timely manner. A safer option is to use patch management services offered by IT support providers. Patch management ensures devices are updated automatically and can be performed remotely.
IT Support Services in London
If you want to ensure your staff undergoes comprehensive cyber security awareness training and is consistently kept up-to-date with the latest cybersecurity threats, get in touch and speak with our IT specialists in London.
We’re available to provide cybersecurity awareness training in London, Glasgow, the southeast and surrounding areas.