The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.

Click It & Risk It: Guard Against Social Engineered Attacks with Proactive Cybersecurity Training


Human error. It’s an inevitable part of life and conducting business every day.

We’re only human, after all.

But such human error can be especially damaging in today’s cybersecurity climate. According to Verizon’s 2018 Data Breach Investigations Report, phishing and pretexting account for 93% of the breaches that involved a social action. In other words, when attackers go after people rather than machines, this is how they do it, and it is possibly only a matter of time before one of your employees is hoodwinked by these human-manipulating tactics.

A few relevant terms to know:

  • Phishing: A scam, usually delivered by email, that impersonates a trusted brand to trick the recipient into revealing personal information or clicking a malicious link.
  • Spear-Phishing: Phishing tailored to specific individuals within a company, typically using details about their role, colleagues, or current projects to make the lure convincing.
  • Social Engineering: The umbrella term for a broad range of malicious activities accomplished through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Email, not surprisingly, is still by far the most common vector for these attacks, according to the Verizon report. How does an organization ingrain in its employees that if they Click It, They Risk It? Maybe you have a monthly cyber education class. Maybe you circulate slides with helpful information over email.

But in 2019, maybe it’s time to ditch the PowerPoint and truly empower your employees.

Where to begin?

Endpoint Security is Not the End Game

Businesses today rely on endpoint and perimeter security measures to thwart cyberattacks: firewalls, content filters, encrypted data and email, virtual private networks, antivirus, and anti-malware tools.

While these measures build a foundation for securing your company’s information, technology does not account for human error, particularly when it comes to social engineering attacks. These are a modern-day attack vector that exploits people’s trust and inattention to infiltrate networks.
It’s a simple art of persuasion that manipulates employees into giving out confidential corporate information, or the credentials that unlock it.

Tactics that Hoodwink Your Workplace Team

1. The Spoofed Phone Number

With social engineering attacks, it might be a phone call from a spoofed number: “This is Microsoft. I’m calling to notify you that there is a bug outbreak in your area. I’ve been assigned the Little Rock area, and I need to log into your computer to apply a patch.” And then the employee hands over their login information.

2. The Email from your “Boss”

An email from your “boss” to your HR person, requesting that he or she send the W-2s of every employee, in PDF form, for review.

3. If It Sounds Too Good to Be True…

An email comes in from a hacker disguised as a legitimate client, requesting pricing for 500 hard drives, 200 memory sticks ASAP. Attached is a PO. The salesperson processes the order, ships the gear, and 30 days later the invoices go out to an email address that no longer exists.
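The two email tactics above share header-level tells that a mail gateway or a mailbox rule can check before a human ever reads the message: an executive’s display name on an address that isn’t theirs, a Reply-To that silently routes the conversation to a different domain, or a sender domain that imitates your own. The following is an added illustration, not code from the original post or from Datamax; the company domain (`example.com`), the executive directory, the landing-page names and the sample messages are all constructed for the example.

```python
"""Flag emails that look like executive impersonation (BEC) attempts."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company data used for illustration only; in practice the
# internal domain and executive directory come from the mail system or HR.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, reference: str) -> bool:
    """True if `domain` imitates `reference` (examp1e.com, example-corp.net)
    but is not `reference` itself or one of its own subdomains."""
    if domain == reference or domain.endswith("." + reference):
        return False
    ref_label = reference.split(".")[0]
    dom_label = domain.split(".")[0]
    # Brand name embedded in a foreign domain, or a single-character edit of it.
    return ref_label in domain or edit_distance(dom_label, ref_label) <= 1


def flag_bec(raw_message: str) -> list:
    """Return human-readable reasons the message looks like BEC.
    An empty list means no header-level red flags were found."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    # 1. An executive's display name on an address that is not theirs.
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Reply-To sends the conversation to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. Sender domain imitates the company's own domain.
    if is_lookalike(from_dom, INTERNAL_DOMAIN):
        reasons.append(f"sender domain {from_dom} imitates {INTERNAL_DOMAIN}")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLES = {
    "freemail_impersonation": (
        "From: Jane Doe <jane.doe.ceo@freemail.net>\n"
        "To: hr@example.com\nSubject: W-2s for all staff\n\n"
        "Please send me every employee's W-2 as a PDF today. Thanks, Jane\n"
    ),
    "lookalike_with_reply_to": (
        'From: "Jane Doe" <jane.doe@examp1e.com>\n'
        "Reply-To: jane.doe@freemail.net\n"
        "To: sales@example.com\nSubject: Urgent PO - 500 hard drives\n\n"
        "PO attached, please ship ASAP and invoice net 30.\n"
    ),
    "legitimate_internal": (
        "From: Jane Doe <jane.doe@example.com>\nTo: hr@example.com\n"
        "Subject: Lunch\n\nAre we still on for noon?\n"
    ),
    "legitimate_external": (
        "From: Bob Vendor <bob@vendorcorp.net>\nTo: sales@example.com\n"
        "Subject: Quote request\n\nCould you quote 20 monitors?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", flag_bec(raw) or "no flags")
```

None of these checks is proof of fraud on its own (a vendor may legitimately set a Reply-To, and the lookalike heuristic is deliberately crude), but a message that trips two or three of them is exactly the one that should be held for a second look, or at minimum banner-tagged as external before it reaches HR or sales.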

Get Proactive About Educating Personnel

Beyond the infrastructure in place, what about employee education? What is your company doing to educate its team for recognizing and avoiding these sly, malicious tactics?

Maybe it’s that monthly educational email that goes out.

Maybe your IT director gives a presentation at a company-wide meeting. This, for me, harkens back to the Charlie Brown cartoon. You remember: when his teacher speaks, all he hears is “Wah wa wa wah wa wa wah.”

Chances are, 50 percent of those attendees are hearing what Charlie Brown hears. 25 percent are buried in their smartphones. And the other 25 percent retain the information for three hours or so.
Again, ditch the PowerPoint slides, and get proactive.

One example would be, through partnering with a reputable business technology partner, setting up a program that provides initial training and follows up by sending simulated phishing emails to employees. If they click on the email “bait,” they land on a page that reads “Oops! You just clicked on a phishing email!”

IT directors or business owners can also receive management reports that detail which employees continue to click on these simulated malicious emails over time, so that follow-up training goes where it is needed.
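To make the simulation and its reporting concrete, here is a small tracker that does what the program above describes: each recipient in each campaign gets a unique, unguessable link, a hit on the “Oops!” page is recorded against that link, and a report lists the employees who keep clicking across campaigns. This is an added example, not code from the original post or from any vendor’s product; the landing-page URL, employee names, campaign labels and click outcomes are constructed for illustration.

```python
"""Minimal phishing-simulation tracker: per-recipient tokens, click
recording, and a repeat-clicker report."""
import secrets
from collections import defaultdict

LANDING_BASE = "https://training.example.com/oops"  # hypothetical "Oops!" page


class PhishSim:
    def __init__(self):
        self._tokens = {}                 # token -> (campaign, employee)
        self._sent = defaultdict(set)     # campaign -> employees emailed
        self._clicked = defaultdict(set)  # campaign -> employees who clicked

    def issue(self, campaign: str, employee: str) -> str:
        """Mint an unguessable token for one recipient in one campaign.
        The link carries only the token, never the employee's name, so nobody
        can forge a click against a colleague by editing the URL."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (campaign, employee)
        self._sent[campaign].add(employee)
        return token

    def bait_link(self, token: str) -> str:
        return f"{LANDING_BASE}?t={token}"

    def record_click(self, token: str):
        """Called when the landing page is hit. Returns the employee, or None
        for unknown tokens (typos, link scanners, guesses). Repeat clicks on
        the same token count once, so a curious double-click is not two strikes."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        campaign, employee = entry
        self._clicked[campaign].add(employee)
        return employee

    def click_rate(self, campaign: str) -> float:
        sent = self._sent.get(campaign, set())
        return len(self._clicked.get(campaign, set())) / len(sent) if sent else 0.0

    def repeat_clickers(self, min_campaigns: int = 2) -> dict:
        """Employees who clicked in at least `min_campaigns` campaigns, mapped
        to the sorted list of campaigns they clicked in."""
        hits = defaultdict(list)
        for campaign, employees in self._clicked.items():
            for e in employees:
                hits[e].append(campaign)
        return {e: sorted(c) for e, c in hits.items() if len(c) >= min_campaigns}


def run_demo() -> PhishSim:
    """Constructed data: three monthly campaigns, four employees."""
    sim = PhishSim()
    # (campaign, employee, clicked?) -- assumed outcomes, not real results
    outcomes = [
        ("2019-01", "alice", True), ("2019-01", "bob", True),
        ("2019-01", "carol", True), ("2019-01", "dave", False),
        ("2019-02", "alice", True), ("2019-02", "bob", False),
        ("2019-02", "carol", False), ("2019-02", "dave", True),
        ("2019-03", "alice", True), ("2019-03", "bob", False),
        ("2019-03", "carol", False), ("2019-03", "dave", True),
    ]
    for campaign, employee, clicked in outcomes:
        token = sim.issue(campaign, employee)
        if clicked:
            sim.record_click(token)
    return sim


if __name__ == "__main__":
    sim = run_demo()
    for c in ("2019-01", "2019-02", "2019-03"):
        print(f"{c}: {sim.click_rate(c):.0%} of recipients clicked")
    print("repeat clickers:", sim.repeat_clickers())
```

The two design points worth carrying into a real program are visible here: the tracking token is random and per recipient, so the report cannot be polluted by someone guessing or editing a URL, and a click is idempotent, so the management report counts people who fell for a campaign, not how many times they hit refresh on the training page.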

Here's a real-life scenario to draw from: in a recent lawsuit reported in KnowBe4’s Security Awareness Training Blog, a former employee is being sued for sending approximately 250K of her employer’s cash to an online fraudster. The criminal sent her emails pretending to be her boss. Sound familiar?

The firm, which fired this employee, has described her actions as "careless and in breach of the duties - including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer."

The defendant’s claim? She did not receive any training on how to spot online fraud.

Which raises a very simple question for every business owner today: when it comes to online fraud, phishing, and social engineering, how well is your team trained?

Begin shoring up your cybersecurity landscape - from technology to end-user education - with a thorough Network Risk Assessment with Datamax! Interested in learning more? Let's talk!


Topics: Network Management, IT Consulting, Network Security, Technology Training