The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.


IT Security Breaches—It's Not Always The Bad Apple


81% of the respondents reported that negligent employees or other insiders have been responsible for at least one unintentional data breach within their organizations over the past two years. - The Human Factor in Data Protection Study¹

While companies will always be fearful of the malicious ‘bad apple’ employee, numerous studies have shown that most internal security breaches are accidental or unintentional, and mostly the result of clever phishing tactics. Phishing is a scam in which a malicious message poses as legitimate – for example, an email that appears to come from someone in your contacts but is actually sent from an unfamiliar address. A well-meaning employee can inadvertently fall for such a scam simply by not noticing that something isn’t right. By properly identifying these causes, companies can not only inform employees of the risks but also reduce their exposure to these cyber-attacks. If employers take the time to educate employees on how to identify these threats, small businesses with limited resources can drastically reduce their own exposure at little to no additional cost.

“We have met the enemy and he is us.” – Walt Kelly

First, an understanding of the problem. In The Human Factor in Data Protection, a 2012 independent study by the Ponemon Institute sponsored by Trend Micro, over 700 IT security practitioners were surveyed; 81% of the respondents reported that negligent employees or other insiders have been responsible for at least one unintentional data breach within their organizations over the past two years... thus the enemy is us. One notable case happened back in 2013, when hackers sent a malware-laced phishing email to employees of Fazio Mechanical Services, Inc., an HVAC subcontractor working at a number of Target stores. Using the credentials stolen through that attack, the hackers were then able to install malware in Target’s security and payments system designed to steal every credit card used by customers, resulting in over 70,000,000 compromised credit cards. While major breaches at Fortune 500 companies hog the limelight, small businesses are just as susceptible to cyber-attacks as the big companies, since any one person can fall victim to phishing scams or other social engineering methods.

Types of phishing techniques

There are many different types of phishing techniques. Some of the more prominent ones are:

  • Email / Spam – Phishers send the same seemingly legitimate email to millions of users, asking them to click on a link, open an attachment, fill in personal details, verify an account, etc.
  • Web-based Delivery – Also known as a “man-in-the-middle” attack: the hacker sits somewhere between the user and the website. Examples are website forgery and covert redirects: a hacker poses as your bank in an email and states that your bank account has been compromised, then sends either a link to an identical-looking website or a link that appears to be the legitimate site but actually redirects the victim to the attacker’s website, where the victim unwittingly types in credentials thinking it’s their bank.
  • Phone Phishing – A company recently contacted us about suspicious activity that illustrates this technique. The user had responded to a pop-up message claiming that his computer needed important Microsoft security updates and that, to get them installed, he had to pick up the phone and call “Microsoft”; the phisher on the other end verbally talked the user into granting remote access, thereby compromising that workstation.

Are there any low-cost safeguards?

Are your employees familiar with scams and how to avoid them? Social engineering is one of the easiest ways for an intruder to gain access to your information. For this reason, training employees on how to identify and avoid phishing attempts is arguably the cheapest, most effective approach at curbing this threat. Here are some useful tips that an organization can provide their employees to make them more aware of phishing and other hacking techniques:

  • Do not open attachments or click links from unknown sources.
  • Before clicking on known sources, hover your mouse over the link to verify the site that it’s leading to.
  • Look closely at the email address when a familiar person is requesting personal or security information. Better yet, pick up the phone and call the person to verify the request.
  • Never provide security or account credentials to anyone. A general rule of thumb is if an Administrator has to ask you for your password, then they are not your Administrator.
  • Lastly, if you think something is suspicious, then it probably is. Report it.
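Two of the tips above (hover to see where a link really leads, and look closely at the sender's address) can be turned into a routine check on a suspicious message before it is forwarded to IT. The following Python is an added example, not code from Datamax or the original post; the message body, sender header and every domain in them are constructed samples:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
def registered_domain(host):
    # Crude "last two labels" rule: secure.examplebank.com -> examplebank.com
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()
class _AnchorCollector(HTMLParser):  # collects (href, visible text) pairs from the HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_mismatches(html):
    """Links whose visible text names one domain while the href really goes to another."""
    p = _AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        real = registered_domain(urlparse(href).hostname or "")
        m = DOMAIN_RE.search(text)
        shown = registered_domain(m.group(1)) if m else None
        if shown and shown != real:
            findings.append({"text": text, "href": href, "shown": shown, "real": real})
    return findings

def sender_mismatch(from_header):
    """Flag a From: header whose display name claims a domain the real address lacks."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    if not m:
        return None
    actual = registered_domain(m.group(2).rsplit("@", 1)[-1])
    d = DOMAIN_RE.search(m.group(1))
    claimed = registered_domain(d.group(1)) if d else None
    return {"claimed": claimed, "actual": actual} if claimed and claimed != actual else None

# Constructed sample: the link text and display name mimic a bank, the real targets do not.
SAMPLE_HTML = ('<p>Visit <a href="http://login.examplebank.com.evil-host.test/x">https://www.examplebank.com'
               '/login</a> or <a href="https://www.examplebank.com/help">our help page</a>.</p>')
SAMPLE_FROM = '"Security @ examplebank.com" <alerts@mail-relay.test>'
```

Plain-text links, lookalike characters and shortened URLs are not covered by this check, so a clean result is not a guarantee; a flagged result is a reason to pick up the phone.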

Higher level measures to consider

While educating end-users is effective, there are still measures that organizations can do themselves to help protect their information:

  • Establish procedures for reporting potential phishing attempts, such as creating an email address for employees to forward suspicious emails to. Follow up on such reports by alerting the workforce.
  • Implement anti-spam software to stop suspicious emails from reaching employees. Install anti-virus software and keep the definitions current. Install firewalls and maintain them with the latest security patches.
  • Monitor activity for unusual volumes or access patterns.
  • Implement social engineering tests to identify untrained or susceptible employees, including senior management. Go ahead, test the susceptibility of your company to phishing attempts by [safely] trying to phish them yourself!

Businesses looking for assurance that their organization is not vulnerable to phishing, malware, or other cyber threats may find only consternation, which is why Datamax offers a no strings attached network risk assessment which will provide interested parties actionable insight for developing a well-managed network.


¹ Various content based on the 2012 independent study by the Ponemon Institute, sponsored by Trend Micro, and titled The Human Factor in Data Protection.
