Turning your Biggest Weakness into your Biggest Cyber Asset
One of the most important considerations in Information Security is ensuring your people are cyber aware. Do they know how to spot a potential threat? Do they have the confidence to report anything they think is suspicious? Is their password management considered safe? Are they using their work email for personal things?
Cyber-crime is big business and data is big money. Cyber criminals are sophisticated, organised and have little fear of being caught, and with a reported 90% of breaches involving some degree of human error, the cyber criminal's job is made easier.
Phishing is one of cyber criminals' preferred methods of attack: 83% of organisations reported a successful phishing attack during 2021, and a whopping 53% of those said it resulted in a data breach.
The term phishing generally means an attack via email, but it also covers other channels such as text messages or social media. How many of us have received a phishing text such as, ‘We tried to deliver your parcel today, click this link…’?
A phishing attack is a cyber-attack disguised as a message from a legitimate entity, intended to trick the recipient into doing the wrong thing, such as clicking on a link or entering personal details. The intent may be to get the user to download malware (such as ransomware), to steal data or money, or to disrupt systems or services.
While firewalls and other technologies can be the underpinning foundation of an organisation's security strategy, they cannot protect against everything, and phishing emails can still get through. These emails can reach many users and are designed to hide among the many emails a user may receive daily. Organisations of all sizes are targeted; it could be a targeted attack on your business, or your business may be caught up in a wider campaign.
Attackers may use logos, employee details or an email address that makes the email appear to come from someone in your organisation, and they will often include some urgency for a response, putting users under pressure. This is referred to as spear phishing. These attacks are harder to defend against because they can appear legitimate.
Poor password management is also a contributor: for example, the lack of a password policy within the organisation, users writing their passwords on post-it notes, storing passwords in text files on their desktop, sharing passwords with other users, and using simple passwords such as Password1.
Password mismanagement happens at all levels in an organisation, even in the IT department; for example, a business-critical system with an administrator username and password of system/password1. This is more common than people would like to think.
The Human Firewall
If the human factor is responsible for 90% of breaches, then 90% of breaches could be prevented by creating a human firewall through continual cyber training and simulation. This will increase your organisation's cyber-resilience and turn your biggest weakness into your biggest cyber asset.
Cyber awareness training should provide your employees with education and training that will:
- provide an underlying knowledge of cyber threats
- give them the ability to identify potential threats
- construct a ‘Think before you Click’ attitude
- teach them how to react to and report something suspicious or an incident
- empower them to change their behaviours
For awareness training to be effective it needs to be ongoing and adapted to keep pace with the ever-changing and evolving threat landscape.