Cyber security and Employees

Cyber Security Threat #1: Employees

Employees are the weakest link in your cyber defense. Training is key for password management, avoiding viruses, and keeping your corporate secrets safe.

Your company may have invested in hacker-resistant firewalls, two-factor authentication, and strong anti-virus software. But even the most secure computer network in the world, will not protect you from the weakest link: the human employees who sit in front of a PC.

Hackers know that employees can be manipulated to give up company information, login credentials, and even cash. You should know it too!

WHY YOU SHOULD CARE:
According to the 2018 Verizon Data Breach Investigations Report, 58% of cyber attack victims were small businesses (fewer than 250 employees). Worse, about 60% of SMBs forced to suspend operations after a cyber attack never reopen for business.

– Source: Verizon (Verizon Data Breach Investigations Report)

In fact, over 80% of cyber security breaches at SMBs are due to employee negligence, like clicking on links they shouldn’t, using weak passwords or giving their credentials to someone else. So, cyber security education and awareness of the various “social engineering” threats they may face, like phishing and spoofing, goes a long way. This is why companies are now training their IT departments on pre- and post-cyberattack plans to help mitigate losses.

Know the Scams

Phishing attacks are a rampant problem for organizations and the most common way of obtaining restricted data. The problem stems from unsecured business email solutions, where criminals use impersonation and other social engineering tactics to get employees to click on compromising links or unwittingly provide information. Other scams include Business Email Compromise (BEC), which target companies who use wire transfers to send money, particularly to international suppliers.

What is a phishing attack?

Phishing and spoofing attacks are a common way for hackers to obtain access by masquerading as a trusted entity, like a bank or even someone from your company. CSO explains that the purpose of these attacks is to trick users to hand over sensitive information or infect the network with malware. When the email recipient clicks on the compromised link it directs them to a spoofed website that looks almost like the real thing, and then pushes them to enter their credentials. If the scam works, the attacker now has your user credentials to access the real website – which could be a bank, an email account, or even your own business network.

Credentials or financial information should never be given to someone who contacts your employees and asks to update, validate or confirm any information. Goldman Sachs warns that financial information should only be given to another party when you have initiated the contact.

The New Cybersecurity Threat: Business Email Compromise (BEC)

The FBI reports a 60% increase last year in fake email schemes to steal information or money. BEC attacks typically rely on impersonating executives or high-level employees involved with wire transfers. Attackers often pretend to be the CEO or company attorney requesting a money transfer to a bank account they control.

A good attacker can mimic an authorized users email, right down to the signature block.

Employee carelessness and lack of training causes 80% of small business cyber attacks.

Because BEC scams do not have malicious links or websites like traditional phishing attacks, they are more difficult to distinguish from the real thing and can evade both technological and human solutions.

The only way to combat these kinds of attacks is to teach employees how to spot them and how to avoid being fooled. Every company needs a fail-safe mechanism with which employees are able to verify the authenticity of the emails they receive. One easy step is to require employees to confirm all financial transfers by calling or visiting the person who is requesting the change.

How to Spot a Cybersecurity Threat

There are still a few ways to tell, however, if an email is from a malicious source or a website is spoofed. Be on the lookout for these signs:

  1. Spoofed websites are easy to spot when you know how. The domain name in the browser’s address bar is the first thing to look at. Many hackers utilize a very subtle typo in the domain address. So instead of ‘www.microsoft.com’ it may look like ‘www.micr0soft.com’, or something similar.
  2. For email scams, the same is true. The originating email address may look similar to the actual company’s address, but upon inspection, it is not correct. The email header may look like it’s coming from PayPal, for example, but a the email address shows, for example, [email protected] or [email protected].  Tricky, right?  
  3. Bad spelling and grammar.  Not everyone writes perfect emails, but hackers are known for their lack of skills in English.  If there’s even one typo or incorrect verb tense (like, “You should sends this wire”) be extra cautious.  Hacked emails are often made in bulk, so often the content will not match the context perfectly.  Stay sharp!
  4. Check the CC line.  Sloppy hackers will often send their emails to multiple people at once.  If you don’t recognize the people in the CC, drop it like a hot rock.
  5. Hover over links – without clicking!  In both emails and websites, the destination of a link can be seen in the lower left corner of your browser window when you

Cyber Training = Preparation

Of course your network should deploy email authentication over a secure email gateway so that only authorized users can send email messages with your domain.  And a good firewall can also help stop inbound messages with suspicious content. But most importantly, train your employees to be smart about phishing and BEC messages that may make it through your digital security layers and refresh that training every few months.

Unless they are specifically trained, most employees will be unaware of the various cyber threats out there. Security Magazine describes how 75% of employees leave their systems unsecure, by not locking them when they leave their desk or not using strong enough passwords. At the same time, only 15% of employees say that they are knowledgeable about persistent threats and how to mitigate them.

A good cyber threat policy starts during the on-boarding process where you indoctrinate your employees to be security-savvy when it comes to company information, digital technologies, passwords and so on.

When it comes to employee negligence, weak passwords are a major problem in high-profile cyber incidents and many data breaches are due to poor passwords. While no password is 100% secure, the longer and more varied the characters in a password, the harder it is for someone to crack it. Advise your employees to create abstract passwords, which use a minimum of 8 to 12 characters, including numbers and symbols, and to change them every 3 months.

Think that sounds too arduous? Use a password management software like LastPass to automatically create and remember stronger passwords.  Or a more complete “Secrets Management” platform like Akeyless. Password software adds an extra layer of security and convenience.

Restricting employees from using their personal devices for work is another step to mitigate cyber security risks. It only works, though, if you provide the education that explains the security implications of accessing work on unsecured devices. This should include clear definitions of what unsecured networks are, and where they are commonly found (coffee shops, hotels or any public Wi-Fi). Even with secure email servers, if a hacker gains access to an employee’s personal device, over an unsecured Wi-Fi network, they could, in turn, use that device as a gateway to your company network when the employee returns to work.

Create a Cyber Security Team…and a Plan

To mitigate many of these threats every business needs a dedicated cyber security team and an advance plan for the company’s response if an attack occurs.  This team – it might be just 2 or 3 people – should be knowledgeable in social engineering tactics and should conduct training to make employees aware of scams and phishing methodologies, as well as teach basic cyber hygiene.

It will also be best to restrict IT admin and access rights to this team of people you trust within your organization. Entrepreneur explains that entrusting this info to a handful of key figures in your IT department, who are properly trained, will help mitigate the risk of data breaches as employees won’t have access to this information and won’t be able to give it away.

There’s a lot to do to stay safe online these days.  But there is also a lot at stake. Most small companies that suffer a major cyber attack never recover. The loss of business data, customer data, or cash (like a wire from the bank), can be an overwhelming blow to your operations.

If you can’t imagine how you would survive after losing everything on your company computers… now is the time to start preparing.

Guest Blogger Lily Jackson is a freelance writer who specializes in corporate cyber security. She hopes her articles help businesses of all sizes better protect themselves. And Lily reminds you that October is National Cybersecurity Month!

Photos by David Worrell and rawpixel via Pixabay