By Vinaya Sheshadri, Principal Security Consultant for RiverSafe
For businesses, a cyber-attack is not a matter of “if” but “when”: every business is at risk. In 2018 alone, cyber-attacks on organisations cost the UK economy tens of billions of pounds, with 7 out of 10 companies falling victim to a cyber-attack or breach. According to the 2017 Data Breach Investigations Report, more than 90% of cyber-attacks were traced back to human error. On top of that, only 38% of global organisations state that they are prepared to handle a sophisticated cyber-attack and, worse, as many as 54% of companies say they have experienced one or more attacks in the last 12 months; this number rises every month and the results are alarming. The best way for a business to counter this is to create a risk-aware workplace, and that starts with cyber security awareness.
What is cyber security awareness?
Cyber security awareness is the combination of knowing what to protect and taking action to protect those information assets. When employees are aware of these threats, the number of incidents caused by human error drops sharply: they understand the potential impact a cyber-attack would have on the business, stay vigilant, and take the necessary steps to reduce risk. This also paves the way to a more GDPR-compliant future. One thing we need to accept is that making employees cyber security aware does not completely eradicate the threats, but it at least gives information security professionals a fighting chance to counter them.
In recent years malware has flourished, becoming more sophisticated with every new strain that is developed, and rest assured this will keep accelerating. As new strains of malware emerge, businesses and enterprises need to make sure that they are employing the correct security measures, making sure their employees are aware of the risks and pitfalls, and eliminating any weaknesses that leave them vulnerable to an attack.
Security awareness consists of continuous training and constant testing in the areas most often exploited. The most dominant security threats include:
- Phishing: Phishing is similar to tossing out a wide net full of bait and hauling in whatever you catch. It is one of the most commonly observed methods of attack, whereby attackers send emails that look genuine but are actually intended to request confidential information over the Internet under false pretences, in order to fraudulently obtain sensitive data. According to the 2018 Data Security Incident Response Report (DSIRR), phishing attacks accounted for nearly 34% of data breaches in 2017, making it the number one type of cyber-crime.
- Spear phishing: Spear phishing attacks usually target high-profile individuals or people with access to valuable assets or sensitive information. As these emails usually target one individual at a time, they are carefully hand-crafted and use all available information to make the email appear as genuine as possible. While phishing casts a wide net, spear phishing takes a highly targeted approach to attacking specific individuals.
- Malware: Malware refers to any kind of software intended to inflict harm on a device; it can take the form of a virus, worm, spyware, rootkit, ransomware or trojan horse. In 2017, the malware known as WannaCry, a form of ransomware, spread throughout the world, crippling thousands of organisations and causing billions of dollars in damage. Ransomware is a bit different from other malware in that it encrypts the files on a drive (local or network) and demands payment, typically in bitcoin, to decrypt them.
- Social engineering: Social engineering happens when one person fools another into giving up access to a resource. Attackers use a variety of resources and tools to gain access to their targets. For example, instead of trying to find and exploit a technical vulnerability to gain unauthorised access, a social engineer may call an employee pretending to be the organisation’s ‘IT support’ and try to trick the employee into revealing his or her password.
With all these threats to understand, cyber security awareness campaigns and training should be mandatory for organisations. Cyber security awareness needs to come from the top: if CEOs, CFOs and managers want to secure their data, they have to educate their employees and colleagues and form a culture built around cyber security awareness. Below are some of the best cyber security practices every organisation should be following:
- Basic cyber security training
This is the essential practice that every organisation needs to focus on. These training sessions (online, in person, hands-on or video) will ensure that employees know what to do and what not to do: for example, only using pre-approved software and always using a strong password that is not reused everywhere. It is clear that the weakest link in cyber security is the human factor, and as long as your employees cannot make an educated and informed decision about which email attachments to open, or where and to whom they can send sensitive information, you are at risk of an attack. Your business’s cyber security is only as strong as your weakest employee; it is your responsibility to create a risk-aware workplace culture around cyber security awareness. Conduct periodic internal phishing simulations to set a baseline for assessing the risk of an external threat; this will also help the organisation focus on the employees who may need a little extra help.
- Implement security standards
Organisations need to implement basic security practices covering user access; authentication methods (such as multi-factor authentication for employee logins, to add an extra layer of security); increased password complexity; critical security solutions (EDR, SIEM, IPS, next-generation firewalls); identifying critical vulnerabilities and patching them before they can be exploited; and internal penetration testing, not only to identify weaknesses but also to test employee vigilance.
- Employee awareness
Employees have to be aware of their surroundings and make sure that no one is looking over their shoulder as they type in passwords. They should avoid connecting to unfamiliar networks with either their personal or their company-provided devices, especially the latter, as these can contain sensitive information; not click on or download anything unless they are 100% confident of the source; and not divulge any personal or sensitive information over email or any other channel (for example, replying to all with sensitive information on an email chain; believe me, I have done it and it is not an ideal situation to be in). Any time they are asked to type in credit card information for a payment, they should check the address bar for the ‘https’ prefix rather than just ‘http’, indicating that the site is a secure one.