If an Employee has network access, they should be aware of threats

Cyber attacks can happen at any time on any scale through any device connected to the network. The longer a cyber breach goes on for, and the amount of time it takes to contain, directly correlates with the amount of data lost and in turn the amount of money lost.

An effective cyber attack is enough to devastate a business. Educating a workforce on the ins and outs of cyber security and the simple steps all of them can take to spot something suspicious could be the difference in a business surviving.

The scale of cyber attacks

Forty-six per cent of businesses overall in 2019 noted having had breaches or cyber attacks in the last year, according to the Cyber Security Breaches Survey: 2020. The most common attacks reported were phishing attacks, explained in more detail below by the survey:

“Staff receiving fraudulent emails or being directed to fraudulent websites. This is followed, to a much lesser extent, by impersonation and then viruses or other malware. One of the consistent lessons across this series of surveys has been the importance of staff vigilance, given that the vast majority of breaches and attacks being identified are ones that will come via them.”

The report emphasises the need and importance for knowledge of cyber security across a business, not just for the IT or security teams, but for everyone with access to the network, as each person can be considered a viable target for attackers. The impact of these attacks can be seen in the image below, taken from the report.

Phishing attacks explained, why we’re all targets 

A phishing attack is a sophisticated attack constructed specifically to manipulate the recipient. The attack poses as a trusted source and encourages the ‘target’ to do something to grant access. Ordinarily, the attack usually lures the victim into clicking a malicious link, which consequently can trigger the installation of malware, a ransomware attack or the revealing of sensitive data such as sensitive personal information.

Some of the most recent and sophisticated phishing campaigns have come from those acting as the US Centres for Disease Control and the World Health Organization (WHO) targeting victims with malicious links.

Technology isn’t 100%, we still need to act

The Cyber Security Breaches Survey: 2020 shows a 70 per cent increase in attacks detected by people and not technology.

Technology has the ability to detect when something is explicitly wrong. Tech focuses solely on facts, not intent and sentiment. Studies have shown that technology can prevent 999/1000 phishing based virus emails. But, that number leaves room for some to get through the security controls in place and from the tech’s point of view, these emails look completely legitimate, they tick all the boxes of an honest, normal email.

When we read it, it’s only then can we identify it as a serious threat. Technology is adapting and soon will be able to think like us, but right now it still falls to every person in a company to protect the business. This is why education for all staff is essential because this is where technology cannot protect your business, only the people can.

So, what all your employees should be aware of

1. They should know and be fully aware of the telltale signs of phishing.

2. Who to report a potential security issue to. Without any delay, looking to seek help straight away.

3. Any contact or request that seems unusual or out of the ordinary – especially if there is a perceived urgency with the request.

What each employee should avoid and the FIVE steps they can take 

  1. Good passwords. Unique and long (More than 12 characters).
  2. Use two-factor authentication wherever possible.
  3. Educate themselves on the telltale signs of phishing.
  4. Never share sensitive information with someone that rings you unexpectedly. Check who they are, find a contact number from some other source (e.g., invoice, web site) and ring them back. Legitimate businesses will be perfectly happy with this and grateful for taking precautions.
  5. Double-check anything that seems unusual, especially when being asked to do something outside of the normal process.

The impact and benefits of teaching all staff good cyber security knowledge

If every employee in the business strives to do the right thing when it comes to cyber security, adhering to all of the processes that should be in place and remaining vigilant at all times, first and foremost over their own personal equipment that is connected to the network, then there is a 70% less chance of getting attacked. 

Education is key to keeping your business safe. Technology can only do so much to help, ultimately it will always come down to the staff to take ownership of security and any potential threats and know how to combat these in the right way. That only comes from education and investment in coordinated, strategic processes like adopting and installing the Cyber Essentials scheme into the business.

 

By Colin Robbins, managing security consultant at Nexor


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/