Even companies that did everything right when they built their security infrastructure can still be hacked.
The sad fact is, the weak point in every cybersecurity system is you and the people you work with.
Hacks and data breaches do occur because of disgruntled employees, but the majority of employee-caused data breaches result from negligence or ignorance. Even when the resulting data breach is unintentional, the potential costs are real.
How can you further protect your office?
Organizations are beginning to invest in training their users in security best practices. Recent research from Aberdeen Group shows that 91% of companies performing security awareness and training were trying to reduce cybersecurity-related risk from user behaviors.
76% of organizations said they experienced phishing attacks in 2017
Nearly half of information security professionals said the rate of attacks increased from 2016 to 2017
In 2017, there was an 80% increase in reports of malware infections, account compromise, and data loss related to phishing attacks
The research also reveals that regular, interactive training (monthly or quarterly) is twice as effective at achieving quantifiable benefits as yearly or passive training tools (email alerts, company newsletters, or videos).
What's Phishing Again?
Those of you reading this who began using email in the early 1990s remember the Nigerian prince. All he needed was for you to open a bank account (with at least $10,000 in it) and you would then receive a percentage of the windfall from the Nigerian prince's new oil money! Or you needed to send some personal information and documents to get your lottery winnings (from a foreign country and a lottery you had never entered). The scam varies slightly.
The most disturbing part of that phishing attack is that it must work because it's still going on!
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing, because both use bait in an attempt to catch a victim. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.
Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate one; the only difference is the URL. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may also contain links to websites that distribute malware.
Protect Yourself and Your Office
Creating an ongoing training plan will continually reinforce the importance of security, but what can you do today?
The best tip is an obvious one – if an email, or an offer in an email, sounds too good to be true, it almost certainly is! Never share personal details in response to an email that arrives out of the blue.
Here are 9 basic tips to get you started:
We are all overloaded with emails today. Be skeptical about out-of-the-blue offers. As we all share more information on social channels, cybercriminals use that information to craft more sophisticated phishing messages. The first line of defense is to not be gullible.
When you receive a request to transfer funds, open an attachment (especially from an unexpected email address), or provide sensitive information, don't act on it immediately. When providing sensitive information, it's best to go directly to the site yourself rather than click on a link. Many links look nearly identical to a legitimate URL – nextflix.com, for example, is off by only one or two letters from the real thing. If unsure, hover over the link with your mouse and check the actual URL before clicking. Pay attention to sites as you're browsing as well. If there's anything between the brand name and the common endings – .com, .edu, .net, etc. – your cache may be compromised. If you see anything like www.netflix.ad.com, contact your IT staff ASAP.
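As an added illustration of the URL checks described above (example code written for this page, not part of the original article), here is a small Python checker that flags the two cases the tip names: a brand name used as a subdomain of an unrelated domain (www.netflix.ad.com), and a registrable domain one or two letters away from a known brand (nextflix.com). The brand allowlist and the "last two labels" domain rule are simplifying assumptions.

```python
from urllib.parse import urlparse

# Constructed allowlist of brands this checker knows about (assumption, not from the article).
KNOWN_BRANDS = {"netflix.com", "paypal.com", "microsoft.com"}


def registrable_domain(host: str) -> str:
    """Naive rule: the last two labels form the registrable domain.
    Simplification: a production checker would consult the Public Suffix List
    so that hosts like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-letter typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'ok', 'unknown', or a description of why the link looks deceptive."""
    if "://" not in url:          # bare hostnames as they appear in hover text
        url = "http://" + url
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return "ok"
    # Brand name placed in front of an unrelated domain, e.g. www.netflix.ad.com
    # is really a host under ad.com, not netflix.com.
    for brand in KNOWN_BRANDS:
        brand_name = brand.split(".")[0]
        if brand_name in host.split(".")[:-2]:
            return f"brand-as-subdomain: '{brand_name}' under {domain}"
    # Typo-squat: registrable domain within two edits of a known brand, e.g. nextflix.com.
    for brand in sorted(KNOWN_BRANDS):
        if edit_distance(domain, brand) <= 2:
            return f"lookalike: {domain} resembles {brand}"
    return "unknown"
```

A mail gateway or browser extension would run classify_url over every href in a message and surface anything other than "ok" to the user before the click.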