Keep your employees off the hook

Following on in our series for European Cybersecurity Month (ECSM) and National Cyber Security Awareness Month (NCSAM), this blog explores how to prevent phishing and the impact that individuals working in our organisations can have in facilitating or preventing a cyber-attack. The shift in our working environments has highlighted that individuals are becoming increasingly vulnerable to exploitation, and cyber criminals are finding more convincing ways to leverage those vulnerabilities.

Insider threats to business

We focus so much on outsider threats to the business, but how much have we really assessed our insider threats? Insider threats do not have to be malicious. Human error is often labelled as a main reason for a breach, when on reflection it is generally inadequate security cultures, poor processes and lack of training that facilitate attacks, exposing organisations to breaches and letting employees down.

The Cyber Security Breaches Survey 2020 reports that 86% of attacks on businesses start with a phishing attempt. Many factors can contribute to an individual clicking on a phishing email. With many organisations now working remotely, email has become a main source of communication. Users can become overwhelmed by the amount of email coming in, which can result in complacency, over-reliance on technology to capture phishing attempts, or distraction from working in a different environment.

Human factor vulnerabilities

Another consideration is that cyber criminals are exploiting human factor vulnerabilities using techniques that draw on instinctive behaviour, such as natural curiosity or a basic human desire to help others. They send role-specific phishing emails that induce fear through the consequences of non-action, or use words that create a sense of urgency in the document, such as "urgent" or "legal".

When working in an office environment, if an individual receives a suspicious email and is unsure how to take appropriate action, they immediately seek reassurance from colleagues. With remote working, this immediate collaboration is not as readily available. The following questions should be asked: Are your staff equipped and empowered to make a decision? Do you have security champions in place for queries? Do you have policies and a clear process in place, and are all staff educated on where to find the next steps after receiving a suspicious email?

Recent examples of phishing attacks

Two examples that demonstrate how attackers will manipulate trust in order to access data or extract money from organisations are given below:

The NCSC weekly threat report from 5th June 2020 highlighted that remote workers had been subject to a phishing attack that stole a user’s Office 365 credentials. The scam saw users receive an email, supposedly from their IT department, asking them to update the VPN configuration. Users who clicked on the link were taken to a fraudulent Office 365 login that looked identical to the legitimate one.

Another NCSC weekly threat report, from 4th September 2020, shows criminals attempting to trick employees into paying a fake invoice or transferring money to the attacker’s account. These requests often look plausible and demand an urgent resolution.

Building cultures of transparency to prevent phishing success

We must build a culture of transparency and lessons learnt rather than blame, so that when individuals spot suspicious activity they are empowered to follow the process and raise it as a problem. Otherwise, they may ignore it, hoping it will go away, or worse still, perceive it as “not their problem.”

If individuals are more involved from the outset and are encouraged to contribute to the company security strategy, as well as actively participating in awareness briefings, this will bring the learning to life. Take simulated phishing attacks, for example: if the session is interactive, there will be a greater level of engagement and knowledge shared from the user’s perspective. These tests can show individuals that by acting quickly they will help prevent a cyber-attack and, more significantly, how their actions and contributions add value to protecting the whole organisation.

We need to put our end users at the heart of the cyber security strategy so that everyone in the business, from board level down, knows that cyber security is everybody’s concern and responsibility. There must be an ongoing lifecycle of cyber awareness training tied into the business objectives, so that organisations are proactively and consistently educating individuals and refreshing their knowledge and awareness.

Phishing attacks will continue to rise if organisations do not take a step back and refresh their approach to cyber security awareness. The approach to the human factor of cyber security needs to be addressed with as much emphasis as the technological.

Be sure to read our next blog on Malware, Ransomware and Incident Management.



Author Bio – Dawn O'Connor

Dawn O’Connor is an associate of Nexor with an extensive business background across different market sectors including retail, local and central government and law enforcement. She is a member of the Chartered Institute of Information Security and co-chairs the Nottingham/Derby/Leicester Branch. Dawn holds the Certificate in Information Security Principles and the ISO 27001 Foundation certification.


