If you think the biggest threat to your security is aimed at your anti-virus, spam filters, and firewalls, you’re wrong. Your biggest threat is all around you. Down the hall. In the office next door. Even at the water cooler. Your biggest threat is your people.
Attackers still try to break through technical controls, but they have learned that the easiest way in is to exploit human error.
What the Data Says:
Proofpoint is an industry cybersecurity leader that implements next-generation protection. They serve top global retailers, banks, pharmaceutical companies, research universities, and many companies listed on the Fortune 100.
Proofpoint’s The Human Factor 2018 report found a few key things:
- Email is still the number one entry point into your company
- Attackers focus less on breaking in through technical weaknesses and more on your people
- Social engineering is the execution tactic of choice
Exploiting human error is the most common (and easiest) way to gain entry into otherwise well-secured systems.
Phishing: The Entry Points and Repercussions
Phishing is a targeted attack that usually arrives by email and relies on social engineering: the more convincingly the message is tailored to its recipient, the more likely it is to succeed.
According to Proofpoint’s State of the Phish report, 83% of surveyed respondents confirmed phishing attacks in 2018. The most commonly reported consequences of a successful phish were:
- Financial loss
- Compliance issues
- Increased IT burden
- Damaged reputation
- Unplanned spending on new technology and additional security controls
- Customer outrage and loss of business
When you wrap all of these damages up, it’s not hard to see how a small-to-medium-sized business could quickly go belly up. Practice prevention early, train thoroughly and know where potential threats lie.
Phishing Strategies That Work
The same report lists the lures that work best:
- Subject lines or requests demanding urgent attention
- Notices that a plan or document has been updated
- Invoice payment reminders (typically past due)
- Unclaimed money (property, checks, etc.)
These lures work by triggering an instinctive, emotional response before the recipient stops to think: “Oh no! I didn’t pay something! I should hurry up and do that!” or “I won something and I should grab it now!” From the outside they look like obvious ploys, but attackers do their homework. They mine public and social-media activity for details that make the pretext plausible, so the deceit is easier to overlook.
The Best Way to Keep Hackers Out…
…is to train your people. At all levels. From entry-level employee all the way up to the C-suite (executives are targeted more often precisely because they tend to have broad access to confidential information).
1. Security Awareness Training
Test every phishing format: link lures, credential (login) lures, and attachment lures. Companies often favor link-based tests and spend less time on credential and attachment formats, yet those must not be overlooked. If you lack the tooling in house, use an IT service provider that has it, or hire a local firm that specializes in security.
Attachments can carry malware that runs as soon as the document is opened (or as soon as the recipient enables macros), then steals information or gives the attacker control of the device and, from there, the network.
Credential lures are especially damaging when, as in most companies, passwords are weak or reused across multiple systems: one phished password then unlocks several accounts and the sensitive data behind them. Multi-factor authentication limits how far a stolen password can be used.
Vary the sender persona as well as the format: simulated messages should appear to come from inside the company, from a customer, from a cloud service, or from a commercial vendor. The more varied and frequent the training (within reason), the better your odds of building a workforce that recognizes and reports phishing before it does damage.
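As an added example (not code from the original post or from any vendor product), the Python script below plans a simulation campaign over the full lure-type by sender-persona matrix, scores an exported result set per lure type and per persona, and flags both combinations that were never tested and users who failed repeatedly. It assumes a simulation platform that can send one template per (lure, persona) pair and export one row per recipient with the action taken; the field names, the actions counted as failures, and the sample rows are constructed for this example.

```python
"""Coverage and scoring for a phishing-simulation programme.

Added example for this post, not code from the original or from any
vendor tool. It assumes a simulation platform that can send one template
per (lure type, sender persona) pair and export one row per recipient with
the action that recipient took; the field names below and SAMPLE_EVENTS
are constructed for this example.
"""
from collections import Counter
from itertools import product

# The three lure formats the post says must all be tested.
LURE_TYPES = ("link", "credential", "attachment")
# The four sender personas the post says the messages should imitate.
PERSONAS = ("corporate", "customer", "cloud", "commercial")

# Which recipient actions count as a failure for each lure type (assumed
# action names). Merely opening the mail is not a failure; "reported" and
# "ignored" never are.
FAILURE_ACTIONS = {
    "link": {"clicked"},
    "credential": {"clicked", "submitted"},
    "attachment": {"opened_attachment", "enabled_macros"},
}

# Constructed export rows: one per recipient per simulated message.
SAMPLE_EVENTS = [
    {"user": "alice", "lure": "link",       "persona": "corporate",  "action": "clicked"},
    {"user": "bob",   "lure": "link",       "persona": "corporate",  "action": "reported"},
    {"user": "carol", "lure": "link",       "persona": "cloud",      "action": "ignored"},
    {"user": "alice", "lure": "credential", "persona": "cloud",      "action": "submitted"},
    {"user": "bob",   "lure": "credential", "persona": "cloud",      "action": "clicked"},
    {"user": "carol", "lure": "credential", "persona": "cloud",      "action": "reported"},
    {"user": "dave",  "lure": "attachment", "persona": "commercial", "action": "opened_attachment"},
    {"user": "alice", "lure": "attachment", "persona": "commercial", "action": "reported"},
]


def build_campaign(lure_types=LURE_TYPES, personas=PERSONAS):
    """Every (lure, persona) pair, so a campaign covers the whole matrix
    instead of the link-only tests most programmes default to."""
    return list(product(lure_types, personas))


def is_failure(event):
    """True when the recipient did the thing the lure was designed to elicit."""
    return event["action"] in FAILURE_ACTIONS[event["lure"]]


def failure_rates(events):
    """Failures, sends and failure rate broken down by lure type and by
    persona. The rate is None where nothing was sent, which is itself a gap."""
    sent = {"lure": Counter(), "persona": Counter()}
    failed = {"lure": Counter(), "persona": Counter()}
    for e in events:
        for dim in ("lure", "persona"):
            sent[dim][e[dim]] += 1
            if is_failure(e):
                failed[dim][e[dim]] += 1

    def table(dim, keys):
        return {k: (failed[dim][k], sent[dim][k],
                    failed[dim][k] / sent[dim][k] if sent[dim][k] else None)
                for k in keys}

    return {"by_lure": table("lure", LURE_TYPES),
            "by_persona": table("persona", PERSONAS)}


def untested(events, campaign=None):
    """(lure, persona) pairs that were planned but never actually sent."""
    planned = set(campaign or build_campaign())
    exercised = {(e["lure"], e["persona"]) for e in events}
    return sorted(planned - exercised)


def repeat_offenders(events, min_failures=2):
    """Users who failed at least min_failures simulations: candidates for
    targeted follow-up training rather than another company-wide send."""
    fails = Counter(e["user"] for e in events if is_failure(e))
    return sorted(u for u, n in fails.items() if n >= min_failures)


if __name__ == "__main__":
    rates = failure_rates(SAMPLE_EVENTS)
    for dim in ("by_lure", "by_persona"):
        for key, (f, s, r) in rates[dim].items():
            print(f"{dim:10} {key:11} {f}/{s} " + ("n/a" if r is None else f"{r:.0%}"))
    print("untested pairs:", untested(SAMPLE_EVENTS))
    print("repeat offenders:", repeat_offenders(SAMPLE_EVENTS))
```

On the sample data the credential lure fails at twice the rate of the link lure, and the "customer" persona has never been sent at all, which is exactly the blind spot a link-only, corporate-only programme would never surface. Tracking "reported" as an explicit action also lets you measure whether people are reporting suspicious mail, not only whether they avoided clicking.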
2. Business Risk Assessments
This simple but effective exercise quickly points out weaknesses that a competent IT team can fix. Unless IT is your company’s specialty, it is wise to outsource it to a managed service provider with the resources and experience to protect your business.
A good business risk assessment inventories the threats you face and the vulnerabilities you currently have, rates the likelihood and severity of each, and prescribes controls to prevent or contain it.
Arming your entire workforce with knowledge is the best way to prevent costly mistakes that are so easily avoided.