A decade ago, an anti-virus solution, firewall and some DLP were thought to be more than enough to prevent threats from damaging your organisation. However, today’s threats are far more sophisticated, and rely on your company’s most valuable assets to succeed – your employees.
Without intending to, an employee can cause major harm to your organisation by falling victim to phishing and social engineering, says Robert Brown, MD of DRS.
“How many of your staff would recognise a phishing email if they saw one? Social engineering, which attacks the human factor, is posing a serious risk to businesses. Clever cyber crooks use these methods to trick their targets into giving them access to confidential information such as login credentials, credit card numbers, or account details.”
He says over and above the legitimate-seeming phishing emails that we have all been sent multiple times, threat actors are now using social media and other popular platforms to launch their attacks.
“These schemes are targeting employees within the organisations in the cyber criminal’s crosshairs, and businesses need to be aware of the risks, and take steps to avoid this scourge. Although most companies have spent a fortune on security tools and measures such as IPS and AV, these tools are not enough to mitigate the risk of social engineering attacks. In fact, they do little to address the human factor at all.”
There are several ways to raise awareness of the human element and make your employees more ‘security savvy’, he says.
“Start by establishing an information security programme, and there are several aspects to consider when developing it. For businesses without a programme in place, or as a minimum benchmark for those with existing programmes, it must contain certain elements, such as meeting compliance requirements, addressing the fast-changing information security threat landscape, and reinforcing the company’s business culture.”
Establishing and maintaining information security awareness through a security awareness programme is crucial to any company’s progress and success, he adds. “A robust and properly implemented security awareness programme will help the business with the education, monitoring, and ongoing maintenance of security awareness within the company.”
A successful security awareness programme should also include getting a security awareness team together, as well as security training, role-based security awareness, and the communication of security awareness to and within the business. “It helps here to get a checklist together, to help the company when developing, monitoring, and maintaining a security awareness training programme for employees.”
Another helpful tool, says Brown, is social engineering phishing testing, which can help an organisation pinpoint any vulnerabilities and monitor the effectiveness of its information security training, procedures and policies. These tests would see fake links sent to various employees. Those who click on the link could be redirected to a Web site with information and training resources about phishing. Results would be collated and reported to the security training team.
“At the end of the day, the more aware your employees are, the less likely they are to fall foul of social engineering techniques. Over and above testing, there are several tips you should offer your staff to help them be more conscious of information security.
“Firstly, don’t open any suspect links or emails. Check any links by hovering your mouse pointer over the link, as this will reveal the true link. Scrutinise any company names for small errors like transposed digits or misspellings, as these are designed to work because they are not usually inspected too closely. Also, be leery of email attachments, even if they appear to be from a trusted source.”
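The two checks in that advice, reading the real target behind a displayed link and spotting small spelling tricks in its domain, as an added Python example that is not part of the article (the trusted-domain list and the look-alike character map are constructed assumptions):

```python
import re
from urllib.parse import urlparse

# Constructed list of domains the organisation treats as legitimate (assumption).
TRUSTED = {"example-bank.com", "example.com"}

# Characters commonly swapped for look-alikes in fake domains (assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def host_of(text):
    """Lowercase host of a URL or bare domain, without a leading 'www.'."""
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so swapped characters count as one change."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def normalise(host):
    """Replace look-alike characters so '1' in 'examp1e' reads as 'l'."""
    for bad, good in HOMOGLYPHS.items():
        host = host.replace(bad, good)
    return host

def analyse_link(display_text, href, trusted=TRUSTED):
    """Compare the visible link text with the real href, then test the real
    domain for transpositions, misspellings and look-alike characters."""
    real = host_of(href)
    looks_like_url = re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", display_text.strip(), re.I)
    shown = host_of(display_text.strip()) if looks_like_url else None
    reasons = []
    if shown and shown != real:
        reasons.append(f"displayed link shows {shown} but target is {real}")
    if real and real not in trusted:
        for t in trusted:
            if normalise(real) == t or osa_distance(real, t) <= 2:
                reasons.append(f"{real} looks like trusted domain {t}")
    return {"real_host": real, "suspicious": bool(reasons), "reasons": reasons}
```

Run over the links in a suspect message, the `reasons` list is what a training page or report would show the employee who clicked.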
Finally, he says, realise that your staff are your organisation’s greatest vulnerabilities in the face of a growing and changing cyber threat landscape. “However, with thorough security training, they could become your company’s best defence too.”