How Cyber Savvy Are Your Users?
The purpose of Cyber Security is to mitigate the abuse of, or indeed the destruction of your network, your applications, devices, data, or even physical assets.
Standard practice taken by organisations is to deploy several types of security technologies across their networks including hardware, software and cloud services; with successful strategies needing to continuously evolve to keep ahead of the efforts of the hacker and the latest malicious threats.
Cyber Security threats exist at every layer of the security infrastructure, with bad actors progressively establishing more sophisticated and complex malware as part of their enterprise, but despite this, one of the most common attack vectors is also one of the simplest, targeting what is probably the greatest vulnerability in the network, the human user.
95% of all cyber-attacks are the result of human error e.g. clicking on malicious URLs in e-mails, opening malicious e-mail attachments, disclosure of credentials, etc.
Year on year, investment in cybersecurity technology increases in the fight against cybercrime, but these technologies only mitigate harm to a certain extent, leaving the vulnerable human, often regarded as your weakest security link, being targeted more and more, leaving your network and mission-critical assets at risk.
Around half of cyber attacks in the UK involve phishing. One in every 3700 emails in the UK is a phishing attempt.
A robust cybersecurity awareness training program is essential in the present climate and it’s crucial for organisations to ensure their users develop the appropriate attitudes and behaviours towards cyber risks, cutting out bad habits and helping to reduce the attack surface.
A Hi-Vis vest and a ladder will get you in (almost) anywhere.
Humans are critical in cybersecurity but also have a natural disposition to trust. In psychology, trust is believing that the person who is trusted will do what is expected and being vulnerable to someone or something that appears trustworthy.
Social experiments have shown that by simply donning a Hi-Vis vest and carrying a ladder, you will be granted unchallenged access to almost anywhere you’d usually be stopped and questioned, simply because you look the part; and the same goes for phishing emails, if they look 99% right, the likelihood is they’ll be treated as if they’d originated from a trusted source.
How often do you train your users? Is it often enough?
In order to meet compliance requirements, whether it be ISO27001, PCI-DSS, or Cyber Essentials etc. many organisations still opt for the box-ticking exercise of annual cybersecurity awareness training sessions, unfortunately, these all to often prove to be insufficient, arguably increasing risk and it goes without saying, ticked boxes don’t replace stolen data or pay ransoms and ICO fines.
What do you do to address this?
To fill the gaps in knowledge of cyber risk best practice and to bolster your cybersecurity defences, the safest course of action is to incorporate a Security Awareness Training platform, giving you the ability to train your users, using knowledge assessments, regular short training courses on various security topics across various areas of risk and simulated phishing tests. This will help to raise levels of awareness and promote a fundamental change in your users, changing the way they think about security, which in turn can drastically reduce the likelihood of a successful cyberattack via Phishing.
I will be posting a new article soon around how phishing techniques are evolving and how Phishing-as-a-Service (PaaS) is on the rise, feel free to contact me if you would like to discuss this area in more detail – Stu Imrie, Senior Account Manager (simrie@it-b.co.uk)