Employees Are the Weakest Link in Computer Security – How to Help Them Stay Safe
Fast, cunning and ever adaptable, cybercriminals consistently find ways to infiltrate your security systems and get at your data.
Their best bet? Your employees.
How great is the threat? The APWG (Anti-Phishing Working Group) reported that the number of phishing websites it detected jumped a startling 250 percent between October 2015 and March 2016. Twenty million new malware samples were detected.[i]
Phishing attacks loaded with malware will come across the desktop of someone you know. Guaranteed.
The last thing your employee wants is to let the cybercriminals in, but the sophisticated social engineering tactics now in use make it a challenge to tell what is legitimate from what is a scam.
Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. It is a key part of criminal activity and an important step in phishing campaigns.
So what should you, as a business owner, do to protect that employee entry point?
Here are some recommendations:
- Identify the enemy: Netcetera published an excellent document, Tips on How to Detect Phishing Scams, identifying red flags everyone should be aware of. Reviewing these with your employees should be at the top of your priority list.
- Sophos, an industry leader in security products, strongly recommends routine security training and awareness. The Sophos team has a multipronged approach for its own employees, including:
  - Phishing testing once a month
  - Password audits to ensure passwords are complex enough to withstand cracking
  - Circulating information about the latest risks and scams as they surface
  - Publishing blog posts and banners and putting up office wall posters with reminders, solutions and examples of scams
- Datto, a provider of backup, recovery and business continuity solutions, identifies 5 types of social engineering attacks, all of which your team should be aware of and watch out for:
  - Phishing: Most phishing scams demonstrate the following characteristics:
    - Seek to obtain personal information, such as names, addresses and social security numbers.
    - Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
    - Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
  - Baiting: Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.
  - Pretexting: A form of social engineering in which an individual lies to obtain privileged data. A pretext is a false motive.
  - Piggybacking or tailgating: These attacks involve someone who lacks the proper authentication following an employee into a restricted area.
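The three phishing characteristics listed above (requests for personal data, shortened or disguised links, and urgency language) can be turned into a simple screening check that a mail gateway or a training exercise can apply to an incoming message. The Python below is an added example, not code from Netcetera, Datto or Sophos; the shortener list, urgency terms and the two sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicator lists built from the three phishing characteristics above
# (personal-data requests, disguised or shortened links, urgency/threats).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
URGENCY_TERMS = ("immediately", "within 24 hours", "account will be suspended",
                 "act now", "final notice")
PERSONAL_DATA_RE = re.compile(
    r"\b(social security number|ssn|date of birth|password|credit card number)\b", re.I)
# HTML anchor: capture the real destination (href) and the text the reader sees
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def _host(url):
    """Lower-case hostname of a URL with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(message):
    """Return the list of red flags found in an email body (HTML or plain text)."""
    text = message.lower()
    flags = []
    if PERSONAL_DATA_RE.search(message):
        flags.append("requests personal information")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency or threat language")
    for href, shown in ANCHOR_RE.findall(message):
        if _host(href) in SHORTENERS:
            flags.append(f"link shortener: {_host(href)}")
        # Visible text looks like a URL but the link actually goes elsewhere
        shown_urls = URL_RE.findall(shown)
        if shown_urls and _host(shown_urls[0]) != _host(href):
            flags.append(f"link text shows {_host(shown_urls[0])} but goes to {_host(href)}")
    # Bare URLs outside any anchor can also be shortened
    for url in URL_RE.findall(ANCHOR_RE.sub("", message)):
        if _host(url) in SHORTENERS:
            flags.append(f"link shortener: {_host(url)}")
    return flags


# Constructed sample messages (not real emails) used for the demonstration.
SUSPICIOUS = ("Dear customer, your account will be suspended within 24 hours unless you "
              "verify your social security number at "
              '<a href="https://bit.ly/3xYzAbC">https://www.examplebank.com/verify</a>.')
BENIGN = ("Hi team, the Q3 planning notes are on the intranet: "
          '<a href="https://intranet.example.com/q3-notes">intranet.example.com/q3-notes</a>. '
          "No action needed before Friday.")
```

Running `phishing_indicators(SUSPICIOUS)` reports all four flags, while the benign message produces none; a keyword screen like this catches the crude cases and is a complement to training, not a replacement for it.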
Datto recommends that a solid backup and recovery solution be in place in the event of a successful attack, and offers a free Cybersecurity Toolkit for SMBs that includes tips for setting up a cybersecurity training program.
Social engineering is effective because it preys on our inherent weaknesses. Without proper training, it is tricky to prevent.
If you have any questions, please contact us at 604-980-2700 X 300 or by e-mail at smula@netcetera.ca. We will get back to you as soon as possible.
[i] http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf