Many businesses are worried about how to keep the lights on in the current economic climate and are fully occupied with responding to the needs arising from the COVID-19 pandemic. As an IT leader, you have your hands full with business continuity and ensuring that your users are able to work from home successfully.
But did you know that cyber criminals ramped up phishing attacks by over 667% in March 2020 alone?
With the bad guys knowing that your untrained users are the weakest link, it is more important than ever to add security awareness training and strengthen that people layer. Today’s email filters have an average failure rate of 7 to 10%, and about 30% of data breaches are caused by repeat offenders from within the organisation. Astonishingly, two-thirds of respondents report that they have never been offered the opportunity to attend a security awareness course.
When workplaces start welcoming their employees back, those employees are inevitably going to be under pressure to catch up with all their correspondence. That pressure has the potential to introduce security liabilities, particularly as workers rush through several months of unread emails. Workplaces would therefore be wise to implement technologies and training that can mitigate the risk of phishing.
Understanding the threat
According to a recent study by Osterman Research, email is the top attack vector into businesses, with malware infections impacting 67%.
The primary email-based attack vectors into organisations are:
- Phishing
- Spear-phishing
- Executive Whaling
- CEO Fraud
Antivirus software, still considered the primary defence, is struggling under the sheer volume of threats. Currently, about two million malicious programmes are detected every week and at the very least, a few percent of attacks will be missed by AV.
This doesn’t mean that traditional defences like AV should be discarded. They all play their part and make it harder for the bad guys to succeed. What it takes is using any and all of the available security technologies and strategies as part of a robust and layered defence. But they must be augmented by what Osterman Research considers the ‘first line of defence in any security infrastructure’ – the users themselves.
The root cause of most incidents is the action of users. Aberdeen Group concluded that investment in effective security awareness training reduces the risk from the financial impact of phishing by 60%.
To some, the concept of a human firewall may appear naive. After all, survey after survey reveals just how gullible users can be. To make matters worse, C-level executives have been found to be some of the biggest culprits when it comes to opening suspicious emails. Another survey showed that 96% of executives failed to tell the difference between a real email and a phishing email.
It’s easy to dismiss security awareness training, but the problem is not with the concept of user training itself but rather with the way it is executed.
Here are some of the ways it is traditionally carried out:
- Do nothing and hope for the best
- Break room training
- Monthly security videos
- Phishing tests
People need to be put in a real-life situation where they will have to make a decision that will determine if the organisation gets breached or not. Phishing simulations should prompt users to either click a link, report the phish, or do nothing. If they do fall for the phish, you want the ability to perform training then and there to create a learning moment.
The proven best practices for Security Awareness Training are designed to add a layer on top of existing firewalls. The goal is to establish an effective human firewall of informed, educated and phish-savvy employees.
In conclusion, despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. It is obvious that IT security must be significantly improved on all fronts. The returning tide of workers from furlough could be the next big ‘clickers’, allowing this rising tide of phishing attacks into your business just as the green shoots of recovery show themselves.
If you would like to know more, visit us at www.acs365.co.uk/cyber-security