CYBERSECURITY THREATS EVERY EMPLOYEE SHOULD UNDERSTAND

October 9, 2015


Secure Halo

Employees are the fuel that drives organizations, but their actions can also put the brakes on success. Why? Because, not surprisingly, every employee presents a potential security threat to intellectual property, trade secrets, and other protected information. Most employees are not malicious data thieves, but their actions could inadvertently open the door to cyber attackers scanning for the weakest link.

National Cybersecurity Awareness Month highlights the need to create a culture of cybersecurity at work. In our last blog “Who Owns Cybersecurity?” we said it’s a shared responsibility, and that each person in an organization should be accountable.  Proactive awareness of potential threats is a step that individuals can take to protect their organizations. Here are three threat trends every employee should know about:

PHISHING ATTACKS can cost an organization up to $3.7 million per year and waste more than 4 hours annually per employee, according to a 2015 report by the Ponemon Institute. While many individuals know about phishing emails, they still fall for messages that trick the recipient into giving out personal or financial information, or into providing network access that is then used to exfiltrate information. It is difficult to change employee habits. Months after an attack that revealed the personal details of more than 800,000 workers, the US Postal Service tested its employees and found that a quarter of recipients clicked on a phony link in its simulated attack. On the private sector side, a CBS News/Intel Security test of 19,000 people revealed in early 2015 that 80% clicked on at least one of the phishing emails they received. As we can see, the growing sophistication of these attacks is causing havoc across both the public and private sectors – and even employees who fancy themselves relatively cyber savvy are being duped.

What should employees do to avoid this type of threat? Take part in the proactive training and awareness campaigns that corporate risk managers should be rolling out. If they’re not, push for such training. In addition, the federal government has numerous websites that may be helpful. Like Secure Halo and others in the industry, the Federal Trade Commission has been evangelizing what it takes to be safe in this new threat environment. This includes warning about the rise in application-targeted attacks (such as Google Docs, Adobe, or file sharing sites); how the commercial availability of malware has essentially industrialized and propagated these malicious acts; and the under-reported reality that an increasing number of sophisticated phishing attempts are heavily personalized and tailored to the target, and therefore more believable than ever. Remember, phishing is no longer the Nigerian 419 scam promising you great wealth. It’s a good practice to report such emails to reportphishing@antiphishing.org, a working group of security vendors, financial institutions and law enforcement agencies.

BUSINESS EMAIL COMPROMISE (BEC) is a rapidly growing and increasingly sophisticated form of cyber fraud. According to the FBI’s Internet Crime Complaint Center (IC3), more than 7,000 US companies have been victimized since late 2013 at a loss of over $740 million, and the number has spiked in 2015 alone. Often, criminals establish a foothold on a company’s network through targeted phishing or malware, then gather information from email threads about billing and invoices to create legitimate-looking requests for wire transfers that appear to come from CEOs and CFOs. The money is directed to fraudulent accounts.

The IC3 offers numerous tips to avoid being victimized, including: verify changes in vendor payment location and confirm requests for transfer of funds; be suspicious of requests for secrecy or pressure to take action quickly; use intrusion detection system rules that flag emails with suspicious addresses.
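The last IC3 tip above, flagging messages with suspicious sender addresses, is easy to illustrate. The following is an added example written for this post, not Secure Halo’s or the IC3’s own tooling. It assumes a company domain of example.com, two executive display names, and three constructed sample messages, and reports the BEC indicators the post describes: an executive’s name on mail from outside the company domain, a Reply-To that diverges from the From domain, a look-alike sender domain, and pressure language around a transfer of funds.

```python
"""Flag e-mail messages carrying the sender anomalies typical of BEC attempts.

Added example, not code from the Secure Halo post or the IC3. The company
domain, executive names and sample messages are all constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"              # assumed company domain
EXECUTIVES = {"pat lee", "sam rivera"}      # assumed executive display names
PRESSURE_WORDS = ("urgent", "confidential", "immediately", "do not discuss")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(raw):
    """Return the list of BEC indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags = []

    # An executive's display name on a message that did not come from our domain.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("exec-name-external-sender")

    # Reply-To steering replies to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append("reply-to-mismatch")

    # Sender domain within one character of the company domain, but not equal to it.
    if from_dom != COMPANY_DOMAIN and edit_distance(from_dom, COMPANY_DOMAIN) <= 1:
        flags.append("lookalike-domain")

    # Secrecy or urgency combined with a request to move money (the IC3 pattern).
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(w in text for w in PRESSURE_WORDS) and ("wire" in text or "transfer" in text):
        flags.append("urgent-transfer-request")

    return flags


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed_exec": (
        "From: Pat Lee <pat.lee@examp1e.com>\n"
        "Reply-To: pat.lee.ceo@mail-example.net\n"
        "Subject: Urgent wire transfer\n"
        "\n"
        "Please process this wire immediately and keep it confidential.\n"
    ),
    "vendor_bank_change": (
        "From: Accounts Payable <ap@vendor-example.net>\n"
        "Subject: Updated bank details\n"
        "\n"
        "Please transfer to the new account immediately.\n"
    ),
    "legit": (
        "From: Pat Lee <pat.lee@example.com>\n"
        "Subject: Q3 budget\n"
        "\n"
        "Attached is the draft for review.\n"
    ),
}


def scan_all(samples=SAMPLES):
    """Run the flagging logic over every sample and return the results by name."""
    return {label: bec_flags(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, flags in scan_all().items():
        print(f"{label}: {flags or 'no indicators'}")
```

In production this logic would sit in a mail gateway or SIEM rule rather than a script, and the look-alike check should also cover homoglyph and added-subdomain variants; the point here is that each IC3 tip maps to a concrete, testable rule.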

THIRD PARTY RISK is an area Secure Halo spends a lot of time on via our External Business Operations domain, and it is a threat that all organizations and employees must understand, since partnering is part of doing business. The recent T-Mobile breach affecting 15 million customers began with a data breach at Experian, which T-Mobile used to run credit checks on customers. Whether they’re unsuspecting portals for cyber attackers or the originators of such assaults, vendors and subcontractors now represent a growing, frequent and serious risk to organizations. Security professionals continue to overlook that risk, however, even as high-profile cases crop up in the U.S., the Middle East, Europe and the Asia Pacific region.

As the customer, a company has the ability to choose which vendors it wants to hire. A significant part of that decision should hinge on the vendor’s answers to questions about its security policies and controls. Further, if a vendor will need access to the company network, preventive measures such as segmentation should be discussed, as should other defense-in-depth areas, such as access controls, data layer controls, and a serious look at the language contained in service level agreements.

The one constant in the world of cyber is that the threat is continually evolving. While it’s impossible for every individual to stay on top of every threat, making cybersecurity awareness part of organizational culture can go a long way toward reducing susceptibility to victimhood in the first place.
