I can answer the question in the title in one word: Very.

But of course, anyone with any sense should ask – OK, go on, prove it then. So, I will try to.

Let me leave this here before I go on to give some evidence about the importance of security awareness training.

In the first half of 2019, there were 4.1 billion data records breached. In the same period in 2018, there were around 3.5 billion exposed records. By anyone’s standards, that’s a lot. Not all were cybercriminals hacking into databases. Many were accidental exposures, lost laptops, inadvertent emails sent out, and so on.

The state of cybersecurity today is a mess. What is often true in life is that the simplest of ideas can be the most effective. Enter, stage left, security awareness training.

Where security touches employees, deeply

Security, back in the olden days, say in 1995, was something that was pushed over to a geek in the server room. The geek (I say that as a fellow geek) would sit, warming hands over a hot server while contemplating when to do an update that would cause most annoyance to the employees.

When the network reached out into the wider internet, things changed. Cybercriminals upped the ante and cyber-attacks for the masses began. Employees became a target. By then, we were all connected up via email and websites. This was when we all became security woke; this was when the awareness penny dropped into place.

In a recent report by Proofpoint, they point out that 99% of cyber-attacks need human intervention. What does this mean?

  • Phishing: A human has to click a malicious link or download a malware-infected attachment for the attack to begin. This then leads to the loss of personal data or even the loss of login credentials that expose a whole database of data.
  • Accidental exposure: A human has to accidentally leave a laptop on a train or send an email with personal details to the wrong person.
  • Security negligence: Sharing passwords is more common than you might think. Around 19% of company passwords are easily compromised because they are either shared or weak. Reuse of passwords is another area of concern. A study showed that 52% of people reuse their passwords for multiple services.
  • Misconfiguration: In 2018, 70 million of the exposed records were due to system admins not setting up cloud databases and servers correctly. Often, this is down to just not thinking with a security hat on.

Putting the security hat on with security awareness training

To counterbalance all of the human touchpoints of the cybersecurity horror show, we have to turn to education. When I was a kid, I was taught how to cross the road without being killed. There were some excellent adverts on the telly at the time with a cute little fella called “Tufty”. Those short little TV videos worked wonders. My 7-year-old self remembered the words of Tufty when I went to cross the road and I’m here to tell the tale.

Security awareness training is similar to the training we got as kids to stay secure when crossing the road or talking to strangers and so on. It is an adult version of the security training we got as kids.

Security awareness training works by addressing a number of areas that cause security vulnerabilities. This includes phishing, security hygiene, etc. The training teaches everyone across the organization about the danger zones and gives them a security hat they can wear in everything they do.

Effective security awareness training works with your employees to engage them in interactive sessions. It makes security awareness fun and in doing so makes it memorable.

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

A recent report into security awareness amongst employees found that 75% of organisations had a serious problem understanding best practice for correct behaviour in cybersecurity and data privacy.

We said earlier that 99% of cyber-attacks require a human being to start the process that will result in a data breach. Compound this number with 75% of organisations not knowing how to prevent this, and you have yourself the perfect environment for cybercriminals to operate in.

This, in a nutshell, is why education in the form of security awareness training is vital. Your people are your best chance to protect your company. Make the most of our natural instinct to stop being made a fool of. No one wants to be the person who pressed the big red button and let the cybercriminal in. Using an effective security awareness training package empowers employees to make the right security decisions. The old adage “knowledge is power” is never truer in the current security climate we find ourselves in.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series


Before I begin, I apologise in advance for using the B word. Even Sky News has shied away somewhat from mentioning Brexit, creating a special Brexit-free News Program. But it would be remiss of The Defence Works not to address the ol’ Brexit and data conundrum debate…but is Brexit and the GDPR a conundrum wrapped in an enigma, or nothing much to worry about?

Will leaving the EU make even the slightest difference to the way we have to protect data and adhere to data protection laws like the GDPR?

If you can cope with the use of the B word, please read on as I attempt to find answers on this pressing subject.

Brexit and Data Protection Are Not Mutually Exclusive

As far as we, as consumers and as businesses, are concerned, leaving or staying in the EU should have little bearing on how we treat personal data. Any piece of information that can be used to identify us should be held sacrosanct. A Cybercrime Report from ThreatMetrix gives a useful insight into the situation regarding data and cybercrime. ThreatMetrix looked at billions of transactions, both mobile-based and online, and worked out that the data breaches we have seen in recent years are feeding data back into the cybercrime network. These data are then used by cybercriminals to commit fraud, either using a synthetic identity (i.e. mixing and matching data to make a new ID) or using the real IDs themselves.

This is happening across the world and, according to the ThreatMetrix report, across all industries. Stolen data opens up opportunities for further fraud. So, protecting data, regulations or not, Brexit or no Brexit, should be a fundamental part of any business.

Back to Brexit, where do we stand in terms of data protection? Does it matter if we stay or if we go?

GDPR if the UK Stays in the EU?

The EU’s data protection regulation, the General Data Protection Regulation (GDPR), is arguably the world’s most comprehensive data privacy and protection law. It entered our business and personal lives in May of 2018, with a flurry of ‘opt in’ marketing emails from ecommerce accounts we had long forgotten we had signed up for. It has had a mixed reception, with Deloitte finding that only 35% of EU organizations are compliant with the data breach notification expectations of the GDPR.

The GDPR sets out a number of requirements to allow EU state citizens to control the processing of their personal data. Controls such as access to data, deletion of data, data portability, and so on. The regulation also expects various security measures to be used to protect personal data that is collected and processed.

If the UK stays in the EU, we automatically come under the umbrella of the GDPR as we will still be an EU state. If we do remain, any data that represents a UK citizen will come under the jurisdiction of the EU.

The GDPR sets fines as well, big ones. The largest to date was a fine of £44 million issued to Google by the French Data Protection Authority (CNIL).

Although I don’t have a crystal ball, we should probably expect to leave the EU at some point. So, let’s assume we are going to leave – what then for data protection and the GDPR?

If the UK Leaves the EU: Deal or No Deal?

If the UK leaves the EU, who will protect our personal data? Fear not, the DPA2018 is here!

The Data Protection Act 2018 (DPA2018) is a UK-based data protection directive that is overseen by the UK’s Information Commissioner’s Office (ICO). The DPA2018 has many of the same provisions for data protection as the GDPR, but it does differ from the GDPR in certain areas. For example, in terms of consent and minors, under the GDPR consent must be given or authorised by a person with “parental responsibility” for individuals aged 16 and under, whereas the DPA2018 specifies that children aged 13 or over can provide their own consent.

The DPA2018 is great for internal UK data sharing concerns. Assuming the UK leaves the EU, we still have to abide by the DPA2018 within the UK. However, there may be complications when sharing data between EU countries and the UK.

In other words, the deal is the make or break for how easily data protection shifts between an EU state and a non-EU state. The UK, deal or no deal, will have to create a contract with the EU for data sharing purposes.

Data Adequacy and the GDPR

The EU requires something called “data adequacy” when determining any data sharing contract between countries. In other words, are the data protection laws in a given country equivalent to the EU’s own data protection laws? This determines something known as an “adequacy decision”. This is integral to the GDPR and covered under Article 45.

Once the UK leaves the EU, we will become known as a “third country”. The result of this status is that the UK will go through various checks to establish an “adequacy level”. This is to ensure that any transfer of EU citizens’ personal data to the UK is compliant with GDPR privacy law.

In establishing this level, the commission will look at areas in the UK such as:

  • the rule of law
  • respect for human rights
  • relevant legislation (DPA2018, for example)
  • defence
  • national security
  • criminal law

This adequacy level will form the basis of the contract we have with the EU in doing any business between two states that is based on personal data.

No Deal or Not No Deal That is the GDPR Question

One of the reasons the GDPR came about was to create a more homogeneous data protection directive that covered all EU states. The UK came under this umbrella as an EU state itself. Now we are leaving the EU, we have to create our own contract between the EU and the UK to meet GDPR privacy regulations.

This is not the end of the world. It can be done, it is done elsewhere, the US-EU Privacy Shield contract is a case in point. Privacy Shield is a contract between the EU and the US to ensure that there is free data flow between US certified companies and the EU. But like any legal contract, a UK-EU data flow contract will no doubt be drawn out.

The alternative is for individual companies to create something called a Standard Contractual Clause (SCC). This may be a useful interim step while waiting for any country-wide contract to settle out.

And don’t forget, just because we are no longer in the EU doesn’t mean that we don’t have to comply with the GDPR. The jurisdiction of the GDPR has a long arm and Article 3 of the directive shows just how wide this scope is.

If you need further advice about the situation, the UK’s ICO has advice on a variety of Brexit scenarios for small businesses.


“I heard one cry in the night, and I heard one laugh afterwards. If I cannot forget that, I shall not be able to sleep again.” from Count Magnus by M.R. James

Are you the type of person who switches the lights off when the kids come-a-knocking at Halloween? Or, do you have your tin of sweets beside the door, in readiness when you see their eager little faces? In other words, are you a person who prepares for Halloween?

Halloween can be a fun time. Our kids, and sometimes we ourselves, dress up in crazy costumes as ghosts and ghouls to celebrate All Hallows’ Day. Dressing up for Halloween is in many ways how cybercriminals operate. These faceless ghouls, who can ruin our businesses and lives, haunt our networks with their fileless malware – invisible to many security tools. Like Halloween, we should prepare ourselves for the ghostly manifestations of the cybercriminal coven.

To help, we have gathered here today some stories of cybercrime that remind us of Halloween in their scary, spooky, and ghostly ways. By knowing what the cyber-ghouls get up to, we can use our magic wand of knowledge to make them go ‘poof’ and disappear.

A Spooky Story of Cybercrime

Do ghosts exist? In the world of cybercrime, they seem to. Cybercriminals like to work by stealth; here is the ghostly way of the threat that won’t go away:

The Advanced Persistent Threat (APT), or in its Halloween version the Maledictive Presence, uses every trick in the cybercriminal’s Halloween goodie bag. Starting with surveillance on the chosen target, they learn all they can to get into a system. Next comes spear-phishing or other methods like an infected website (a watering hole). This provides the means to infect a computer with malware. The malware is often controlled by an outside force (the cybercriminal), eventually executing across the network to locate your corporate booty (data). Like a ghost, the APT can be a slow haunting presence that sucks the life (or data) out of a company.

An APT is the Halloween gift that keeps on giving. Research has found that 64% of companies are attacked within 2 years of the first attack. Malware infection can be a persistent threat; the best course of action is not an exorcism, but not getting infected in the first place.

Abandon Hope All Ye Who Enter Here

It was a dark night and the mists rolled in, covering the graves like a dance of death. But seriously, account takeover is a big problem. Account takeover is a type of identity theft: like the Death Eaters in Harry Potter, cybercriminals come and take your digital life.

Because of all the data thefts of recent years, one of the easiest ways to perform an account takeover is to drop into the darknet and buy yourself some stolen login credentials. The average number of online accounts we each have is 150. Many of us use the same login credentials to access many of those accounts. Who wouldn’t? Remembering all those passwords would be a Nightmare on Elm Street. Akamai found that around 30 billion attempts were made to reuse stolen credentials in 2018. They also reported that in February 2019, 620 million usernames and passwords were put up for sale on the darknet.

The Ghost of Christmas Yet to Come

“It was shrouded in a deep black garment, which concealed its head, its face, its form, and left nothing of it visible save one outstretched hand. […] It thrilled [Scrooge] with a vague uncertain horror, to know that behind the mask there were eyes staring at him.”

The spectre of future crimes is always lurking. New technologies like Artificial Intelligence are opening up new opportunities for cybercrime. The latest deepfake-based CEO fraud is a portent of things to come. Although not yet fully confirmed as truly being executed via a fake voice, the CEO in question was duped into handing over around £200,000 to a cybercriminal who pretended to be the boss of the parent company. Technology is an ever-evolving game, and this has created an arms war between the cybercriminals and business. The only way to win the war is to be ever vigilant.

Watch out ZOMBIE ATTACK!

Imagine a world inhabited by the undead. This is not too far from the truth if you are a computer. An attack that turns Windows machines into zombies is coming to a company laptop near you. Microsoft has discovered a new malware type nicknamed Nodersok. The malware turns your PC into a zombie, controlled by a cybercriminal. The machine becomes an undead slave, and its fileless attack mode means it lives, like a ghost in the machine, sucking the life out of your data and your computer.

A Final Bedtime Halloween Story

What a cybercriminal can do to our identity, our businesses, our reputation, makes your skin creep. Being prepared for Halloween, either by hiding behind the curtains or having your sweet tin filled to the brim, is like being prepared for cybercrime. Security awareness training is a way to fill your sweet tin and prepare for the onslaught of modern cybercrime. The difference: Halloween sweets are loved by kids, but cybersecurity awareness is hated by cybercriminals. Modern cyber-attacks are like ghosts: they could be there but not seen. Psychics don’t work in computing, but knowledge does.

To arm your staff with the digital equivalent of garlic and a cross, you have to teach them how to spot the tell-tale signs of scams and phishing. You also have to give them the weapons of know-how. What is a robust password, what is the point of a clean desk, and so on. When dealing with the deadly spectre of cybercrime, the best weapon is to know thy enemy.

“I’d dearly like to meet you, Count Magnus,” says Mr Wraxall in the story of Count Magnus by M.R. James. The sarcophagus then begins to open…

Let’s keep that sarcophagus shut by staying cyber-safe and security aware.


In 2017, Equifax hit the headlines when over 147 million customers had their account data exposed. The attack has gone down in history as one of the most damaging; not just for people, like you and me, who had our personal data put up for sale on the darknet. No, this breach has hit home hard. Firstly, the ex-CIO Jun Ying ended up with a 4-month jail sentence for insider trading, when he sold off shares before telling the rest of us about the breach.

And now…just when it feels like it can’t possibly get worse, Equifax has done it again and shocked us with some of the worst security practices, ever!

Digging a Security Hole: Where Equifax Went Wrong

After the data breach, there were fines, including one from the UK’s Information Commissioner’s Office (ICO) for £500,000. But beavering away in the background a civil class action was being prepared. The details of this class action are available, and we have read through the shocking FAILS that led to the Equifax data breach.

Here are some of the details of the civil action file. Prepare to roll your eyes to the heavens; it doesn’t get much more horrifying in security than this.

Recognised Security Target

This is important: the action points out that Equifax was fully aware that it was a high-profile target for a cybersecurity attack. The SEC filings specifically point out:

“…it (Equifax) was regularly the target of criminal hackers, and that a cybersecurity incident could subject it to a variety of serious consequences”

The file continues stating that Equifax placed a notice on its website that the company applied:

“strong data security and confidentiality standards” and maintained “a highly sophisticated data information network that includes advanced security, protections and redundancies.”

The Plaintiff’s Claims

The plaintiff in the case sets out that Equifax’s security measures were “grossly inadequate,” and “failed to meet the most basic industry standards.”

The action also levels some eye-opening claims about how poorly managed security was at Equifax.

Patch management

Some poor individual had the lone responsibility to patch the entire network at Equifax. To make matters worse, this person didn’t have any tools to make them aware of vulnerable software. Good practice says that you should automate patching at the very least – a large organisation like Equifax had no excuse not to follow best practices.

Encryption of data and data storage

So, lack of patch management is bad enough, but Equifax didn’t even encrypt much of the sensitive data in their care.

And… wait for it…not only was data left unencrypted, but it was on a public-facing website too.

When they did encrypt data, an audit by Deloitte in 2016, found encryption keys left on a public-facing server for anyone to use – a little like leaving your house keys in the lock.

And there is more! The transmission of data over the internet wasn’t encrypted either. Equifax, this is security 101!

Any cybercriminal hacking the webserver could literally gorge on a feast of data.

Authentication

Authentication at this juncture is almost at the ‘what’s the point?’ stage. However, if you want to know how NOT to do secure login, read on.

We all know that data breaches are common. Yet Equifax used easily obtainable information, such as four-digit PINs derived from Social Security numbers (in the U.S.) and birthdays, to create passwords.

This lack of a robust password policy continues in the Equifax saga: they used the username “admin” and the password “admin” to control access to a customer portal that contained large amounts of sensitive data on credit disputes.
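Both of the authentication failures just described (a default username/password pair, and passwords built from a date of birth or Social Security number digits) can be rejected automatically at the moment a credential is set. The following is an added Python example written for this post; it is not Equifax’s code. The default-credential list, the 12-character minimum and the user profile it runs against are constructed assumptions.

```python
"""Credential policy checks against the two failures described above:
default username/password pairs and passwords built from a date of birth or
the last four digits of a Social Security number.

Added example; not Equifax's code. The default-credential list, the minimum
length and the demo profile are constructed assumptions.
"""
from datetime import date

# Constructed list of vendor default pairs; a real policy would load a fuller list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("administrator", "admin"),
    ("root", "root"),
}

MIN_PASSWORD_LENGTH = 12  # assumed policy value


def personal_fragments(dob, ssn_last4):
    """Map each string derived from the user's personal data to its source.

    Covers the common date layouts (DDMMYYYY, MMDDYYYY, YYYYMMDD, two-digit
    years, day+month only, year only) plus the last four SSN digits.
    """
    fragments = {ssn_last4: "SSN digits"}
    for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%d%m", "%m%d", "%Y"):
        fragments[dob.strftime(fmt)] = "date of birth"
    return fragments


def check_credentials(username, password, dob, ssn_last4):
    """Return the list of policy findings; an empty list means the credentials pass."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        findings.append("default username/password pair")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if password.isdigit():
        findings.append("all digits (PIN-style)")
    if password.lower() == username.lower():
        findings.append("equals username")
    # Reject any password containing a recognisable fragment of the user's
    # personal data; the fragment itself is deliberately not echoed back.
    for fragment, source in personal_fragments(dob, ssn_last4).items():
        if len(fragment) >= 4 and fragment in password:
            findings.append("contains " + source)
            break
    return findings


def demo_findings():
    """Run the checks on a constructed profile; returns {(user, pw): findings}."""
    dob, ssn_last4 = date(1980, 5, 17), "1234"  # constructed profile
    cases = [
        ("admin", "admin"),                     # the portal credentials in the text
        ("jsmith", "1705"),                     # day+month PIN from the birthday
        ("jsmith", "Summer1234!!!xyz"),         # long, but embeds the SSN digits
        ("jsmith", "Correct-Horse-Battery-9"),  # passes every check
    ]
    return {(u, p): check_credentials(u, p, dob, ssn_last4) for u, p in cases}


if __name__ == "__main__":
    for (user, pw), findings in demo_findings().items():
        print(user, repr(pw), "->", ", ".join(findings) or "OK")
```

The check returns a list rather than a single boolean so that the user is told every reason a choice was rejected, and the personal-data branch reports only the source of the match, never the matched digits.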

Security monitoring

The Equifax data breach was massive, but it could have been contained if the company had at least used simple monitoring techniques that create audit logs. Monitoring network events would have alerted IT to something odd and the breach could have been minimised at least. Instead, the cybercriminals were able to steal data over a 75-day period.

How Not to Do an “Equifax”

As it stands, in the U.S., Equifax has agreed to pay USD 575 million, and possibly up to USD 700 million. In the UK, Hayes Connor Solicitors are handling the group action and are hoping for a £100 million pay-out.

Equifax was warned about their security vulnerabilities but took no action. They even had smaller data breaches in the run-up to the big one – a clear message to batten down the hatches.

Equifax is likely to become the poster child for doing security badly. We can all at least learn from their mistakes. The security failures in the list above are a good place to start in making sure your own network is secure. But don’t forget security awareness training. Even people in the IT department need to have training that is tailored to their role. People’s awareness of security issues is your insurance policy. Well-trained staff can help to maintain good practice across all departments.


One of the fraudsters’ favourite scams is back again. The HM Revenue & Customs (HMRC) Tax Scam is doing the rounds in readiness for tax returns being prepared.

HMRC scams come and go. I had a couple of scam email versions pop into my inbox in September. Those particular examples were of the type that uses an enticing “HMRC owes you £624.39 GBP. Click here to claim your refund.”

If only…

Of course, if you do ‘click here’ you will be taken to a spoof HMRC website which requests you enter your personal and financial details to process the claim.

If you do, your information will be stolen by a cybercriminal and used to commit fraud.

Other HMRC scams use WhatsApp messages and social media posts to offer tax refunds – these are all scams and HMRC do not use those methods to contact customers.

This week’s HMRC tax scam is, however, a little different. This time it’s a brazen phone call.

What is the latest HMRC Tax Scam about?

This particular HMRC Tax Scam is phone-based rather than email. The caller pretends to be a tax inspector calling from the tax office. The caller tells you that you owe tax, and if you do not pay immediately, an arrest warrant will be issued in your name. If you do not pick up, a message with the same threat will be left on your answerphone. The latter happened to me.

You may think, who would fall for that? But people do. In 2018-2019 there were 104,774 of these calls made. If the scammers only manage to trick a small percentage of those called, it’d be worth it.

If you receive a call that is supposedly from HMRC or any other government department that is threatening, chances are it’s a scam. The HMRC website has a lot of information about what they do and don’t do, and how to recognise HMRC scams.

It is likely that as tax time comes closer, more variants of the HMRC tax scam will appear. The fraudsters use every possible method to get you to click, download, or just give up your hard-earned cash. Do not let them trick you.


Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below:


HMRC Tax Scam 2019

Phone calls that pretend to be from HMRC are being used to attempt to scam people out of money. The caller will say they are chasing up owed tax and if you do not pay a given amount immediately you will be arrested. Beware, this is a scam.

IF YOU RECEIVE A CALL THAT YOU FEEL IS FRAUDULENT HANG UP IMMEDIATELY.

For more information on what to do if you receive a phishing email or other scam, check out “What to Do if You Click on a Phishing Link?”

Don’t forget to share this with your colleagues and friends and help them stay safe.

Let’s keep breaking scams!


Cyber security training is now a standard part of basic training programmes for most organisations. Children are being taught cybersecurity at schools and, as more and more of our lives are online, it’s something everyone needs to know about. However, despite cyber security being on the menu at most mandatory training sessions, cybercrime is clearly still a huge issue. So much cybercrime is preventable, and yet data breaches and scams occur on a daily basis.

As security awareness training for employees is nearly ubiquitous, why are there still preventable security breaches? Does security awareness training even work?

The short answer is yes, with a disclaimer: not all security awareness training is created equal. An effective security awareness training programme must be regularly updated to match the pace of developments in cybercrime, and – most importantly – it has to be engaging, memorable, and truly change natural patterns of behaviour.


The Defence Works recognises the importance of staying abreast of ever-changing security concerns; see our blog for updates on the latest scams.

We’ve found that the best way to help people engage with and understand the importance of good cyber security isn’t through standing and lecturing them on how to choose their passwords, but through interactive and adaptive learning tools.

What sort of cybersecurity threats does security awareness help with?

Cybersecurity threats take many forms and are evolving as quickly as the countermeasures against them. Attacks can seriously disrupt any organisation and expose important, sensitive information. Online scams can take many forms, and they’re on the rise. The UK anti-fraud body CIFAS collected a record 305,564 scam reports in 2017. A robust cybersecurity training package can empower employees and service users to recognise and report threats. So which threats can cybersecurity awareness training help keep under control?

  • Phishing emails and scam text messages

People are used to spam emails, and less than a quarter of all emails sent actually get opened. Compare this to a huge 98% of text messages being opened and read, consider the amount of sensitive personal information on the average mobile phone, and the rise in directed SMS attacks is understandable. Email providers have developed automatic security measures which screen out a large number of fraudulent emails, though around 25% of phishing emails get past current Office 365 security protocols. The key to avoiding disaster when faced with scam messages, calls, and emails is a combination of strong, up-to-date security software and an educated, vigilant workforce.

  • Security Hygiene and Accidental Insiders

Good password hygiene is an essential part of cyber security. It’s a point that’s been driven home in every cyber security awareness training session since IT security training began. However, breach analysis found that 23.2 million users’ passwords were set to ‘123456’. Employees have been taught good password hygiene: not to write passwords down, to choose strong passwords, to change them regularly, and to have different passwords for different services – so what’s going wrong? It’s never enough to just tell people what to do; true cyber security comes from changing human behaviour long term. Learning through true understanding (by doing, with examples, repetition and reward) is how we can reinforce what people already know and make good security second nature.

How Security Awareness Training Helps Keep Your Business Safe

In a recent UK survey of 1,350 people, almost half agreed that information about staying secure online is ‘confusing’. The solution is simple, then: provide easy-to-understand information, designed with real people in mind. The most successful cybercriminals use an understanding of human behaviour, a form of social engineering, to work out how to gain trust and access protected systems and information. Effective education to combat this must also be user-centric, holistic, and realistic.

Good security awareness training encourages safe practice by changing behaviour, through interactive, fun, in-the-moment training. People learn by doing, and people learn best when they’re enjoying themselves. Our interactive video training teaches the user to recognise scams and fraud, with regular updates to follow trends in cybercrime.

Phishing simulations and roleplay enable learners to practise recognising and responding to threats safely, helping your staff to spot the tell-tale signs of phishing in the long term.

The Defence Works training also focuses on preventing ‘accidental insider’ data breaches, creating a culture where security is paramount and employees are empowered to practise good security habits, creating a safer online workforce.

The best security awareness training programmes follow principles developed with the user in mind. Research by The Aberdeen Group found that over 90% of data breaches contained a phishing or social engineering element. The risk of people falling for this kind of attack is vastly reduced by a solid cybersecurity awareness programme, with regular updates to enhance learning and to respond to the changing threat landscape. An educated workforce can be your strongest defence.


2019 has seen the largest number of data breaches yet, with a ‘higher than average likelihood’ of cyber-attacks and data theft. In fact, the number of security breaches, cyber-attacks, and amount of data lost has been growing year on year. Threats are being constantly refined and evolve to counter even the best defences.

Data is money, and data is power. The greatest vulnerabilities and targets are not necessarily financial, but those whose ramifications are measured in personal security. Targets are those organisations which hold a lot of personal data: sensitive, confidential, identifiable and crucial. Governments, local councils, schools and health authorities are all ideal targets for the data-gathering cybercriminal.

The Top Three Attacks Faced by Governments

Sensitive data is at risk from both internal and external forces, and a robust cyber security awareness training programme should give employees a comprehensive awareness of all types of attacks, with regular updates to counter the evolving threats posed to cyber security. Some of the most common threats to government cyber security include:

Ransomware

Ransomware is an insidious threat which withholds essential data from businesses, usually disrupting function until a sum of money is paid – usually in an untraceable form. UK businesses saw a 195% increase in ransomware in a year, wreaking havoc and costing time, money, and trust in businesses.

Governments, councils and other public organisations are just as susceptible to ransomware attacks as private businesses, and such attacks could cause disruption to essential public services as well as functions within the organisation – this adds an extra level of need for a timely resolution, and could increase the likelihood of the organisation giving in to the hackers and paying the ransom.

In a recent example in Texas, cybercriminals shut down operations for a number of local government offices, asking $2.5 million (approx. £2.2 million) for restoration of service. With a prompt and co-ordinated response, the attack was contained with no apparent transfer of money. Although no definite port of entry has been reported, the official response has been to step up cyber security education, ensure password hygiene, second factor authentication, and a vigilant, educated workforce.

Although the culprit entry point is not always identified or reported in the media, we do know that infected emails are still the main source of ransomware and other malware, with a like-for-like increase of 365% from 2018 to 2019. Emails are one of the biggest threats to cyber security, but with good practice this threat is almost fully eradicable. The difference between business as usual and a total shutdown could be as simple as teaching employees not to click on emails they’re not 100% sure about.

Phishing and Spear-Phishing

Spear phishing is a sophisticated, targeted method of stealing data and credentials. Spear phishers gain a deep knowledge of the practices and machinations of an organisation to work out their vulnerabilities, and use this information to create domain names and email addresses similar to those used by real employees and administrators. Spear phishing emails can be extremely convincing, and take advantage of trust between workers to gain access to sensitive data.


In the run-up to the EU elections in May, spear phishing campaigns were used by Russian cybercriminals, targeting several European governments. Domain names and email addresses were created which closely mirrored those of trusted co-workers. The intimate knowledge needed to create these fake accounts is one of the more disturbing aspects of this kind of attack, yet with regular security awareness updates, employees can be confident when identifying these threats.
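The lookalike domains described above can also be caught mechanically at the mail gateway. The following check is an added example and is not code from the original post: it flags sender domains that imitate a trusted domain by look-alike characters, a single-character edit, or by using the trusted name as a leading subdomain. The trusted domains and sample addresses are constructed placeholders.

```python
import re
from typing import Iterable, Optional

# Constructed placeholder list of domains this organisation treats as trusted.
TRUSTED_DOMAINS = {"example-council.gov.uk", "example.gov"}

# Digit/letter pairs that are easy to mistake for one another in an address.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Lower-case, fold look-alike digits, and collapse 'rn'->'m', 'vv'->'w'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def lookalike_verdict(address: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain the sender imitates, or None if trusted or unrelated."""
    dom = sender_domain(address)
    if not dom:
        return None
    for t in trusted:
        if dom == t or dom.endswith("." + t):
            return None  # genuine domain or one of its subdomains
    for t in trusted:
        if dom.startswith(t + "."):
            return t  # trusted name used as a subdomain of another domain
        if edit_distance(normalise(dom), normalise(t)) <= 1:
            return t  # look-alike characters or a one-character edit
    return None
```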

Accidental Insider Threats

Accidental leaking of data is another major issue for governments and other organisations dealing with sensitive data. Simple, non-malicious human error is still thought to be the biggest cause of data loss. The wrong address on an email, unencrypted files, even just misplacing physical equipment are all too common, and incredibly easy to prevent.

The high-profile incident in 2017 where a member of the public found a USB containing all of the security information for Heathrow airport is a case in point: why was the information unencrypted? Why was so much sensitive data on a single small, easily-misplaced physical vessel? There are a multitude of simple layers of protection that could – should – have been applied to this data which would have completely averted this potentially catastrophic security breach.

The Case for Security Awareness Training

Threats to cyber security ultimately come from people, whether faceless cyber criminals, insider attacks or just mistakes, and many vulnerabilities depend on human error or an overly-relaxed attitude to cyber security. Cybercriminals’ greatest weapon is a good understanding of human behaviour – understanding the curiosity that makes one in two users click that link in an email, the poor-quality password, or failing to set up second-factor authentication – if it can be put off until next time, it might never get done.

The greatest weapon in our arsenal against cyber-attacks is also human behaviour. With education, with understanding, and with a strong cyber security awareness training programme, our employees are our best defence system.

In their 2018 report on Cybercrime and the Internet of Threats, research consultancy firm Juniper stated that ‘all businesses need to be aware of the holistic nature of cybercrime and, in turn, act holistically in their mitigation attempts’. This means that every link in the chain of protection must be robust, and that human factors need to be recognised as paramount when it comes to fighting cybercrime. Furthermore, ‘as social engineering continues unabated, the use of human-centric security tactics needs to take hold in enterprise security’; real people, the workforce, have the potential to be either the weakest or the strongest part of cyber defence.

The best way to reduce the risk of human error is to enable your workforce to make that difference, to help them feel confident both in their own online presence and in the event of an attempted cyber-attack. Education and regular updates mean a competent, vigilant and empowered workforce: your greatest defence.
