Cybersecurity breaches take us away from our core business, cost money, take time to resolve, and can be damaging to reputation. So, it is important to make sure you have battened down the hatches by putting measures in place to avoid a cybersecurity breach.
Avoiding a cybersecurity breach is as much about good housekeeping as it is about technology. Here, we look at some industry acknowledged best practices on protecting your organization against cyber-attacks.
Cybersecurity Attack Prevention 101
Cyber-attacks come in many guises, but one thing is true. In some form or another, cybercriminals need a human being to press the big red “don’t press” button.
At some juncture in the life history of a cyber-attack, someone somewhere has made a misstep. This could be a misconfiguration of a database setting, leaving it vulnerable, or, as is common, clicking a malicious link in a phishing email.
There are some basic principles of cybersecurity 101 to consider putting into practice:
Be aware of the tricks of the cybersecurity trade
Because the human-factor is so key in making cybersecurity attacks work, the fundamental best practice is security awareness.
Make sure that all of your staff, from board level to the IT department to the shop floor, are aware of the tricks that fraudsters and other cybercriminals play.
In 75% of cases, organisations found that employees simply did not understand what best practice was when it came to correct behaviours in cybersecurity and data privacy.[1]
Security awareness training offers a series of teaching aids that engage your staff in the subject of cybercrime. However, not all security awareness training is equal. The training can be dry and, frankly, boring. An effective training package must be fun and highly interactive. This allows your organisation to create feedback loops, giving you information on how successful, or not, the training is. This feedback is also vital in recognising which employees and which types of cyber-attacks are most likely to cause issues in your company.
Put strong and robust authentication in place
Cyber-attacks often depend on getting access to something. This is often done through phishing emails or texts (SMShing).
Often, those with high privileges, allowing them access to resources like databases and servers, are spear-phished, i.e., they are targeted with tailored phishing messages that look real. The result is a stolen credential, usually a password. The use of phishing and stolen credentials for cybercrime is backed up by evidence from the 2019 Verizon Data Breach Investigation Report (DBIR). The report found that phishing and stolen credentials accounted for 29% and 32% of breach causes, respectively.[2]
Wherever possible, ensure that password policies follow good guidelines as advised by the UK’s National Cyber Security Centre (NCSC). And, if available, add in at least a second factor; typically this will be an SMS text or other mobile code. If appropriate, use risk-based authentication, which applies stricter login requirements if the login is deemed to be riskier.[3]
Form good network cyber-hygiene habits
Back up the good work of employee security awareness training with good practice across your extended network. That is, from your servers down to the mobile devices staff use at work. Look at:
- Good practice policies for ensuring the principles of good security are followed when configuring databases and access to apps
- Prompt security patch application across the network
- Knowing your data lifecycle – where it is generated, stored, and transmitted from and to
- A secure, ransomware-resistant backup
Tools of the security trade
In addition to having good network hygiene habits, you will need the tools of the security trade to back these up. Tools such as:
- Spam filters
- Encryption
- Web application firewalls
- Anti-malware protection
- Endpoint Detection and Response (EDR) tools
Ultimately, avoiding cybersecurity breaches is about having all of the above structures in place. No single solution is a silver-bullet. But used together, they form a strong defence against a cyber-attack.
How to Avoid Phishing scams
Phishing scams are still the most popular cyber-attack method because they work. You cannot avoid them using technology alone. Whilst spam filters can prevent some phishing emails from getting through, cybercriminals are an inventive lot. They continually look at ways to circumvent spam filters. For example, phishing emails with malicious links are often caught by spam filters, so the fraudsters use an attachment instead – the attachment containing the malicious link.
The best way to avoid a phishing scam is to teach your entire workforce about what phishing entails and how it works.
Phishing Mechanisms
Types of phishing techniques used:
- Emails that contain malicious links – clicking on the link goes to either a malware-infected website or attempts to steal sensitive and/or financial data from the individual.
- Emails that contain a malicious attachment – the attachment may be infected with malware or contain a malicious link to a spoof site
- Text messages that contain malicious links (SMShing)
- Mobile app messages, e.g. using WhatsApp, that contain malicious links
- Voice calls to extract information and/or elicit a financial transfer to a fraudster’s bank account (Vishing)
- Social media posts that contain malicious links
Spear Phishing
Spear phishing is a highly targeted form of phishing. The cybercriminals behind the phish will have surveyed your organization and know who to go after. Typically, this will be a system administrator or someone in the finance department. The phishing email or vishing call will use this intelligence to execute the phish, stealing data or login credentials, or initiating a money transfer to a fraudster’s bank account.
As you can see, virtually any communication method used in the modern digital world is exploited as a means to carry out phishing. Any security awareness training package must acknowledge all of these methods. Security awareness training should also be a regular event, as cybercriminals are very good at keeping up to date with any changes in the digital landscape.
Phishing Tricks and Tell-Tale Signs
Things to watch out for that are giveaways of a phishing scam:
- Poor grammar and spelling: Phishing emails, in particular, are often badly composed and have spelling mistakes. Phishing emails typically use well-known brands to trick users into trusting the email. Well-known brands are usually very exact in the language they use. So, poor grammar and spelling are dead giveaways of the phish.
- Urgency and/or warnings galore: Fraudsters play on human fear by using warnings in the phishing emails. Typical examples include a security issue with an online account or loss of access to a bank account. The phishing email then prompts you to click a link or download and open an attachment to fix the issue.
- Rewards, offers, wins, and vouchers: Another fraudster ploy is to trick you into thinking you’ve won something or are the beneficiary of a great “must not miss” offer. Other similar ruses are tax-owed phishing emails.
- Trust in brands: Often, all of the above tricks are wrapped up in a well-known branded email. Typical brands loved by cybercriminals are PayPal, Microsoft, Amazon, and local tax departments like the Inland Revenue in the UK.
- The big event: Phishing emails often coincide with events. Tax season, for example, usually sees a flurry of tax-related phishing scams. Other events, such as Black Friday, will see phishing emails and texts offering amazing discounts, with a ‘click here’ to redeem a voucher, and so on.
Other checks to see if the email is phishing you:
- Is the salutation personalised? Remember, fraudsters can take your email address and make it look more personal, e.g. smith@myemail.com would become “Dear john.smith”
- Is the sender’s email address suspicious – does the domain in the email address look real? Remember, fraudsters can make domains look almost like the real one, e.g., name@microosft.com (a small misspelling like this can easily be missed unless you are vigilant)
- If you hover your cursor over a link, does the URL it points to look suspicious?
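As an added example (not part of the original article), the following Python script applies three of the checks above to a constructed message: a sender domain one or two letters away from a known brand, link text that shows one address while the link actually points elsewhere (the ‘hover over the link’ check), and urgent wording. The brand list, the urgency phrases and the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Brand list and phrases are constructed for this example, not taken from the article.
KNOWN_BRANDS = ("microsoft.com", "paypal.com", "amazon.com")
URGENCY_WORDS = ("urgent", "suspended", "immediately", "verify your account")
# Captures href and visible text of each link; adequate for this sample, not a full HTML parser.
LINK_RE = re.compile(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to catch small misspellings of a brand domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(domain):
    """Return the brand this domain imitates (1-2 edits away, e.g. microosft.com), else None."""
    for brand in KNOWN_BRANDS:
        if domain != brand and edit_distance(domain, brand) <= 2:
            return brand
    return None

def phishing_signals(sender, html_body):
    """Return the tell-tale signs found in one message (an empty list if none)."""
    signals, sender_domain = [], sender.rsplit("@", 1)[-1].lower()
    brand = lookalike_brand(sender_domain)
    if brand:
        signals.append(f"sender domain {sender_domain} resembles {brand}")
    for href, text in LINK_RE.findall(html_body):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:  # the 'hover over the link' check
            signals.append(f"link text shows {shown} but points to {real}")
        elif real and lookalike_brand(real):
            signals.append(f"link host {real} resembles {lookalike_brand(real)}")
    if any(w in html_body.lower() for w in URGENCY_WORDS):
        signals.append("urgent or threatening wording")
    return signals

# Constructed sample message exhibiting three of the signs listed above.
SAMPLE_SENDER = "security@microosft.com"
SAMPLE_BODY = ('<p>Your account will be suspended. Verify immediately:</p>'
               '<a href="http://login-check.example.net/verify">https://account.microsoft.com</a>')
if __name__ == "__main__":
    for s in phishing_signals(SAMPLE_SENDER, SAMPLE_BODY):
        print("WARNING:", s)
```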
Other Types of Cybercrime Scams
Whilst email phishing is a major scam type, there are many other phishing scams. Teaching your staff about these scams can help both them as individuals as well as your organization.
Vishing
This is a phone call version of phishing and is popular for financial theft. Whilst it has been more associated with individuals at home, vishing has found a home in the scam of Business Email Compromise too. Here, a fraudster will pretend to be a high-level executive of a company and trick an employee, usually someone in accounts payable, into completing a money transfer (into the fraudster’s account).
To avoid being a vishing victim, your organisation should:
- Teach employees about vishing and why it is a serious threat
- Explain the tactics used by vishing fraudsters to trick you into believing it is a legitimate call. These can include:
  - Using a spoofed phone number that looks like the real number
  - Leaving a voice mail if you don’t answer. Sometimes, depending on the type of vishing scam, the voice mail message may threaten police action.
  - Pretending to be from your bank (a vishing bank scam). The caller may say you have an issue with your account, and that you must transfer money to a ‘safe’ account to prevent a mishap.
  - Leaving the line open so that, even if you hang up and attempt to call the real number to check the call, that call will be intercepted. In effect, you will be back in the hands of the fraudster.
General Tips to Avoid Vishing
- Step back and take a deep breath. The caller will try to create a high-level of ‘fear, uncertainty, and doubt’ in your mind.
- Never give out financial or personal details on a phone call unless you are 100% sure the caller is legitimate.
- You can always call back from a separate line to double-check the call legitimacy. However, BE AWARE, if you call from the same phone, the fraudster may have kept the line open and you’ll be talking to the cybercriminal.
- Make sure that you have an email address and phone number recorded with your bank so they can send you messages if any unusual bank activity occurs.
- At work, have procedures in place for money transfers, for example, if a transfer is over £x, use a double-check system before the proceed button is pressed.
- Avoid oversharing online. Fraudsters trawl social media and other sites to find out information on their targets.
Social Media Phishing
Increasingly, social platforms are being used as ways to phish people. Social media platforms, from Facebook to LinkedIn to TikTok, are being used to perpetuate cybercrime, including as a way to send out phishing messages. Watch out for these tricks on social media to help avoid being a social phishing victim:
- Shortened URLs. These shortened versions of web addresses are being used to trick users into thinking they are legitimate.[4]
- Impersonation of famous people and brands. Used on social media to instil trust and encourage followers to click links or give personal information
- Trawling for data. People often put personal data including full name, date of birth, even phone numbers in public forums. Cybercriminals trawl for these data to perpetrate cybercrimes.
- Money mule recruitment. Social platforms like Instagram are used to trick people into becoming a money mule. The fraudster will offer hundreds of ££ if you allow them to use your bank account to do money transfers. In 2019, Europol made 228 money mule arrests preventing around £12 million in losses.[5]
Whatever flavour of phishing and cybercrime you are attempting to prevent, the starting point must be awareness. Understanding the tricks of the cybercriminal trade gives you advance warning that you are being scammed. Putting best practices like security awareness training in place will help you to fight against the fraudsters’ tricks and keep your employees and company cyber-safe.
[1] MediaPro: https://pages.mediapro.com/2018-State-of-Privacy-Security-Awareness.html
[2] 2019 Verizon Data Breach Investigation Report: https://enterprise.verizon.com/en-gb/resources/reports/dbir/
[3] NCSC: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
[4] Page, S., et al., Using URL Shorteners to Compare Phishing and Malware Attacks: https://docs.apwg.org/ecrimeresearch/2018/5351273.pdf
[5] Europol: https://www.europol.europa.eu/newsroom/news/228-arrests-and-over-3800-money-mules-identified-in-global-action-against-money-laundering