Users can be a weak link in an organization’s overall cybersecurity defence effort, but they are a vital part of the business ecosystem. As cybersecurity professionals, it has long been our job to recognise the traps and pitfalls that litter the Internet. However, many users remain unaware of the risks.
Securing an organization requires many layers of protection. However, some threats appear so fast that despite our best preparations and intentions, something still has a chance to slip through undetected.
Users are naturally inquisitive. Arming them with pertinent, timely information bolsters the organization's cyber defences and helps it stay one step ahead. Increased awareness and knowledge leave them better prepared when something does get through.
Threats appear in many different forms. Common ones are phishing attacks that try to steal credentials (these may target a finance department, tricking users into unknowingly giving out corporate banking details), and malware-laden attachments in emails. Many organizations permit their users to access personal email from a work computer, primarily because they don't explicitly prevent it. Opening a booby-trapped message can infect the workstation, and the malware can then spread across the network. The risk is highest when the anti-virus signatures are out of date, or when the anti-virus vendor has not yet released a detection for that particular sample.

Such challenges also occur at home. Malware designed to propagate via removable media can infect a flash drive plugged into an individual's personal equipment. If they later use that flash drive at work, they carry the infection into the organization's digital infrastructure.
A recent phishing attack impersonating Barclays Bank attempted to trick users into handing over their credentials. A text (SMS) message was sent to mobile phones in a shotgun approach (i.e. blast it out there and hope for a hit). The message read as follows:
“We have identified some unusual activity on your online Banking. Please login here https.www.barclay-co-uk.com to verify your identity.”
Such attempts are common via SMS and email alike. Bear in mind that the real link would be "https://www.barclays.co.uk". The lure has no scheme at all: "https." is simply the first label of the hostname, and the domain that was actually registered is barclay-co-uk.com, with the genuine ".co.uk" suffix mimicked by hyphens inside the name. It is a well disguised attempt to get clicks, all the more so because many people will always trust a link that appears to start with https, even though TLS only tells you the connection is encrypted to whoever controls that name, not that the name belongs to the bank.
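The following is an added example, not code from the original article, showing how the check described above can be automated: pull the hostname out of a link (tolerating the missing scheme), work out which part of it was actually registered, and compare that against the brand's genuine domain. The genuine domain barclays.co.uk and the lure https.www.barclay-co-uk.com are taken from the article; the public-suffix subset, the similarity threshold and the finding wording are assumptions for illustration.

```python
"""Decide whether a link in a message really belongs to the brand it claims.

Added example for this article, not part of the original page. The genuine domain
barclays.co.uk and the lure https.www.barclay-co-uk.com come from the article; the
suffix list, scheme-word list and threshold below are assumptions for illustration.
"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes. A production tool would load the
# full Public Suffix List (publicsuffix.org) rather than hard-code a handful.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz"}

# Words that belong in a URL scheme, not in a hostname. Seeing one as a label is a
# sign the sender is dressing a bare host up to look like a complete https:// link.
SCHEME_WORDS = {"http", "https"}

LOOKALIKE_THRESHOLD = 0.8  # assumed value; tune against your own false-positive data


def extract_host(link: str) -> str:
    """Lower-cased hostname of a link, tolerating a missing scheme.

    Without a scheme, urlsplit puts the whole string in the path, so a placeholder
    scheme is prepended first. "https.www.example.com" then parses as a host whose
    first label is "https", which is exactly how a browser would treat it.
    """
    link = link.strip()
    if "://" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def public_suffix(host: str) -> str:
    """The suffix under which names are registered ("co.uk" or "com")."""
    labels = host.split(".")
    if len(labels) >= 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-2:])
    return labels[-1]


def registrable_domain(host: str) -> str:
    """The part of the host someone actually registered, e.g. barclay-co-uk.com."""
    suffix = public_suffix(host)
    rest = host[: -len(suffix)].rstrip(".")
    if not rest:
        return host
    return rest.split(".")[-1] + "." + suffix


def lookalike_score(registrable: str, expected: str) -> float:
    """Similarity after stripping dots and hyphens, so that "barclay-co-uk" is
    compared as "barclaycouk" against "barclayscouk" instead of label by label."""
    target = expected.replace(".", "").replace("-", "")
    label = registrable[: -len(public_suffix(registrable))].rstrip(".")
    candidates = (label.replace("-", ""), registrable.replace(".", "").replace("-", ""))
    return max(SequenceMatcher(None, c, target).ratio() for c in candidates)


def assess_link(link: str, expected_domain: str) -> dict:
    """Return the parsed host, its registrable domain, a list of findings and a verdict."""
    host = extract_host(link)
    registrable = registrable_domain(host)
    expected = expected_domain.lower()
    findings = []
    if registrable != expected:
        findings.append(f"registrable domain is {registrable}, not {expected}")
        score = lookalike_score(registrable, expected)
        if score >= LOOKALIKE_THRESHOLD:
            findings.append(f"{registrable} resembles {expected} (similarity {score:.2f})")
    # Everything in front of the registrable domain is under the registrant's control.
    sub_labels = []
    if host != registrable:
        sub_labels = host[: len(host) - len(registrable)].rstrip(".").split(".")
    scheme_like = sorted(SCHEME_WORDS.intersection(sub_labels))
    if scheme_like:
        findings.append(f"scheme word(s) {scheme_like} used as hostname labels")
    return {
        "host": host,
        "registrable_domain": registrable,
        "findings": findings,
        "verdict": "ok" if not findings else "suspicious",
    }


if __name__ == "__main__":
    for link in ("https://www.barclays.co.uk", "https.www.barclay-co-uk.com"):
        result = assess_link(link, "barclays.co.uk")
        print(link, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

Run against the two links from the article, the genuine one comes back "ok" while the lure is flagged three times: its registrable domain is barclay-co-uk.com, that name closely resembles barclays.co.uk once the hyphens are ignored, and "https" appears as a hostname label. The same routine can be pointed at every link in an inbound message, with the expected domain taken from the brand the message claims to be from.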
Social engineering scams like this can be perpetrated against users in both their work and private capacities. As cybersecurity is not a core part of their job, they are often unaware of the less obvious threats. To establish a smarter workforce, awareness training exercises are well advised. Ongoing micro-updates will maintain their vigilance, whilst new and relevant content can address the evolution and creativity of emerging threats.
Simply stated: a smarter workforce means a better cyber defence, and therefore a safer organization.