IT Security News Quarterly Update - Spring 2023

It’s time to leap into action with our spring IT Security Update! Our security expert Jamie is urging you to act this quarter and ensure that all your staff receive cyber security training, so that your organisation avoids being caught out by a data breach caused by human error.


Train, train, train... Jump on board!


Did you know that human error is the leading cause of cyber security breaches?

Yes - your members of staff, not IT equipment/services, are the weakest links in your organisation.

In fact, according to a study by IBM, human error is the main cause of 95% of cybersecurity breaches, so if it were somehow eliminated entirely, 19 out of 20 incidents could potentially be avoided! Additionally, researchers from Stanford University and a top cyber security organization found a similar statistic, reporting that approximately 88% of all data breaches are caused by an employee mistake. So it appears that end users are very much the driving force behind a huge majority of cybersecurity issues.

However, the answer to this huge IT security problem is simple. Cyber security training!

Regular, aggressive (perhaps a little strong) and focused training.

Although it feels like it should be a simple thing to achieve, in practice it apparently isn’t.

A random figure from the internet suggests that only 17% of UK organisations had training or awareness-raising sessions on cyber security in the last 12 months. That’s terrifying, but if I had to place a wager on it, I’d suggest that the real figure is likely to be lower, not higher.

Why is this?

Why do businesses spend good money on various IT security solutions, but fail to address one of the main causes of all cyber incidents?  

Most successful hacks involve social engineering (between 70% and 90% of the time). Social engineering is when a threat actor targets a user or users to get them to reveal specific information or carry out specific actions for nefarious reasons. One of the most common forms of social engineering is phishing (when hackers attempt to trick end users into doing the wrong thing in response to an email, such as downloading malware).

I assume the main reason why human error isn’t being addressed is cost, followed by the time invested to train users. The question, though, is: can your company afford not to?

I hope you find the below free advice interesting and helpful. At the very least I hope that it prompts you to think about putting together a brief training session for your staff, perhaps using it as an example. Or why not send an email broadcast to your staff or bring it up in the next staff meeting when you have a captive audience?

Here’s the example…

Many of us have by now probably seen an e-mail from a known contact saying ‘click this link’ or ‘open this document’. If you’ve seen one of these, the likelihood is that the sender’s account had been compromised. It’s relatively common that once an account has had its information stolen (think stolen copies of whole mailboxes), the threat actor will send a similar phishing e-mail to all of its contacts to try to gain access to more accounts.

So back to the example e-mail that’s arrived in your inbox, from a known contact…

A relatively high number of the people reading this who have seen one probably deleted the e-mail without clicking (yay!). You've passed this round… but rest assured the threat actors have far better ploys up their sleeves.

There will be a smaller number who replied, asking if the link was meant for them. (This is where the bad guy replies from the compromised sender’s account saying ‘yes, it was for you and is safe to open’.) These users then went ahead and clicked on the malicious link.

There will be a smaller number still who clicked the link without too much thought (for example, they had recently spoken to the sender and, although they weren’t expecting anything, it wasn’t a complete shock to see an e-mail from them).

Some of those users, having opened or clicked on something that didn’t give them the expected result, will actively do something about it and report it. How many of you know who you should report this incident to, and just how urgent it can be?

A smaller number won’t say anything. Nothing happened, right? So all is okay. There is no malicious intent; the users are just busy, don’t want to cause a fuss and don’t understand the implications. Costly!

I’m sure that I could come up with plenty of other ways that this example could play out, but I’m writing an article, not a book, and so I think you get the idea…

Cyber criminals are becoming smarter. Why? Because they are using the latest techniques and continuously learning (or, in some cases, using AI to come up with templates!). If the bad guys are learning, users must continue to learn too.

Again, I hope that you have found the above helpful. If you have any questions about your IT security needs, or you would like to take things a step further and have Net Technical deliver phishing awareness testing and training to your team, please contact your Account Manager or e-mail security@ntsols.com.

PS: If you’re interested in trying a free cybersecurity course, here’s a good one by the NCSC: Top tips for staff - Overview (ncsc.gov.uk)
