Human actions can cause significant cyber risk to your business; in fact, 80% of cyber breaches are a result of human error. This can be due to a lack of awareness of cyber security best practices, unnecessary access to company information and data, or, in the worst cases, malicious intent. Identifying the weaknesses in your human firewall and then resolving them will reduce your company's risk and help prevent future cyber-attacks.
Risk One: Phishing
Phishing is a cyber-criminal tactic used to deceive individuals into clicking malicious links, or downloading dangerous attachments, embedded in electronic communications. Phishing attempts have always been a significant threat to individuals and businesses alike; however, the pandemic has only accelerated this, as most organisations have adopted remote working over the past two years.
According to IBM Security's 'Cost of a Data Breach Report 2021', phishing is now the second most common initial attack vector, responsible for 17% of breaches (up from fourth position in 2020), with an average global cost of $4.65m per breach. Phishing has a high success rate, and it is an easy, yet extremely effective, method used by cyber criminals to get at your data, devices, and finances. A study showed that 47% of employees who fell for a phishing scam while working from home blamed distraction.
As phishing poses a huge threat to your organisation, it is imperative your workforce understands how to identify and handle phishing attempts to mitigate your organisational risk level.
One of the most effective ways you can strengthen your human firewall is through regular awareness training and phishing simulations. In fact, businesses can see a 70% reduction in socially-engineered cyber threats when regular cyber awareness training is implemented. Adding scheduled phishing simulations puts that knowledge to the test and helps employees remain vigilant against phishing communications.
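The tells that awareness training teaches people to spot (a sender domain that almost matches the real one, a Reply-To pointing somewhere else, a link whose visible text names one site while the actual address is another) can also be checked mechanically. The following is an added example, not Mitigate Cyber's code or a product of theirs: it parses a raw email and reports those three indicators. The sample messages, the domain names in them, and the organisation domain `example.com` are all constructed for illustration.

```python
"""Flag three common phishing indicators in a raw email message.

Added example; the messages and domains below are constructed, not real.
"""
import re
from difflib import SequenceMatcher
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain. A sender domain that is almost,
# but not exactly, this (examp1e.com, exarnple.com) is treated as a lookalike.
TRUSTED_DOMAIN = "example.com"

# Constructed sample with a lookalike sender, a Reply-To on another domain,
# and a link whose visible text does not match its href.
SAMPLE_PHISH = "\n".join([
    'From: "IT Helpdesk" <helpdesk@examp1e.com>',
    "Reply-To: support@mail-reset.net",
    "To: alice@example.com",
    "Subject: Action required: your password expires today",
    'Content-Type: text/html; charset="utf-8"',
    "",
    "<html><body><p>Reset now: "
    '<a href="http://login.mail-reset.net/reset">https://sso.example.com/reset</a>'
    "</p></body></html>",
]).encode()

# Constructed benign sample from the real domain with an honest link.
SAMPLE_BENIGN = "\n".join([
    'From: "IT Alerts" <alerts@example.com>',
    "To: alice@example.com",
    "Subject: Scheduled maintenance this weekend",
    'Content-Type: text/html; charset="utf-8"',
    "",
    '<html><body><p>Details: <a href="https://sso.example.com/status">'
    "https://sso.example.com/status</a></p></body></html>",
]).encode()

# Matches a host-like token in anchor text, e.g. "sso.example.com/reset".
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _base_domain(host):
    """Crude registrable domain: last two labels (ignores co.uk-style TLDs)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def phishing_indicators(raw):
    """Return a sorted list of indicator names found in the raw message bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    from_addr = parseaddr(str(msg["From"] or ""))[1]
    from_base = _base_domain(from_addr.rpartition("@")[2])

    # 1. Reply-To on a different domain from the visible sender.
    if msg["Reply-To"]:
        reply_addr = parseaddr(str(msg["Reply-To"]))[1]
        if _base_domain(reply_addr.rpartition("@")[2]) != from_base:
            found.append("reply_to_mismatch")

    # 2. Sender domain that closely resembles, but is not, the trusted domain.
    if from_base != TRUSTED_DOMAIN and \
            SequenceMatcher(None, from_base, TRUSTED_DOMAIN).ratio() >= 0.8:
        found.append("lookalike_sender")

    # 3. Link whose displayed host differs from the host it really points to.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            shown = _HOST_RE.search(text)
            actual = (urlparse(href).hostname or "").lower()
            if shown and shown.group(1).lower() != actual:
                found.append("link_text_mismatch")
                break
    return sorted(found)


if __name__ == "__main__":
    print("phish :", phishing_indicators(SAMPLE_PHISH))
    print("benign:", phishing_indicators(SAMPLE_BENIGN))
```

These checks are deliberately simple and only catch the crude cases; a real secure email gateway adds SPF/DKIM/DMARC results, URL reputation, and attachment sandboxing. They are still useful as the "what to look for" list in training, because each indicator maps to something a person can verify by hovering over a link or reading the sender address.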
Risk Two: Poor Password Management
Poor handling of login credentials, or insecure password choices, can lead to cyber criminals exploiting your company accounts and gathering sensitive information.
In the UK, 64% of people reuse passwords across multiple accounts, and 59% of people do not change their password even after a breach has been reported. Compromised accounts are a huge threat to organisations, as they can lead to mass data breaches. According to IBM Security's 'Cost of a Data Breach Report 2021', the most frequent initial attack vector was compromised credentials, accounting for 20% of breaches in 2021. Compromised business email accounts were responsible for only 4% of breaches, yet had the highest average total cost at $5.01m.
Keeping your login credentials long, unique to each account, and stored securely is the best way to ensure your accounts are protected; a reused password is only as safe as the weakest site it was used on. It is now best practice to roll out a password manager across your company so staff can generate and store a different credential for every account in one secure location.
Additionally, introducing multi-factor authentication (MFA) across your organisation adds a further step of identity verification before anyone can access email, social media accounts, company portals, or sensitive data. Google reported that none of its 85,000+ employees had a work account successfully phished after it required hardware security keys, a phishing-resistant form of MFA, in 2017. Not every second factor is equal: codes sent by SMS or generated by an app can still be relayed by a real-time phishing page, whereas security keys bind the login to the genuine site, so prefer the strongest factor your systems support.
It is also best practice to enter your login credentials and conduct company activities only over a trusted internet connection. Public Wi-Fi networks are risky because they are often unencrypted and anyone can join them; an attacker on the same network can intercept your traffic, redirect you to fake login pages, or attack your device directly. Use a company VPN when working away from the office.
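To show what "an additional step of identity verification" actually involves, here is an added example, not Mitigate Cyber's code, of the time-based one-time password (TOTP, RFC 6238) scheme that authenticator apps use. Both the login server and the user's app hold the same shared secret; each derives a short code from the secret and the current 30-second time step, so a stolen password alone is not enough. The verifier accepts one step of clock drift either way and refuses to accept a code for a time step it has already used, which is the replay check a server must keep. The secret and timestamps below are the RFC's own published test values, not credentials from any real system.

```python
"""TOTP (RFC 6238) generation and verification with drift window and replay
protection. Added example; secret and timestamps are RFC test values."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret: the ASCII bytes "12345678901234567890".
RFC_SECRET = b"12345678901234567890"


def secret_from_base32(text):
    """Decode the base32 secret shown in an authenticator app's setup QR code."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """Time-based code for Unix time `at`: HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1, last_used=None):
    """Check `code` against the current step and +/-window neighbouring steps.

    Returns the matching counter (the caller stores it as `last_used`), or None.
    Any counter at or before `last_used` is rejected so a captured code cannot
    be replayed, even inside the drift window.
    """
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    used = verify_totp(RFC_SECRET, totp(RFC_SECRET, now), now)
    print("first use accepted at step", used)
    print("replay accepted?", verify_totp(RFC_SECRET, totp(RFC_SECRET, now), now,
                                          last_used=used) is not None)
```

The point for the human-risk discussion is the last function: the server, not the user, is what makes MFA hold up, by checking the time window and never honouring the same code twice. Even so, a TOTP code typed into a convincing fake login page can be relayed to the real site within its 30-second validity, which is why phishing-resistant factors such as security keys are preferred for high-value accounts.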
Risk Three: Malicious Insiders and Unwitting Employees
As much as businesses would like to trust their employees and believe they hold no ill will against the organisation, this is unfortunately not always the case. Malicious insiders were the third costliest initial attack vector in IBM Security's 'Cost of a Data Breach Report 2021', at an average of $4.61m per breach.
Malicious insiders and unwitting employees are particularly dangerous to organisations because they already hold some level of access to company accounts, data, office premises and, in some cases, finances. Even an employee leaving for a new job elsewhere who takes company data with them, hoping it will help in their new role, has caused a data breach that could harm your organisation.
Of course, it would be easier to give everybody in your organisation access to all company accounts and data, but this creates huge cyber risk. Instead, apply the Principle of Least Privilege, where each person has access only to the accounts and data their role requires, and review that access when roles change or people leave. If an employee then falls victim to a phishing attack, the damage is limited to what their account could reach.
Additionally, as many employees now access company accounts and information from personal devices and networks due to remote working, it is best practice to implement a Bring Your Own Device (BYOD) policy under which personal devices are registered before they can reach company information, so you know which devices hold your data and can revoke their access.
Risk Four: Social Engineering
Social engineers are those who seek to deceive or mislead you into revealing sensitive information or granting access. A social engineering attack may be verbal, physical, digital, or a combination of all three. In many cases, social engineers will build a profile of the individual they are aiming to deceive to make their pretext more convincing.
A common example is looking up information about someone from their public social media accounts. Social engineers are also known for gaining unauthorised access to office buildings in order to steal data, compromise the network, or plant infected hardware around the premises.
To identify and defend against a social engineering attempt, it is important to know the best practice for handling unexpected visitors. Always verify that a person is who they say they are, by checking ID badges and confirming they have a meeting with an employee at your place of work. Never allow visitors to wander around the office alone, or to enter restricted areas without a chaperone.
At Mitigate Cyber, not only do we offer services that secure and monitor your devices, but we also provide solutions that protect and train your people. From cyber security awareness training and bespoke phishing campaigns tailored to your organisation to social engineering consultancy, we help transform your staff into a resilient first line of defence against cyber attacks.
For more information, or to speak to a Mitigate Cyber expert, get in touch using the link below.