Martin Roots, Managing Director at the Expede Group, discusses cybersecurity awareness, walking us through different cyber attacks and how to prevent them efficiently
Cybersecurity awareness has never been more important. Over recent years, cybercrime, accelerated by the Covid crisis, has reportedly increased by over 600%. Almost half of businesses (46%) and a quarter of charities (26%) report having had a cybersecurity breach in the past 12 months alone; the true figures will be higher, as many incidents go undetected or unreported. The cost to businesses is huge: ransomware attacks cost UK businesses £71 million in downtime alone, and a phishing attack on a mid-sized organisation costs £1.3 million on average. Cybercrime is arguably the world's biggest criminal growth industry, with an expected toll of over £5 trillion globally.
95% of cybersecurity issues can be traced to human error, states the World Economic Forum Global Risks Report 2022
The major problem is not always lacklustre security systems or defences. In fact, over 90% of cybercrime incidents now involve criminals targeting staff, most often through phishing: fraudulent communication that tricks individuals into clicking malicious links, handing over sensitive information, or installing malware.
These attacks are largely preventable, yet 97% of people around the globe cannot identify a phishing email, and 74% would download a potentially malicious file because they lack the awareness to spot it. With appropriate training, staff would rapidly cut the number of data breaches and successful phishing attacks.
Cybersecurity Awareness Month is a great time to educate yourself and your users
Human error is by far the biggest cause of security incidents, and tackling it is key to reducing attacks. Security awareness training is by far the best place to start. Training users to recognise (and react to) cyber threats cuts the problem off at the source and stops many attacks from developing in the first place.
What are the types of attacks?
All businesses are at constant risk of cybercrime, and attacks come through various channels and in different guises.
Phishing
Phishing is one of the most common forms of cyber-attack. Most users have a business email address, and phishing emails sent to these accounts can be extremely convincing. In the past few years, phishing attacks have increased by over 100%, and with the rise of remote working and the constant need to click links to shared content or portals, it is easy to fall victim.
Overall, phishing relies on a lack of understanding: most people cannot identify a phishing email. If staff are trained to tell whether an email is genuine, including checking the real URL behind a link before clicking, examining the actual 'from' address (not just the display name) to ensure it is genuine, and looking for the obvious signs of foul play such as lookalike domains and pressure to act immediately, then most phishing attacks could be avoided. Even well-trained users are caught occasionally, so training should sit alongside technical controls rather than replace them.
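The three checks just described (the real sender address behind the display name, where a link actually points versus where it claims to point, and pressure language) can be expressed as code. The block below is an added example, not code from the original article or from Expede: it assumes the organisation's own mail domain is example.com, the two messages are constructed for the demonstration, and the lookalike rule (digits standing in for letters, the trusted name buried in a hyphenated domain) is a simple heuristic rather than a complete detector.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domain(s)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digits used to fake letters
URGENCY_PHRASES = ("action required", "expires today", "verify your account", "suspended", "urgent")

# Constructed sample, not a real phishing email: the display name embeds a trusted-looking
# address, the real sender is on a lookalike domain, and the link text and href disagree.
PHISH_EML = """From: "IT Helpdesk <helpdesk@example.com>" <alerts@examp1e-support.net>
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Please verify your account:</p>
<a href="http://login.examp1e-support.net/verify">https://portal.example.com/login</a>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EML = """From: "IT Helpdesk" <helpdesk@example.com>
Subject: Monthly IT newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Here is this month's update, also on <a href="https://portal.example.com/news">the portal</a>.</p></body></html>
"""


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(host):
    """Trusted domain that `host` imitates, or None: after mapping confusable digits back to
    letters, the trusted name appears as a label or hyphenated token (examp1e-support.net)."""
    if not host or is_trusted(host):
        return None
    tokens = set(re.split(r"[.-]", host.lower().translate(CONFUSABLES)))
    return next((t for t in TRUSTED_DOMAINS if t.split(".")[0] in tokens), None)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Apply the checks a trained reader makes by eye; returns a list of (code, detail)."""
    msg = email.message_from_string(raw_message)
    findings = []
    # 1. Judge the real sender address, not the display name.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if "@" in name or "<" in name:
        findings.append(("display-name-embeds-address", name))
    if sender_domain and not is_trusted(sender_domain):
        if any(t in name.lower() for t in TRUSTED_DOMAINS):
            findings.append(("display-name-claims-trusted-domain", addr))
        if lookalike_of(sender_domain):
            findings.append(("sender-domain-lookalike", sender_domain))
    # 2. Compare where each link says it goes with where it really goes.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_host = (urlparse(href).hostname or "").lower()
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
            text_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if text_host != href_host:
                findings.append(("link-text-host-mismatch", f"{text_host} -> {href_host}"))
        if lookalike_of(href_host):
            findings.append(("link-host-lookalike", href_host))
    # 3. Pressure to act now is the classic social-engineering tell.
    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    matched = [p for p in URGENCY_PHRASES if p in plain]
    if matched:
        findings.append(("urgency-language", ", ".join(matched)))
    return findings
```

Running `analyse(PHISH_EML)` produces six findings (the embedded address in the display name, the claim to be example.com, the lookalike sender and link domains, the link text/href mismatch, and the urgency phrases), while `analyse(CLEAN_EML)` returns nothing. The same rules are what a user should apply by hand: hover over the link, read the address inside the angle brackets, and be suspicious of anything that demands action today.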
Malware
Malware is any malicious software designed to harm or exploit a device or network. For a malware attack to succeed, the malicious code has to run on the device, which usually means a user has been tricked into opening an attachment, clicking a link, or visiting a rogue site. Without realising it, the user is then compromised, and the device can no longer be trusted.
Malware comes in several forms, including trojan horses, ransomware, spyware and keyloggers. (Man-in-the-middle attacks, often listed alongside these, are an interception technique rather than malware, although malware on a device is one way to carry them out.) Ransomware attacks are among the costliest: attackers encrypt systems or data and withhold recovery until a ransom is paid.
From a user's perspective, malware such as spyware and keyloggers is used to steal passwords, emails and other personal data.
Once again, the best defence against malware is education. If users know what to look out for, understand the precautions they should take, and can recognise a suspicious link before clicking on it, most malware attacks can be prevented. Of course, correct device security and protection is important too, but without an understanding of malware in the first place, a user can never be completely safe from attack.
Password Security
Hackers don't only use spyware to steal passwords and data: poor passwords can be guessed or cracked, by hand or with a program, without any malware on the victim's computer. Over 60% of people use the same password for multiple accounts, so a single hacked or leaked password can be tried against every other service the victim uses (credential stuffing) and cause severe damage.
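The following added example (not from the original article or Expede) shows both halves of that paragraph at once: how a program recovers weak passwords from a leaked database of unsalted hashes using a wordlist plus a few mangling rules, and how a password reused on a second site is exposed the moment it is cracked on the first. The two "leaks", the wordlist and the user accounts are all constructed for the demonstration; real cracking tools use far larger wordlists and rule sets, but the mechanism is the same.

```python
import hashlib

# A tiny "wordlist" and the mangling rules a cracking tool applies to each word.
WORDLIST = ["password", "welcome", "letmein", "summer", "expede"]
SUFFIXES = ["", "1", "123", "!", "2022", "2022!"]


def candidates(word):
    """Yield the word and its common variations (capitalised, with suffixes)."""
    for base in (word, word.capitalize()):
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(password):
    # Unsalted, fast hash: the worst case for a leaked credential database.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed leaks: what an attacker obtains from breached sites, i.e. only hashes.
# The plaintexts exist here solely to build the samples; crack() never reads them.
_SITE_A_PLAINTEXT = {"alice": "Password1", "bob": "Summer2022!", "carol": "welcome",
                     "dave": "tr9$Lq2!vNwz7#Bp"}
_SITE_B_PLAINTEXT = {"alice": "Hg4!kWq9@zL2", "bob": "Summer2022!", "erin": "letmein123"}
SITE_A_LEAK = {user: sha256_hex(pw) for user, pw in _SITE_A_PLAINTEXT.items()}
SITE_B_LEAK = {user: sha256_hex(pw) for user, pw in _SITE_B_PLAINTEXT.items()}


def crack(leak, wordlist):
    """Dictionary attack: hash every candidate once, then look each leaked hash up."""
    table = {}
    for word in wordlist:
        for cand in candidates(word):
            table.setdefault(sha256_hex(cand), cand)
    return {user: table[h] for user, h in leak.items() if h in table}


def reuse_exposure(cracked, other_leak):
    """Users whose password recovered from one site also opens their account on
    another site: the direct cost of reusing one password across services."""
    return {user: pw for user, pw in cracked.items()
            if other_leak.get(user) == sha256_hex(pw)}


if __name__ == "__main__":
    found = crack(SITE_A_LEAK, WORDLIST)
    print("cracked on site A:", found)
    print("not cracked:", sorted(set(SITE_A_LEAK) - set(found)))
    print("same password also works on site B:", reuse_exposure(found, SITE_B_LEAK))
```

Three of the four site A accounts fall to a five-word list with a handful of rules; only the long random password survives. Bob's reused password is then valid on site B without any further work, and because both sites hash without a salt, his two hashes are byte-for-byte identical, so the reuse is visible even before anything is cracked.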
DDoS Attack
Although human error is involved in most cyber-attacks, this is not always the case; some targeted attacks are not so easily avoided. A distributed denial-of-service (DDoS) attack floods systems and servers with so much traffic that they can no longer operate, taking entire networks, websites or online platforms offline.
DDoS traffic is typically generated by botnets: large numbers of compromised devices, usually outside the target's own network, on which malware was installed well before the attack takes place. Keeping malware off an organisation's own devices therefore also stops them being used as weapons against others.
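Because a DDoS attack is about volume rather than a single bad click, the practical check is on the server side: watch request rates per time window and per source address. The block below is an added example, not code from the original article or from Expede. It parses common-log-format web server lines, buckets them into ten-second windows, and distinguishes a flood from one address from a distributed one where no single IP stands out. The log lines are generated synthetically inside the block and the thresholds are illustrative assumptions to be tuned against a real baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _ = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}


def detect(lines, window=10, total_limit=100, per_ip_limit=30):
    """Bucket requests into fixed windows and flag abnormal ones. A window dominated
    by one IP is a single-source flood; one over the total limit with no single IP
    standing out is the distributed case (thresholds are illustrative assumptions)."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            start = int(rec["time"].timestamp()) // window * window
            buckets[start][rec["ip"]] += 1
    alerts = []
    for start in sorted(buckets):
        ips = buckets[start]
        total = sum(ips.values())
        top_ip, top_count = ips.most_common(1)[0]
        if total > total_limit or top_count > per_ip_limit:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, timezone.utc),
                "total": total,
                "distinct_ips": len(ips),
                "kind": "single-source" if top_count > per_ip_limit else "distributed",
                "top_ip": top_ip,
            })
    return alerts


def _line(ip, when, path="/", status=200):
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def constructed_log():
    """Synthetic log, not real traffic: ten minutes of quiet browsing, then a
    200-request burst from 50 addresses, then 50 requests from a single address."""
    t0 = datetime(2022, 10, 10, 13, 40, tzinfo=timezone.utc)
    lines = []
    normal_ips = [f"192.0.2.{n}" for n in range(1, 6)]
    for i in range(60):                       # one request every 10 seconds
        lines.append(_line(normal_ips[i % 5], t0 + timedelta(seconds=10 * i)))
    burst = t0 + timedelta(minutes=10)        # 13:50:00, 50 IPs x 4 requests on /login
    for i in range(200):
        lines.append(_line(f"203.0.113.{i % 50 + 1}", burst + timedelta(seconds=i % 10), "/login", 503))
    single = t0 + timedelta(minutes=11)       # 13:51:00, one IP hammering /login
    for i in range(50):
        lines.append(_line("198.51.100.7", single + timedelta(seconds=i % 10), "/login", 503))
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Run as a script it prints two alerts: a distributed window of 200 requests from 50 addresses, where a per-IP block list would do nothing, and a single-source window where rate-limiting the one address is enough. The distributed case is why DDoS mitigation normally sits upstream (at a provider or scrubbing service) rather than on the server being attacked.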
Awareness Campaigns & Training
It is estimated that between 85-95% of all breaches are due to human error. The easiest, fastest, and most affordable way for organisations to combat cybersecurity issues is through awareness campaigns and cybersecurity awareness training: improving the capabilities of the 'human firewall' and developing a cybersecurity-aware culture.
What are awareness campaigns?
Security awareness campaigns are efforts designed to improve cybersecurity knowledge amongst users within an organisation. They educate users about the cybersecurity landscape, help raise awareness of threats, and teach users how to avoid cyber-attacks as best as possible. The idea is to create a 'culture of security compliance' within an organisation, putting cybersecurity at the forefront of users' minds when using a device or accessing their email.
Cybersecurity campaigns go much further than a one-off training session. They should make cybersecurity a key part of the organisation, with appropriate investment, regular discussions and updates, and content tailored to each user's role and level of access.
At Expede, we work with several security awareness training partners that take different approaches, from those that supply the platform and content for your teams to manage campaigns themselves, to those that provide a fully managed service.
One such partner, KnowBe4, has pulled together a set of resources that you can use to help your users make smarter security decisions during Cybersecurity Awareness Month and beyond.
You’ll get:
Access to free resources for you including KnowBe4’s most popular on-demand webinar and whitepaper.
Resources to help you plan your activities, including your Cybersecurity Awareness Month Guide and Cybersecurity Awareness Weekly Planner.
New featured interactive training module for your users: "2022 Social Engineering Red Flags," plus 3 additional interactive training modules, all available in multiple languages.
Resources to share with your users including training videos, security docs, tip sheets, security hints and tips newsletters, plus posters and digital signage assets, all available in multiple languages.
All assets are printable and available digitally, so they can be delivered to your users no matter where they are working from.
If you’d like to get in touch to find out how the team at Expede can help deliver the right cybersecurity awareness programme for you, email your Virtual Chief Information Security Officer at vciso@expede.consulting
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.