According to Cisco’s 2018 Security Capabilities Benchmark Study, small-to-medium-sized businesses (SMBs) said they were “most concerned” by targeted attacks, ransomware and Distributed Denial-of-Service (DDoS) attacks.
In a different study (by the Ponemon Institute), SMBs reported that cyber attacks were not just becoming more complex and damaging, but increasingly targeted.
[Chart: SMBs Believe Cyber Attacks are Becoming More Complex and Targeted. Question: Perceptions about cyber attacks against their companies. Source: Ponemon Institute via CSR]
It appears that the “targeted” aspect refers to social engineering, which is a cyber attack type that exploits the user’s lack of awareness about the threat.
For example, many phishing attacks will involve a fake webpage that pretends to be a user login portal of a bank. If the end-user is unable to spot the difference(s), then they are at massive risk of giving up their username and/or password to the attacker.
A related form is spear-phishing. Here the attacker sends a tailored email to the end-user, either carrying a malicious file attachment or forming part of a sophisticated scheme to obtain money or information.
In its study, the Ponemon Institute learned that social engineering attacks were by far the most prevalent means of delivering ransomware to SMBs. Spoofed (fake) websites are second.
[Chart: Most Prevalent Methods of Delivering Ransomware to SMBs. Source: Ponemon Institute via CSR]
By relying on social engineering, it’s clear that cyber attackers are targeting your employees.
In fact, these attackers are preying on the fact that your staff might not recognize spoofed web pages, malicious attachments, false emails and other tricks.
Having the Right Technology isn’t Enough
You’re entirely correct in believing in antivirus software and firewalls. These technologies help filter out high-risk or malicious traffic and keep malware installations away from your IT systems.
Simply put, antivirus software and firewalls are essential.
But they’re not enough!
The weakest link in any cyber security system, no matter how much is spent on the technology, is the end-user, i.e., your employee(s).
Yes, a next-generation firewall (NGFW) can prevent many fake or suspicious web pages from reaching your staff, but there’s always a risk of something slipping through. If your employees are unable to recognize that page for the threat it is, they can undo your investment with a few clicks.
You cannot afford any knowledge gaps in your cyber security staff; so, how do we fix it?
Train Your Staff to Block Hackers, Not Let Them In
End User Cyber Security Training for Employees is Key
In our experience, end user cyber security training is the quickest and most cost-effective method of improving your cyber security posture. In effect, training will achieve the biggest cyber security gains in the least amount of time.
To achieve these gains, you must train your staff on the following:
The success of a phishing or spear-phishing attack is entirely based on whether the end-user falls for it. So to stop a phishing attack from succeeding, you must train your end-users to not get fooled by them.
For example, they should know how to differentiate false web pages from legitimate ones (e.g., check the URL, look for security warnings in the browser’s address bar, etc.). Regarding spear-phishing, staff should recognize false email addresses or, if they are unsure, know when to verify or escalate suspicious messages instead of interacting with them.
You should complement your training with processes. Yes, employees have a responsibility to not fall for phishing and spear-phishing attacks, but you can make the situation (for your staff as well as your business) easier by preventing those critical moments where possible.
First, start with a cyber-use policy that prohibits your staff from irresponsibly using corporate IT assets. You should prohibit your staff from browsing on high-risk websites, downloading pirated media, installing unauthorized applications and logging in from unsecured networks.
Second, you should use solutions such as NGFWs to filter traffic from malicious and high-risk sources and, in case of an employee mistake, to block malicious software installs.
Ultimately, your employees need to understand and accept their limits at the workplace. Once these limitations are in place, you will reduce the amount of potential exposure to cyber risk.
You should train your employees to know how to take care of company devices.
For example, they should be in the habit of using PIN codes (and, where possible, biometric authentication) to keep other users out of their phones and computers. Likewise, if they lose a device, they should inform your IT department promptly (so that it can remote-wipe the device).
As part of your cyber security training, you must teach your staff not to set weak and predictable passwords, such as “admin” or “123”. Interestingly, even large entities have trouble with this; for example, at Equifax the data of over 100 people was guarded by the password “admin”.
Not only should you train your employees on passwords, but you should also give them tools that make it practical to have many strong, unique passwords. Provide them with a password management tool such as LastPass to store their passwords, and a password strength checker.
You should also have multi-factor authentication (MFA) in place to serve as a last line of defence in case passwords leak or are compromised.
You can also train your employees to use the information MFA gives them: to recognize which login prompts are legitimate and how to identify suspicious ones (e.g., by checking the location or time of the login attempt) and report them.
First Steps to End User Cyber Security Training
You should start by consulting a company with proven cyber security experience, especially in supporting SMBs in your industry. Such a provider will have a curriculum in place that it can implement right away.
In addition, you should follow up your training to ensure that your staff’s security knowledge is retained. In fact, because the cyber threat landscape is constantly evolving, you must train on a regular (e.g., annual, quarterly, etc.) basis. Your new hires will also need to be trained.
In other words, cyber security training should be a regular feature of your company processes. As part of that, you should also run tests, such as simulated phishing or spear-phishing campaigns (for example, our cyber security assessment), both to gauge your employees and to help them understand their own weaknesses.
Power Consulting has over 25 years of experience managing the IT needs of SMBs in complex and highly regulated industries. Our IT Security solutions combine cybersecurity systems, processes, and training into one package at a reliable, flat-rate price.
Contact us today to get started.