Think Before You Click
Cyber security awareness is key for business.
From a cyber security standpoint, the one behavior that leads to more headaches than any other for small or midsize businesses is people clicking (or otherwise acting) on things in emails that they shouldn’t.
The IT team can help: Certainly scanning email for malware or signs of phishing is a must. Other techniques that detect and take action on the presence of malware on a computer or network have also proved effective, but there is only so much that anyone can do technically to mitigate the potential impact of email attacks.
Threats are more sophisticated by the day.
Cryptolocker attacks (malware that begins attacking computers running Microsoft Windows via infected email attachments) and its variants have been the most notorious, harmful and seemingly profitable exploit in cyber attacks in recent years. Initially the broad attacks came as email attachments with enough general context to make them seem legitimate, but later the attachments were replaced with links to commonly used file-sharing apps. In both cases, simply opening the file could potentially render all of your and your company’s files useless. The only recourse is to restore from backup or pay criminals a sort of ransom in hopes that they will help you recover the data.
Recently, many attacks have become more targeted and involve no malware or real technical expertise at all. I have encountered more than a few cases where criminals research a company or individual to determine who is likely to authorize a large financial transaction and who is likely to perform it. They then create an email account that looks very much like the authorized person’s and send an email requesting a wire transfer. Occasionally, the request seems legitimate enough that many thousands of dollars per instance end up in criminal hands.
By all accounts, these criminal exploitations are very lucrative. While no one seems able to determine the precise amount that these cyber criminals are raking in, there is no question that it is a multimillion-dollar enterprise. This problem is here to stay.
How do you fight back?
So, if we can’t rely on technical measures to address these attacks, and if they’re not going anywhere, what’s the answer? It’s all about raising awareness. At the very least, every company and organization should educate employees about the need to be extremely careful when opening email attachments and clicking links in an email and to confirm authorization before sending money or sensitive information based on an email.
Even better is to use one of a number of inexpensive, commercial security-awareness solutions such as KnowBe4 and PhishMe. They typically start with internal testing consisting of fake emails that mimic the same ones that criminals use and identify which employees click on them. They also have a short series of effective and concise computer-based training videos, which tell you specifically what to look for in email attacks. The training can be required company-wide, or just for those employees identified in the course of testing.
This type of testing and training may seem unnecessary, and the majority of attacks may seem easy to detect and avoid, but given the frequency, probable persistence and growing sophistication of email attacks and the inability of technical tools to prevent them, formal security awareness is one more layer of defense that belongs on the list of countermeasures that everyone should employ.
Steven Ellis has spent the last 16 years working at the intersection of business and technology for Bellwether Technology in New Orleans, where he serves as the company’s vice president.