Today, attackers often carefully profile the employees of the company they are targeting, for example through social media and other publicly available information. Once a target has been selected, one of the most common ways to start an attack is to send phishing e-mails directly to employees of the targeted company. These e-mails usually contain either a link or a Microsoft Office document with embedded malicious code (such as a macro). Employees can thus unintentionally help attackers break into the organisation.
Phishing e-mails are tailored so that their content looks relevant and interesting to the recipient. They can appear genuine, prompting the victim to click a link or open a document on their work computer. The link may lead to a web site built to harvest the victim's user ID and password; the document may install malware that lets the attacker control the computer remotely. Once malware is on the machine, a keylogger that records every keystroke will capture user names and passwords as they are typed.
What are the warning signs?
Employees should be wary of e-mails or phone calls from unknown persons asking them to act, whether by providing information or by opening an attachment. Be vigilant, and consider the following if you are unsure how to respond:
- Does the sender's e-mail address look legitimate, and is the message well written (proper grammar) and logical (a plausible reason for the request)?
- Does the message contain an attachment or a link?
- Does the sender press you to act immediately, or to act in one specific way?
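The three questions above can be turned into automated checks on a raw message: sender address versus display name and Reply-To, presence of attachments and of links whose visible text points somewhere other than their real target, and urgency phrases in the body. The script below is an added example and not part of the original article; the trusted domain list, the urgency phrase list and both sample messages are constructed for the demonstration.

```python
"""Score a raw e-mail against the three warning signs in the checklist above.

Added example, not part of the original article. The trusted domain list, the
urgency phrases and both sample messages are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation legitimately sends from (assumption for this example).
TRUSTED_DOMAINS = {"example.com"}

# Phrases that pressure the reader to act without thinking (constructed list).
URGENCY = re.compile(
    r"\b(immediately|urgent(?:ly)?|within (?:24|48) hours|act now|"
    r"account will be (?:suspended|closed|locked)|verify your (?:account|password))\b",
    re.IGNORECASE,
)

# <a href="...">visible text</a>; used to catch link text that hides a different target.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def phishing_signals(raw: str) -> list[tuple[str, str]]:
    """Return (category, detail) pairs for every warning sign found in the message."""
    msg = message_from_string(raw)
    found: list[tuple[str, str]] = []

    # Warning sign 1: does the sender address look legitimate?
    display_name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    if from_dom not in TRUSTED_DOMAINS:
        found.append(("sender", f"From domain {from_dom!r} is not a trusted domain"))
    name_dom = _domain(display_name)  # a display name written to look like an address
    if name_dom and name_dom != from_dom:
        found.append(("sender", f"display name claims {name_dom!r} but address is {from_dom!r}"))
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        found.append(("sender", f"replies go to {reply_dom!r}, not {from_dom!r}"))

    for part in msg.walk():
        # Warning sign 2: attachments and links
        if part.get_filename():
            found.append(("attachment", part.get_filename()))
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for href, inner in ANCHOR.findall(body):
            shown = re.sub(r"<[^>]+>", "", inner).strip()
            if shown.lower().startswith("http") and _host(shown) != _host(href):
                found.append(("link", f"text shows {_host(shown)!r} but target is {_host(href)!r}"))
        # Warning sign 3: pressure to act immediately
        for m in URGENCY.finditer(body):
            found.append(("urgency", m.group(0)))
    return found


# Constructed sample: forged display name, foreign Reply-To, disguised link, Office attachment.
SUSPICIOUS = """\
From: "it-support@example.com" <helpdesk@mail-example.net>
Reply-To: password-reset@freemail.example
To: alice@example.com
Subject: Your password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="utf-8"

<p>Verify your account immediately at
<a href="https://example.net/login">https://example.com/login</a>
or open the attached form.</p>
--sep
Content-Type: application/octet-stream; name="form.docm"
Content-Disposition: attachment; filename="form.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--sep--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Shall we have lunch on Thursday?
"""

if __name__ == "__main__":
    for category, detail in phishing_signals(SUSPICIOUS):
        print(f"{category:10} {detail}")
    print("benign message signals:", phishing_signals(BENIGN))
```

Each signal on its own is weak (internal mail also says "immediately"); the value is in the combination, and a mail that trips the sender, link and urgency checks together deserves a call to the sender through a known-good number rather than a reply.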
Do not reuse the same password across multiple services. This is common practice, but it is a serious risk: a password stolen from one service, for example through a phishing page, can then simply be tried against every other account the victim holds.
How your IT-security team can help
Keeping up to date on the most recent threats is vital to maintaining a secure environment, and security awareness training for employees is just as important. Awareness can be raised through webinars and on-site events, proper onboarding on security policies, training manuals and pamphlets, refresher trainings for existing employees, and regular intranet articles on IT security topics and practices.
IT security teams are also responsible for the robustness of the corporate network and its identity systems. This includes rolling out controls such as multi-factor authentication (MFA), which requires at least two separate verification methods (for example a password plus a one-time code or a hardware token) before a user can log in to their account, so that a phished password alone is not enough.
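To make the "two separate verification methods" concrete, the following added example (not from the original article, which does not prescribe a particular method) checks a password and a TOTP one-time code (RFC 6238, built on HOTP, RFC 4226) as two independent factors. The user record is constructed for the demo and the shared secret is the RFC 4226/6238 test key; the replay guard on the last accepted counter is an assumption about how a real verifier should behave, not something the article states.

```python
"""Password plus TOTP one-time code as two separate verification methods.

Added example, not from the original article. TOTP (RFC 6238) is one common
second factor; the article does not prescribe a method. The shared secret is
the RFC 4226/6238 test key and the user record is constructed for the demo.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # TOTP time step in seconds
WINDOW = 1     # accept codes from one step before/after, to tolerate clock drift
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


def matching_counter(secret: bytes, code: str, at: float, window: int = WINDOW) -> Optional[int]:
    """Counter whose code matches within the drift window, or None."""
    base = int(at // STEP)
    for counter in range(base - window, base + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record: salted password hash, TOTP secret, last accepted counter.
_SALT = bytes(range(16))
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _pw_hash("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 4226/6238 test key
        "last_counter": -1,
    }
}


def login(username: str, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass. A phished password alone, or a replayed code, is rejected."""
    at = time.time() if at is None else at
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"]):
        return False
    counter = matching_counter(user["totp_secret"], code, at)
    if counter is None or counter <= user["last_counter"]:
        return False   # wrong code, or a code that has already been accepted once
    user["last_counter"] = counter   # replay guard (assumed behaviour, see lead-in)
    return True


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    now = time.time()
    code = totp(secret, now)
    print("current code:", code)
    print("password only, wrong code:", login("alice", "correct horse battery staple", "000000", now))
    print("both factors:", login("alice", "correct horse battery staple", code, now))
    print("same code again:", login("alice", "correct horse battery staple", code, now))
```

The second factor is only independent of the password if its secret never leaves the authenticator, so treat the TOTP seed with the same care as a private key. One caveat worth knowing: a phishing page that relays the victim's input to the real site in real time can still forward a TOTP code within its validity window, whereas a FIDO2/WebAuthn factor bound to the site's origin cannot be forwarded that way.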
Know your vulnerabilities
Invite your business area, project and product line management teams to consider their own exposure. What is the confidentiality level of the material they handle, and how do employees use it? For example, it may be common practice in your company to use online services to share material, send large files, translate documents into local languages, or host meetings. Remember that each of these services can pose a serious security risk, because confidential material is handed to a third party.