Targeted and tailored
Today, attackers often carefully profile the employees of the company they are targeting. This is done for example through social media and by researching publicly available information.
Once a target has been selected, one of the most common ways to execute a cyber-attack is to send phishing e-mails directly to employees in the targeted company. These emails usually contain either a link or a Microsoft Office document embedded with malicious code. Thus, employees can unintentionally help cyber-attackers break into an organisation.
Phishing emails are tailored to appear meaningful and interesting to the recipient. They can look genuine, prompting victims to click on a link or open a document on their work computer.
This action can lead to a website designed to lure the user ID and password out of the victim, or it can release a computer virus or program that allows attackers to control the victim's computer remotely. Usernames and passwords can then be easily hijacked by installing malicious programs that log all keyboard events.
What are the warning signs?
When it comes to phishing emails, it is important for your employees to be wary of emails or phone calls from unknown persons requesting them to act. These can be requests to provide information or open attachments in an email. Be vigilant and consider the following factors if you are unsure how to act in these situations:
- Does the sender’s e-mail address look legitimate and is the content of the message well-written (e.g. using proper grammar) and logical (e.g. featuring a reasonable objective or statements)?
- Does the message contain an attachment or link?
- Does the sender press you to take immediate action, or to act in one particular way?
Be careful not to use the same passwords across multiple platforms. This is common practice among people; however, it is also a serious risk, making things much easier for hackers.
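The three warning signs above can also be checked mechanically on the headers and body of a message that an employee reports. The following is an added example, not code from the original article or from If P&C Insurance; the company domain, the list of urgency phrases and the sample message are assumptions constructed for illustration. It parses a raw email and reports which of the signs it raises, so a help desk can triage reported messages consistently:

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|within 24 hours|act now|expires? today)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a URL or host name (what the reader believes they click)
DOMAINISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def domain_of(header_value):
    # Lower-cased domain of an address header ('' if the header is absent)
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage_email(raw):
    """Check one raw RFC 5322 message against the warning signs; returns the flags raised."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    sender = domain_of(str(msg.get("From", "")))
    reply_to = domain_of(str(msg.get("Reply-To", "")))
    if sender != COMPANY_DOMAIN:               # sign 1: does the sender address look legitimate?
        flags.append("sender_outside_company")
    if reply_to and reply_to != sender:        # replies silently routed to a different domain
        flags.append("reply_to_differs_from_sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):   # sign 3: pressure to act now
        flags.append("urgency_language")
    for href, label in ANCHOR.findall(text):   # sign 2: links whose visible text hides the real host
        shown = DOMAINISH.match(re.sub(r"<[^>]+>", "", label).strip())
        if shown and shown.group(1).lower() != (urlparse(href).hostname or ""):
            flags.append("link_text_hides_real_host")
            break
    if any(True for _ in msg.iter_attachments()):   # sign 2: attachments
        flags.append("has_attachment")
    return flags

# Constructed sample of a credential-phishing message (not a real email)
SAMPLE = b"""\
From: "IT Service Desk" <helpdesk@example.org>
Reply-To: helpdesk-reset@example.net
Subject: Action required: your password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires in 24 hours. Sign in immediately at
<a href="http://login.example.org/reset">https://sso.example.com/login</a></p>
"""
```

Running `triage_email(SAMPLE)` reports the external sender, the diverging Reply-To, the urgency wording and the link whose text shows the company's sign-on host while pointing elsewhere; a plain internal notice from the company domain raises no flag.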
How your IT-security team can help
Keeping up to date on the most recent threats is vital to enforcing a secure environment. Security awareness actions and training of employees are just as important. Awareness can be raised among employees through webinars and on-site events, proper onboarding on security policies, training manuals and pamphlets, refresher training for existing employees, and regularly published intranet articles on IT security topics and practices.
IT security teams are also responsible for ensuring the robustness of the corporate network. This includes implementing new technologies such as multi-factor authentication (MFA), which requires at least two separate verification methods to authenticate the user's identity before they can log in to their account.
Know your vulnerabilities
Invite your different business area, project and product line management teams to consider their vulnerabilities. What is the confidentiality level of the material they are using, and how is this information used by employees? For example, it may be common practice in your company to use online services to share material, send large files, translate information into local languages, or host meetings. It is important to remember that these services can pose a serious security risk.
It is important to understand the terms and conditions of any online service that is being used by your employees.
As an example, translating sensitive information using a free online translation service may risk the release of critical details to hackers. This can include information that may impact stock price, jeopardize joint venture agreements, or otherwise compromise confidential information.
Consider the following:
- How is the online service provider managing the information your employees send and receive on their platform?
- What rights does the online service provider have to this information?
- What are they doing to protect your information from cyber threats?
- What happens if the service provider's data is compromised, and who is liable for possible damages?
- How robust are the security measures the online service provider has in place?
Every day, your employees can provide an important line of defence against potential attacks or be your weakest link in the fight against online threats.
To successfully fight cyber-crime, your employees need to know what they are looking for - as only recognised risks can be managed.
“Patching human vulnerabilities through security awareness training is just as important as patching technical vulnerabilities,” says Peter Granlund, Chief Information Security Officer at If P&C Insurance.