The first week of October marks the start of European Cybersecurity Month, the EU’s annual campaign dedicated to promoting cybersecurity among EU citizens and organisations. Over the next 4 weeks, we are publishing a series of posts on your cybersecurity and why it matters.
Unfortunately, in the majority of cybersecurity and data breach cases, people are the weakest link. Verizon’s 2023 Data Breach Investigations Report found that 74% of cybersecurity breaches involved the human element, which includes social engineering attacks, errors or misuse (source). The vast majority of cyber attacks that use password cracking or phishing emails specifically target your staff.
A common myth exists that if you’re not actively engaged on social media, or if you don’t have accounts on such platforms, your online profile is non-existent or negligible. This perception, however, is deeply flawed. In reality, information about each one of us is inevitably housed in some database, somewhere, regardless of our online activity levels. The responsibility for safeguarding this data lies not only with the companies and organisations that store it but with us as well.
For instance, a cybercriminal, if they are specifically looking to target your business, may track some of your senior staff’s social media to see if they can spot a genuine opportunity to send an advanced and targeted phishing email to a specific person within the organisation.
In a personal context, people are advised not to post holiday snaps or updates on social media, because it shows potential criminals that they are away from their property and increases the possibility that their property will be targeted for burglary while they are away.
In the same way, if a cybercriminal sees that the CEO or CFO of an organisation is on annual leave, they may target a junior or mid-level employee they have identified within the organisation with an email that appears to come from the CEO. This is not unusual in generic phishing campaigns. In this case, however, the criminal adds specifics about the holiday location, family names and other details that make the email seem more genuine. The email can ask for a multitude of things, e.g. a money transfer, bank details, or access to an online system (username and password), using the premise that the CEO has not brought their computer equipment and needs access via a mobile phone or another device.
Given the escalating sophistication of cyber-attacks, providing absolute protection is challenging. However, a crucial defensive measure within our grasp is the conscientious education and training of our staff regarding potential risks, effective processes and best practices to pre-emptively counter these threats. Through regular, insightful awareness training, we can significantly diminish the likelihood of these malicious schemes succeeding, making the organisation a far less attractive target from the attacker’s perspective.
Enhancing staff awareness training can be approached in various ways, ranging from conducting regular in-house training sessions and offering online courses to running simulated phishing exercises (benign tests designed to educate rather than exploit) and enlisting the expertise of external cybersecurity training firms. Together, these initiatives fortify your organisation’s defences against the ever-present, ever-evolving menace of cyber threats.
By Brian Power
By Aoife O'Driscoll