Cyber attacks have quickly become the number one security threat for businesses, yet some people still don't take their cyber security defences seriously. If you still think scam emails are only for fake Nigerian princes and that viruses just give you annoying pop-ups, this should put things in perspective: in May 2017 the WannaCry ransomware worm spread across the globe within a day. It did not need a single click - it exploited an unpatched flaw in Windows file sharing (SMB) to jump from machine to machine - and within hours hospitals were shutting down systems, cancelling appointments and diverting emergency patients, while the attack spread to hundreds of thousands of computers worldwide. The mistake that let it in was simply not applying a patch that had been available for two months.
The threat of cyber attacks is very real, whatever the size of your organisation, and more often than not an attacker relies on a user's mistake to gain a foothold on your network. To help you know what not to do, here are the most common mistakes companies and their employees make when it comes to cyber security:
- Clicking links or attachments in emails
Emails are the most common delivery method for cyber attacks - whether that be social engineering attacks like phishing scams, or malicious software like ransomware - and they typically rely on the user being tricked into clicking a link or opening an attachment. Even if an email looks legitimate, remember that the sender's name and address are easy to fake, and the text of a link can say one thing while the link itself points somewhere else entirely. So read carefully, hover over a link to see where it really goes before you click, never enable macros or content in an attachment you weren't expecting, and where possible go to the site by typing its address yourself rather than following the link in the email.
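To make the two tricks above concrete, here is a small Python checker, added as an example and not part of the original article, that inspects a raw email for the signs described: a From address whose domain differs from the envelope sender (Return-Path), and HTML links whose visible text names one site while the href actually goes to another. The message it runs on is constructed for the example (the domains in it are made up), and the "base domain" comparison is a deliberate simplification that takes the last two labels of a hostname.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email): the From header claims the
# company's domain, but the envelope sender and the link target point elsewhere.
RAW_EMAIL = """\
Return-Path: <bounce@mail-delivery-check.example>
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: alice@example-corp.com
Subject: Action required: password expiry
Content-Type: text/html

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<a href="http://example-corp.com.login-reset.example/auth">https://portal.example-corp.com/login</a>
</body></html>
"""

# Matches <a ... href="..."> ... </a>; good enough for plain HTML mail bodies.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def base_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.
    Simplification for the example: ignores multi-part public suffixes
    such as co.uk, where a real tool would use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(msg: Message, header: str) -> str:
    """Domain part of the address found in a header, or '' if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatch(msg: Message):
    """Return (from_domain, return_path_domain) when the visible From domain
    and the envelope sender domain differ, else None.
    Treat this as a signal, not proof: legitimate bulk-mail services also
    rewrite Return-Path for bounce handling."""
    from_dom = header_domain(msg, "From")
    rp_dom = header_domain(msg, "Return-Path")
    if from_dom and rp_dom and base_domain(from_dom) != base_domain(rp_dom):
        return from_dom, rp_dom
    return None


def link_mismatches(html: str):
    """Find anchors whose visible text names one site but whose href goes to another.
    Returns a list of (host_shown_to_user, host_actually_linked)."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = TAG_RE.sub("", inner).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." not in shown_host:
            continue  # link text is words like "click here", nothing to compare
        real_host = urlparse(href).hostname or ""
        if base_domain(shown_host) != base_domain(real_host):
            findings.append((shown_host, real_host))
    return findings


def analyse(raw: str) -> dict:
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True)
    html = body.decode("utf-8", errors="replace") if body else ""
    return {
        "sender_mismatch": sender_mismatch(msg),
        "link_mismatches": link_mismatches(html),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the sample, the checker reports that the From domain (example-corp.com) does not match the envelope sender, and that the link shown as portal.example-corp.com really leads to a host under login-reset.example, the same two things a careful reader would spot by hovering over the link and looking at the full headers.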
- Browsing to unsafe websites
Although email is the most used method for delivering cyber attacks, they can also come from unsafe websites, in particular through pop-up adverts and malicious ads served on those sites. One part of this is now easier to spot, as Google Chrome has started marking all HTTP websites as 'not secure'. This is because, unlike HTTPS, plain HTTP is not encrypted, so anyone on the network path between you and the site (on the same Wi-Fi, for example) can read or alter anything you enter into it. This doesn't mean that websites marked 'not secure' are full of viruses and dangerous to browse - but avoid entering personal details or passwords into them. The reverse caveat matters just as much: a padlock or HTTPS only tells you the connection is encrypted, not that the site is honest, and phishing sites routinely use HTTPS too.
- Posting personal information online
Most scam emails rely on manipulating their targets into trusting them, and to make this work the attackers will first gather as much public information on the person and the company as possible: job titles, who reports to whom, who is travelling, and the writing style and email address format they can imitate. An example of this is CEO fraud, a type of phishing in which the attacker impersonates the CEO, usually from a spoofed or look-alike address, and emails finance staff asking for an urgent wire transfer. The less information you post about yourself and your organisation online, the less an attacker has to work with when trying to trick you or your co-workers.
- Not taking action
Even if employees aren't falling for malicious emails themselves, staying quiet about them leaves their colleagues exposed to the same attack. Organisations need to make it easy for staff to report suspicious emails, so that the sender and any links can be blocked and the reports analysed for patterns that give early warning of a wider campaign.
- Lack of training
Even though cyber attacks pose such a big threat to businesses, many still don't take the issue seriously. According to Infosec, 42% of companies worldwide had no security strategy in 2016, and only 49% carried out security threat assessments.
Regular training and assessment are important to ensure all employees understand the severity of cyber attacks and, more importantly, know how to identify them. A study in a Fortune 50 organisation subjected employees to a simulated phishing attack, and 35% of participants fell for it - however, after being given feedback and additional training, this fell to 6%, a drop of more than 80% in susceptibility.