Since the beginning of the pandemic in 2020, the FBI has noted a fourfold increase in cybersecurity complaints.
It’s no surprise. COVID-19 and the resulting shift to remote work have had enormous implications for the world of cybersecurity. For most organisations, it has meant greatly accelerated or unplanned cloud migrations and the very swift procurement of IT products and services. Many companies were forced to rush through security measures to keep vital business operations running. There is no doubt that working from home has created new levels of vulnerability and risk.
Now, those responsible for managing cybersecurity are assessing how their people respond to the security infrastructures adopted during the sudden shift to remote working. For example, many home workers use personal devices to do their jobs (even though they may well have been asked not to). Are these devices secure? Is business data vulnerable when the fail-safes on an office device are not there?
Cyber threats have become more sophisticated and intense amid the increasing levels of remote work and dependence on digital devices.
These are the three main cybersecurity threats that businesses face in 2021.
Business email compromise (BEC) attacks use real or impersonated business email accounts to mislead employees and defraud businesses. These attacks have risen since last year and are set to grow more.
In December 2020, Keeper reported that uncertainty caused by COVID-19, Brexit, and the move to remote working had led to 70% of UK finance companies experiencing BEC attacks in the preceding year. In May 2021, GreatHorn compiled The 2021 Business Email Compromise Report, with data based on an online survey of 270 IT and cybersecurity professionals in the US.
The report highlights trends, issues, and gaps in fighting BEC attacks and related email threats:
The only way to navigate these security challenges is by training staff. It’s vital to create a programme that informs and educates on all of your company’s security needs while, of course, reinforcing the positive behaviours that your people are already demonstrating.
It is important to discuss the language typically used in spoof emails so people can more easily spot potential scammers. You can stage cyber drills to show how sophisticated these scams can be.
Cybersecurity can be complex, but our experience shows that issues can often be as simple as a staff member struggling with installing antivirus software on their personal device. With straightforward steps, security can be enhanced.
Many ransomware gangs have shifted their focus to Managed Service Providers (MSPs): platforms serving multiple clients at once. If a hacker gains access to an MSP, they can potentially reach multiple end-user clients. Typically, MSPs are hacked via poorly secured remote access tools. This can be due to faulty infrastructure as well as a lack of user understanding.
Market intelligence identifies ransomware as an increasing threat to businesses worldwide:
New remote, or partially remote setups have created new challenges that demand a holistic approach from organisations to truly secure growing cloud networks and to implement and maintain robust remote working best practices in security.
Fundamentally, the principle of least privilege must be enforced both between peers and companywide. It’s essential to educate staff to only share documents and information with verified parties.
Further skills training for staff is necessary, encouraging them to:
Phishing and social engineering attacks are arguably the most prevalent and dangerous types of cybercrime that organisations worldwide are currently facing. Recent data from Google Safe Browsing shows that there are now nearly 75 times as many phishing sites as malware sites on the internet. This number rises daily as more and more attackers exploit vulnerabilities.
Recent research from Verizon has shown how these attacks can infiltrate a company:
According to a study by APWG, the biggest category of phishing is targeted towards webmail and Software-as-a-Service users. These types of attacks make up 34.7% of phishing attempts.
And according to the results of Terranova Security's 2020 Gone Phishing Tournament, almost 20% of all employees are likely to click on phishing email links. Of those, a worryingly high 67.5% then enter their credentials on a phishing website. This means 13.5% of employees are likely to submit their passwords on a fraudulent phishing page.
In 2020, the most common subject lines of phishing emails were as follows:
These subject lines show that criminals attempt to capitalise on three areas of perceived ‘weakness’:
Education on this is vital, and for CISOs it can seem overwhelming. But often there are people within your organisation you can lean on to assist with this process.
For example, internal comms teams can help you talk to the staff body as a whole. Marketing teams may be able to advise on the best way to reach your audience, often across multiple channels, geographies, languages and knowledge levels.
Cybersecurity is a persistent and growing threat, and for CISOs it can sometimes seem like a losing battle to stay ahead. However, with smart staff training, tactical decision-making and the ability to constantly adapt, security risks can be significantly reduced so that your business continues to function successfully.
Please feel free to contact us for more information on integrated, practical staff awareness and training programmes to combat these main cybersecurity threats, and many others.
© The Security Company (International) Limited 2023