What is the biggest threat to your businesses cybersecurity? Many people view security as a series of switches or technologies they need to "turn on" in order to be protected. As long as you have a firewall up and running or are using an anti-virus software you're safe right? While these are important and crucial parts of a cybersecurity plan, they shouldn't be viewed as your first line of defense against bad actors. What many businesses fail to realize is that your humans are often the weakest link in your organization.
Cyber criminals know that humans aren't perfect, and at some point in their career they'll slip up and make a mistake. Through the use of "social engineering", bad actors attempt to expedite this slip up by psychologically manipulating employees into giving up sensitive information. The most common form of social engineering is "phishing". Phishing comes in various different forms but it is primarily implemented via email. Cyber criminals will send an email pretending to be a fellow employee or maybe even a manger and ask the victim to either click on a malicious link, or send over sensitive information that can be used in a breach. The impersonator will often use urgent language to pressure the employee into responding without fully thinking it through. Usually, a phishing email can be spotted if the user is looking carefully, which is why hackers try to scare victims into a reaction.
Using urgent language isn't the only tactic bad actors use. Standford also found that 45% of their survey respondents cited distraction as the reason for falling for a phishing scam. At first glance these phishing emails look like the real deal. Cyber criminals will often impersonate popular brands or companies like Amazon or Microsoft to look official. These types of emails are usually accompanied by graphics or images with company branding to add credibility. If someone isn't fully focused on looking for a phishing email they might accidentally click on a link they aren't supposed to.
An acronym that you can use to help your employees spot phishing emails when they hit their inbox is to simply remember P.H.I.S.H.
Pause - You should always think before you click. Take a second and pause before responding to an unusual request or email.
Hover - Hover your cursor over any links to make sure that it is sending you where it claims it will.
Inspect - Look for any grammatical errors, spelling mistakes, or punctuation that doesn't look right. This can be a dead giveaway that it isn't legitimate.
Source - Who is the email coming from? Don't respond to suspicious emails originating from outside the organization.
Help - If you aren't 100% sure of an email's validity, don't be afraid to ask for help. Flag it our go the person who claims to have sent the email.
The most effective way to curb social engineering is through security awareness training. Teach your employees what a phishing email looks like and how to respond correctly. This will be the best way to ensure that your humans are secured and protected from outside attackers. CorpInfoTech can help your organization prepare for the eventually of a social engineering attack. Through security awareness training we can educate your users on how "fight the phish" and protect your organizations private data!
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.