
Employee training – your secret advantage in cybersecurity 

Introduction

Organisations are facing a growing number of cyber attacks, and the attacks are becoming more sophisticated. Around one quarter of charities and a third of businesses overall reported breaches or attacks in 2022. Most medium-sized businesses (59%) experienced a breach or attack (Cyber Security Breaches Survey 2023). 

Phishing attacks represent the overwhelming majority, with Deloitte reporting that 91% of attacks begin with a phishing email. 

Where phishing is concerned, “Humans remain the primary risk vector” (Microsoft Digital Defence Report 2023). User awareness training can educate your staff and help them become an effective part of your cyber defence strategy, but it needs to be the right kind of training delivered in the right way. 

Cyber attacks are on the rise 

the number of human-operated ransomware attacks is up more than 200 percent since September 2022.”  

The rise in cyber attacks, coupled with their growing sophistication, creates an increasingly challenging environment for businesses. As well as the time and money lost as a result of a breach, there is the potential damage to reputation (which is often a greater concern). 

Scammers take advantage of human nature 

“74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.” (Verizon’s 2023 Data Breach Investigations Report)

Scammers typically look for a way to trick an employee into doing something that will give them access. These social engineering attacks can take many forms, including: 

Phishing – e.g. the attacker sends an email that contains a malicious link;  

Scam phone calls – e.g. an employee receives a call purporting to be from a trusted source such as Microsoft, BT or Tech Support. The scammer then convinces the employee to give them remote access to their computer; 

Fake wireless networks – e.g. in a café or public place. The fake network could have an innocent-sounding name to build trust, such as “Starbucks Wi-Fi”, “Costa Guest” or “BT Hotspot”;

Malicious websites – e.g. a seemingly legitimate website offering downloads that tempt a user to click; 

USB devices – e.g. a USB device (containing malware) left in a public place. When someone inserts it into a computer, their device is infected with malware which can then be spread across the work network. 

Employees may be tricked into doing something that exposes the organisation’s IT system to malware, or even into sending money or data to a scammer (e.g. if they believe they are paying a legitimate invoice or sending a document to a trusted contact). Sometimes mistakes are made due to stress or in the rush to get things done, especially if staff are not fully aware of the risks involved or the possible repercussions of their actions.  

It is important that staff learn how to spot these scams and that they report them so that the organisation can act to limit any damage. 

Train your employees to be alert to cyber scams – and check what they have learned 

Every member of staff with access to IT needs to understand the risks and how their actions affect the organisation’s IT security. But it’s not enough just to point them in the direction of your cybersecurity policy or staff handbook. These documents may be read once (if at all), and then forgotten. With no way to test whether rules have been remembered or if they would be properly applied in a real-life scenario, many organisations leave themselves open to attack. 

We use a specialised platform to deliver relevant training that teaches staff about the range of tactics used by scammers to extort information and money. Simulated phishing attacks provide insight into how threat-aware employees are, as well as highlighting any extra user training required. We can assess how click-prone your personnel are and arrange for appropriate education. Using simulated phishing tests, we typically see click-through rates of around 20% before training drop to under 5% after training, with staff more vigilant to cyber attacks and better able to identify scams and take the right action.

Cybersecurity training is also a compliance issue 

Speaking about the £4.4m fine levied in 2022 on Interserve Group Ltd (who fell prey to a phishing email that facilitated a ransomware attack), the UK Information Commissioner, John Edwards, said: 

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

Get the right training for your people   

Staff are an integral part of your cybersecurity and training them should be part of your cybersecurity plan. 

The majority of breaches include a human element. With effective training, your staff can become valuable assets in your cyber defence strategy and help you avoid the costly consequences of cyber attacks and data breaches.  

To discuss the ways in which user training would benefit your organisation, or how simulated phishing tests could help you assess your risks, contact us.