Our latest blog on How to Survive a Disaster focuses on the less obvious factor – user error and vulnerability.
Cyber crime is on the rise, especially as people and businesses do more online, and the biggest risk associated with cyber crime is user error.
This makes sense when one considers that IT awareness amongst staff has failed to keep up with the high quality cyber security solutions now available.
For example, a good network security solution, used in conjunction with endpoint and email security, covers key areas of online vulnerability. But whilst this is a means of preventing exposure to malicious content, they cannot protect businesses from user error or lack of awareness.
The Dangers of Social Engineering
No matter how sophisticated cyber security becomes, user behavior is unpredictable and remains a key risk factor.
Ultimately, cyber criminals are opportunistic. They know that it’s far more straightforward to trick a user into clicking a link than bypass a system designed to detect anomalies. Well-designed phishing emails can prey on the curious, desperate, or even oblivious. And it only takes one careless click for a disaster to occur.
Perhaps an employee receives an email that appears to be from ‘Dropbox’ or ‘Office 365’ – an email that they’re expecting or trust – but is actually a vehicle to harvest credentials. By clicking the link, the user is directed to a convincing spoof login page. Any credentials entered are then transmitted directly to the cyber criminal.
A high-profile court case concluded only recently, in which a business brought legal action against an employee for unwittingly transferring over £200,000 to a cyber criminal.
An example of ‘whaling’ (the targeted impersonation of a senior executive), the victim was sent a ‘spoof’ email impersonating the Managing Director, requesting that urgent invoices be settled when possible.
The Managing Director was on holiday at the time. This meant that the criminal had prior knowledge of their absence and was able to manipulate the situation to make significant financial gain.
Poorly Configured Firewalls
Improperly configured network security is almost equivalent to not having any at all.
Its role is to protect your business’s network from malicious traffic, but if it isn’t set up properly, you could end up blocking genuine user requests to your network – or worse, allowing ransomware packages and data miners to infiltrate your corporate network!
Network security can be configured and maintained as part of Neuways managed IT service, eliminating the risk of a poorly configured firewall.
Whilst network security is one of your greatest assets in the battle against cyber crime, user error can lead to unexpected backdoor exploits, putting both yours and your customers’ data at risk.
If these exploits are taken advantage of by the wrong person, you’re looking at a data breach or costly downtime.
Lack of a BYOD Policy
Lack of a comprehensive BYOD (Bring Your Own Device) policy enables the exploitation of users, and by extension – your business.
Whilst your workplace devices have the latest enterprise-grade cyber security solutions in place, non-corporate devices often lack the equivalent security methods. Giving staff unrestricted access to your network with their own devices risks the circumventing of your business’s cyber security measures. For example, if a personal device infected with malware connects to your WiFi, you’re potentially creating a backdoor into your business.
A properly implemented BYOD policy might, for example, restrict access to the corporate network unless the device has fully up-to-date endpoint security. This means that you’re able to block access to mobiles, laptops, and other devices that fail to meet basic cyber security standards. Another criteria might be that staff must install multi-factor authentication in order to be granted access to the business network.
Remote working is proven to increase productivity and enable a far better customer experience. The perks far outweigh the drawbacks. However, it is only a secure method of working if a BYOD policy is in place. Failing to do this puts your business at increased risk of a cyber attack or data breach, and the downtime that often follows these disasters.
IT Awareness Training: Knowledge is Power
If you and your team are unaware of what to look for in a phishing email, you’re not going to be able to recognise it for what it is.
Cyber crime is evolving daily, as are the associated cyber security solutions, so it stands to reason that people too must keep up with these developments.
This is why IT awareness training is so important. It empowers your staff by giving them new skills, enabling them to play an active role in keeping your business secure and diminishing user error.
So, what do you need to look out for in a phishing email? We sampled a spoof Office 365 email to demonstrate these points. After all, Microsoft Office 365 phishing was the most popular type of phishing of 2019.
Check the email address
Spoofing emails often contain anomalies in their addresses, like the O365 example we have included here. It is clearly not from a Microsoft domain.
In the example provided, the subject contains a threat to shut down your O365 account. This is to prompt an urgent response from the victim, encouraging them to click the link.
Inconsistent spelling and layout
Lack of capitalisation in ‘office 365’, a space between ‘verify’ and the full stop, and completely different fonts – phishing emails are hastily assembled and often contain errors like these.
In short, user error can cause havoc and open up a range of threats to your business.
Whether it’s falling for a phishing attempt, failing to setup your IT functions properly, or accidentally unleashing malware into your network through an unsecured device, the end result is the same:
Costly downtime for your business!
Ideally, you’ll be able to avoid a disaster with the relevant IT awareness training. But accidents happen, and it’s your ability to recover from a disaster that determines the cost of the incident.
This is why we always recommend having a comprehensive, flexible business continuity and disaster recovery plan in place.