Survey results published in June 2021 indicate a significant percentage of remote workers are taking shortcuts around their organizations’ security policies. Additionally, many respondents admitted they failed to report security-related incidents that occurred while working from home. IT managers polled predict a rise in social engineering attacks as employees return to the workplace or companies transition to a hybrid work model.
The number of ransomware attacks has increased four-fold during 2020 and 2021. The average amount of ransom paid has more than doubled since 2019. Two of the three top ransomware attack vectors targeted users who apparently lacked the training necessary to recognize the threat. These are but a few of the justifications for making cybersecurity training a priority.
Some Alarming Stats
In May of 2021, training provider KnowBe4 published results of their review of 100 cybersecurity research studies conducted by various organizations. These studies revealed that, without exception, social engineering ranked number one among all security threats. KnowBe4 also cited a recent survey conducted in the United Kingdom wherein phishing was identified as the vector used in 79% of successful cyber attacks.
Ransomware attacks can be devastating to an organization. Some are unable to survive due to monetary damages and loss of customer trust and confidence. According to information posted by PaloAltoNetworks.com, two of the top three attack vectors used in ransomware attacks involve the delivery, via email, of malware payloads and malicious links. In June 2021, KnowBe4 reported that the average amount of the ransoms collected by criminals has risen from $80,000 in 2019 to $170,000 in 2021. Between the beginning of 2020 and the end of the first quarter of 2021, the number of ransomware attacks increased by 422%.
Results of polling commissioned by cybersecurity provider Tessian published in June 2021 revealed that a fourth of remote workers surveyed admitted to making mistakes that could have compromised their employers’ networks, data, or systems. These same employees said they did not intend to report their errors.
Of the respondents 24 and younger, 51% said they used workarounds to avoid company-mandated security directives. Of the 4,000 technology users in all age groups who responded to the survey, nearly 40% admitted that they hadn’t adhered to all company security policies while working remotely. Among the 200 IT managers polled, 56% believed employees developed bad security practices while working remotely. Nearly 70% of those managers expressed concerns that, as employees return to the office or their organization’s transition to hybrid work environments, the number of social engineering and ransomware attacks will increase.
Top Social Engineering Attack Variants
According to Social-Engineer.org, all of the top four attack vectors currently being used to compromise organizational and individual security are forms of social engineering. They are phishing, vishing, impersonation, and SMiShing.
To defend against phishing, employees should be trained to recognize suspicious emails and refrain from downloading attachments or clicking on potentially malicious links. Vishing is essentially phishing via phone calls. Attackers often spoof their numbers so that calls appear to be coming from within the organizations targeted. Impersonation tactics can be used in combination with various other attack vectors.
Criminals may claim to be important customers, fellow employees, or members of management and pressure targets into taking some action that compromises company resources. In SMiShing attacks, actors utilize text (SMS) messages to contact their potential victims.
Policies and procedures need to be created and effectively communicated through training of employees to ensure that they recognize and report potential attacks and that they do not provide sensitive data to a cybercriminal.
Technical Controls Aren’t 100% Effective
There are some very effective tools available that can filter out the vast majority of malicious emails, but some will inevitably reach their intended recipients. Many email filters use AI to identify domains from which malicious messages originate, then begin blocking subsequent messages originating from those domains. But domains are cheap and easy to get. Once attackers learn that their messages are being filtered, they simply acquire new domains from which to send their emails.
Organizations should certainly implement the most effective technical controls available to protect their resources from hackers and scammers, but without effective training programs, no cybersecurity plan is complete. Devastating ransomware attacks often begin with a single email making it through a filter and being delivered to an employee who lacks the knowledge to recognize it as a potential attack and report it.
Prioritizing Training and Creating an Effective Program
Given that it is a human vulnerability that allows social engineering attacks to succeed and remain the top threat to most organizations, your company’s last and best defence is a solid training program. Even if the budget doesn’t allow for full-time employees to devote providing security training, there are alternatives available. These include learning management systems (LMS) that allow you to automate training and deliver it to your employees whether they are in the office or working remotely. There are also cybersecurity training providers if you prefer the “as a service” model.
New threats are constantly emerging while old ones are evolving into new variants. This means your training program can’t be limited to one class per year or quarterly training sessions. Training should be continuous. Since phishing is the top threat, you may want to take advantage of new features being offered in some Microsoft 365 environments that allow for the creation of automated phishing simulation campaigns. Some third-party training providers offer these simulations as well.
Establish a baseline and evaluate the effectiveness of your program over time. LMS and third-party providers can generate metrics that will allow you to determine what works and what doesn’t. Modify your program accordingly.
Implement a reporting procedure whereby employees can report suspicious incidents, emails, phone calls, etc. Then teach them how to use it.
Conclusion
Security training is risk management. Consider what other risks apply to your organization and whether any have the potential to impact operations as severely as a $170,000 loss due to a ransomware attack resulting from a lack of user training. Keep in mind that many organizations successfully attacked are targeted again within a few weeks or months because they’ve been identified as a vulnerable entity that is willing to pay.
If even a single malicious message makes it through your technical controls and is delivered to someone who unwittingly clicks a link, you could lose access to all of your critical data and potentially facilitate the exposure of sensitive records online even if you do pay a ransom. You are, after all, dealing with criminals who can’t be trusted.
Perhaps evaluating the level of risk as it compares to the cost of an effective training program will convince the powers that be to find and implement an effective cybersecurity training solution for your organization.
Security Training From a Local IT Company
We’re based in Edmonton with support partners in all major Canadian cities. We offer remote IT support anywhere in the world you happen to be. Foresight for IT’s full-circle approach to IT from setup, support, security and scalability means that we handle everything and your vital services are consistently up and running. Our always-on technicians and business IT support plans take the hassle of technology management off your desk and puts it into the hands of our experts.
Other Proactive Measures to Protect Your Business
Businesses of all sizes are the target of countless cybersecurity attacks every year. Foresight for IT offers proactive cybersecurity strategies that protect your business data from falling into the wrong hands, saving you from costly downtime and public humiliation.
These strategies include:
- Disaster Recovery
- Antivirus/Malware/Ransomware
- Email Security & Archives
- Internet Monitoring