Cyber-attacks can cause serious business disruptions. Your own employees play an important role in fighting cyber threats every day. Unfortunately, employees often fail to consider why hackers might want to target them.
Today, attackers often carefully profile the employees of the company they are targeting. This is done for example through social media and by researching publicly available information. Once a target has been selected, one of the most common ways to execute a cyber-attack, is to send phishing e-mails directly to employees in a targeted company. These emails usually contain either a link or a Microsoft Office document embedded with malicious code. Thus, employees can unintentionally help cyber-attackers break into an organisation.
Phishing emails are tailored to the recipient as meaningful and interesting. The emails can appear to be genuine, triggering victims to click on a link or open a document on their work computer. This action could lead to a web site designed to lure the UserID and password from the victim or release a computer virus or program and allow attackers to control their computers remotely. Usernames and passwords can then be easily hijacked by installing malicious programs that log all keyboard events.
When it comes to phishing emails, it is important for your employees to be wary of emails or phone calls from unknown persons requesting them to act. These can be requests to provide information or open attachments in an email. Be vigilante and consider the following factors if you are unsure how to act in these situations:
Be careful not to use the same passwords across multiple platforms. This is common practice among people however is a serious risk, making things much easier for hackers.
Keeping up-to-date on the most recent threats is vital to enforcing a secure environment. Security awareness actions and training of employees are just as important. Raising awareness among employees for example through webinars, on-site events, as well as proper onboarding of security policies, training manuals and pamphlets, refresher trainings for existing employees, as well as regularly producing intranet articles on IT security topics and practices.
IT security teams are also responsible for ensuring the robustness of the corporate network. This includes implementing of new technologies such as Multifactor authentication (MFA). This requires at least two separate verification methods to authenticate the user's identity in order to login to their account.
Invite your different business area, project and product line management teams to consider their vulnerabilities. What is the confidentiality level of the material they are using and how is this information used by employees? For example, it may be common practice in your company to use online services to share material, send large files, translate information into local languages, or host meetings. It is important to remember, that these services can pose a serious security risk.
It is important to understand the terms and conditions of any online service that is being used by your employees.
As an example, translating sensitive information using a free online translation service may risk the release of critical details to hackers. This can include information that may impact stock price, jeopardize joint venture agreements, or otherwise compromise confidential information.
Consider the following:
Every day, your employees can provide an important line of defence against potential attacks or be your weakest link in the fight against online threats.
To successfully fight cyber-crime, your employees need to know what they are looking for - as only recognised risks can be managed.
Patching human vulnerabilities through security awareness training is just as important as patching technical vulnerabilities
Communication Officer
kristian.orispaa@if.fi