By Andy Syrewicze, Microsoft MVP and Technical Evangelist, Hornetsecurity
2023 has seen a host of malicious cyber-attacks targeting a range of organisations from police forces to healthcare providers. The threat landscape has transformed drastically across the course of my career, with as many as 500 potential cyber attacks now being logged every second.
Because of this, it can be more confusing than ever for organisations to understand how to best protect themselves from threat actors. Recent research from Hornetsecurity revealed that almost 60% of businesses are ‘very’ to ‘extremely’ concerned about ransomware attacks, however, one in eight organisations (12.2%) are without a disaster recovery plan. Of those companies, more than half cited a ‘lack of resources or time’ as the primary reason, showing the importance of educating business leaders about how they can avoid cybersecurity horror stories.
The dangers of unmanaged IoT devices
With the rise of smart technology, Internet of Things (IoT) devices have become commonplace in offices and workplaces worldwide. IoT devices can cover anything from smart door locks, fitness trackers, medical sensors or even a refrigerator. At a glance, these devices can appear harmless, however, due to their internet connectivity capabilities they can be manipulated by threat actors to execute cyber-attacks.
The most striking hack I have observed in my career concerned a smart lighting system in a fish tank which had been manipulated to launch targeted ransomware in an office building. The problem with IoT devices lies in the difficulty of identifying these devices due to their seemingly harmless appearance. I later discovered that this was not as unique as I had first thought – a similar attack occurred at a casino. Thankfully in the case of the fish tank lighting, the attack had a smaller scope and only targeted a handful of computers, meaning that the collateral was minor and easily recovered once the device was identified.
The fact that these attacks stemmed from seemingly harmless IoT devices shows the importance of keeping track of all devices in an office space. By ensuring regular firmware updates are carried out, multi-factor authentication is used for said devices, and/or ensuring that IoT devices are put on a dedicated network, organisations can prevent outside access to administrative elements of IOT devices which will in turn prevent cyber-attacks.
How Security Awareness Training can prevent phishing horror stories
It’s no secret that phishing is one of the most popular cyber-attack methods, accounting for around 40% of all cyberattacks. Recent Hornetsecurity research revealed that 40% of all email traffic poses a threat, with 5% of daily global email traffic (approximately 19 billion emails) being classed as malicious.
The clear threat to businesses from cyber-attacks has been bolstered thanks to the development of generative AI models which can be manipulated to quickly generate realistic and successful phishing attacks. Phishing attempts pry on human vulnerabilities to embezzle funds out of organisations, and some of the most devastating phishing schemes I’ve seen in my career showcase the importance of educating employees as a preventative method to these attacks.
Another example involves targeted spear phishing against a managed services provider. The CFO received an email that was seemingly from the owner of the company. This email was very cleverly crafted with all correct identifiers, contact details and titles, but the message was somewhat off, in that it was asking the CFO to remit payment for a 72k invoice via direct wire transfer, which was out of the norm. Thankfully the CFO had undergone some security awareness training and was able to identify that this was a spear-phishing attempt. Strangely enough, the MSP had an ongoing project with local law enforcement at the time and ultimately caught the perpetrator, giving this horror story a somewhat happy ending.
In a survey of over 2,000 IT professionals, a quarter (25%) said they were unsure, or incorrectly believed, that Microsoft 365 was immune to ransomware attacks. This false sense of security means that are unlikely to have bolstered their defences with third-party tools. By offering effective security awareness training, organisations can empower employees with the ability to recognise new cyberattack methods and help foster a sustainable and well-rounded cybersecurity culture equipped to deal with current and future cyber threats.
From witnessing horror stories like these, it’s clear that keeping track of the devices in use within an organisation and staying educated against the current threat landscape is of paramount importance. Organisations must also invest in appropriate, sustainable and robust defence methods to ensure that data remains safe. This could be technical defences including filters and firewalls, monitoring tools and other innovative solutions such as those driven by machine learning as well as deploying a security awareness training programme to foster a sustainable security culture amongst employees.