By: Matt Lindley, COO and CISO at NINJIO
The ultimate goal of any effective cybersecurity platform is to make digital safety and awareness second nature to employees. This means companies have to be proactive and instill the right habits, which often means resisting the bad habits that lead to millions of successful cyberattacks every year – from the use of generic and easy-to-crack account credentials to the willingness to click on suspicious links and attachments in emails from untrusted sources.
The vast majority of cyberattacks rely on social engineering – the deception and manipulation of victims to coerce them into either opening malware or voluntarily providing sensitive information. Cybercriminals know their victims reliably fall for certain scams and fail to take even rudimentary precautions against cyberattacks, and their ruthless exploitation of these vulnerabilities results in millions of breaches and billions of dollars lost every year.
Social engineering only works on employees who aren’t concerned about basic cybersecurity hygiene and don’t know how to identify a suspicious email or other signatures of a cyberattack. Employees with the right training, on the other hand, have developed the right habits to help them spot and thwart cyberattacks. Let’s take a closer look at a few of those habits.
- Ensure that account credentials are secure. According to Verizon’s 2021 Data Breach Investigations Report, credentials are the type of data cybercriminals most want to steal in a breach. This is because credentials can be used to access a vast pool of sensitive data, from bank account numbers to healthcare records, which is why they’re involved in 61 percent of breaches. But a survey conducted by Google and Harris found that many people still refuse to adopt even the most essential credential security measures: just 37 percent use two-factor authentication, around a third change their passwords regularly, and a mere 15 percent use a password manager. Meanwhile, a quarter report that they’ve used generic passwords like “password” and “ABC123.” All of these habits leave the door wide open for cybercriminals, which is why cyber-aware employees always use complex and original passwords, update them frequently, and use password managers.
- Confirm the senders and recipients of messages. Cyber-aware employees always know exactly who they’re communicating with, which protects them from many of the most common and destructive cyberthreats. For example, wire fraud is a form of social engineering in which cybercriminals send fraudulent requests for direct payments, and companies have seen a drastic increase in these attacks over the past decade. Employees can defeat these attacks by identifying irregularities in transfer requests (such as altered amounts, account numbers, and contact information), refusing to accept email or SMS voice confirmations, and calling legitimate institutions to verify that requests originated in the right place. These aren’t just strategies employees should observe with wire transfers, either – they apply to any digital communication.
When employees receive what they suspect is a malicious email, it isn’t enough to avoid clicking – they should contact a manager or someone in the IT department to report the threat. This type of proactive threat mitigation will ensure that everyone in the company is on guard against potential cyberattacks.
- Don’t overshare or overuse information. Verizon has found that personally identifiable information (PII) – which refers to any information that can be used to identify someone and is also known as “personal data” – is the most common type of data to be breached. According to Pew, 64 percent of Americans have “at least one online account that holds their health, financial or other sensitive personal information,” while the exact same proportion of respondents have “experienced or been notified of a significant data breach pertaining to their personal data or accounts.”
This is because most people have bad habits when it comes to information security – 39 percent have reused their social media login credentials on other sites, while a significant proportion of employees overshare online. Employees can keep their information safe by changing social media settings to private, practicing good password hygiene, and refusing to share information with unknown recipients.
- Use all the cybersecurity tools at your disposal. While we’ve discussed some of the resources that employees have to keep personal and company information safe (such as password managers and multi-factor authentication), there are many other tools that should be non-negotiable for a cyber-aware workplace. For example, as many companies continue to allow employees to work remotely, VPNs are becoming more and more crucial. Public WiFi can easily be exploited by cybercriminals (through direct infiltration or the creation of fake hotspots), but the vast majority of people still use it – and many don’t use a VPN when they do so.
- Know how to identify a phishing attack. Phishing is by far the most common type of cyberattack – according to the FBI, there were more than 241,000 reported victims of phishing in 2020, while Verizon confirms that it accounts for over 80 percent of social engineering attacks. Phishing is a broad category of cyberattack, which encompasses everything from business email compromise (BEC) – in which cybercriminals impersonate people in positions of authority or gain direct access to their email accounts – to mass emails that contain malware. Because phishing is used so widely, effective countermeasures include many of the habits listed above – from credential security to verified communications.
But there are other warning signs employees should be able to recognize and proactively report to management: emails and other digital communications that demand immediate action or use threatening or coercive language, links that don’t use an encrypted connection (always look for the padlock and “https” on the left side of the address bar), emails with broken English or international domain extensions, and link previews that don’t make sense.
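As an added illustration (not code from the original article or from NINJIO), the following script checks a single email message for three of the warning signs listed above: urgent or coercive wording, links that don’t use https, and link previews whose visible text names a different host than the link actually points to. The urgency phrase list, the sample message and every address and domain in it are constructed placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency / coercion phrases to flag (assumed list; tune it for your own mail traffic).
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|suspended|final notice|legal action)\b", re.I)

class LinkParser(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw_email: str) -> list[str]:
    # Returns the warning signs found in one single-part RFC 822 message.
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent or coercive language")
    parser = LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        target = urlparse(href)
        if href and target.scheme != "https":
            findings.append(f"link not using https: {href}")
        if "." in text and " " not in text:  # visible text looks like a URL or host name
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown and target.hostname and shown != target.hostname:
                findings.append(f"link text shows {shown} but points to {target.hostname}")
    return findings

# Constructed sample message; sender, domains and wording are placeholders.
SAMPLE = """\
From: IT Support <helpdesk@example-it.test>
Subject: Your account will be suspended
Content-Type: text/html

<p>Log in immediately at <a href="http://login.example-it.test/reset">https://portal.example.test</a>.</p>
"""
```

Running `phishing_indicators(SAMPLE)` reports all three signs for the sample; an https link is only the absence of one indicator, not proof that a message is legitimate, so the other checks still run on it.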
Despite the fact that public awareness about cyberthreats has never been higher – owing to major news stories like the recent Colonial Pipeline hack – the FBI reports that the total number of cyberattacks (as well as the amount of financial damage they cause) only continues to rise. But this doesn’t mean all employees are falling for these attacks – an ever-increasing number of employees are establishing healthy cybersecurity habits. While there’s still a long way to go before these habits are commonplace at most companies, we already know which ones are worth focusing on – it’s just a matter of providing the right education as widely as possible.