April 27, 2020 by Tim
In my recent presentation on ransomware (replay here), I touched on what I call the human factor of cybersecurity. The basic idea is that most cyberattacks require human assistance from the victim to execute. That could mean clicking a bad link, opening a malicious email attachment, or even falling for a tech-support phone scam. Though it may be difficult to hear, the reality is that users’ mistakes are responsible for the majority of cybersecurity incidents.
“But wait,” you might say. “Isn’t this a cop-out? After all, people hire you to help them with cybersecurity! Are you just saying it’s all on us?”
Answer: of course not! The human factor is not the only element of a good cyber defense. A security professional also uses network monitoring, antivirus software, spam filters, application blockers, and many other tools to secure a network. However, it’s also his or her job to give good advice, and to honestly assess the risks clients face. To that end, there’s no use in hiding the truth: in a small/medium business setting, the human factor is the most important by far.
Just look at the numbers. In 2019, cybersecurity firm Proofpoint found that 99% of cyberattacks “require human interaction to succeed” [source], meaning that basically all cyberattacks exploit the human factor.
Fundamentally, exploiting human weakness requires tricking someone. Obviously, no one wants to let an attacker into their network on purpose. Let’s look at a few of the ways that attackers are able to trick folks into helping them do their dirty work.
Phishing is probably the most common form of cyberattack seen today. A typical phishing scam involves a fake webpage that’s meant to imitate a real site. The goal is to trick you into entering your password on the phony page. The attacker is then able to capture your password and use it to access your real account.
Usually, scammers will distribute phishing links via email. These messages will often include a plea for urgent action: “Your password has expired! Visit our site now to reset it!”
It’s important to always be on the lookout for phishing scams when checking email. Here are some of the tell-tale signs of phishing:
[Image caption] Fake-book.net, definitely not the real Facebook.com!
Remember: when in doubt about an email, delete it!
Social engineering simply means using people skills instead of technical ability to perpetrate a cyberattack. For example, an attacker may call your office pretending to be from Microsoft support, asking that you allow them to remotely access your computer. That’s a basic example, but social engineering attacks can be a lot more sophisticated than that. Cybercriminals will often “case” their target, searching the Internet for information they can use in an attack. One strategy is to discover the name of another company or person you do business with, and then call or email pretending to be them. “Hi, this is Steve from ABC Contracting. I was wondering if you could send over a copy of that document. I’m home sick, so can you send it to my personal email? That’s fakesteve@email.com.”
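The warning signs described above (a look-alike domain such as Fake-book.net, urgency language like “Your password has expired!”, and a “Steve from ABC Contracting” message that arrives from a personal address) can be checked mechanically before a user ever clicks. The following is an added Python example, not code from the original post or from Green Mountain IT Solutions; the trusted-domain list, the partner-name mapping and both sample messages are assumptions constructed for the demonstration.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
# Assumed for this hypothetical small business: the domains it expects mail from,
# and partner names mapped to the domain their mail should really come from.
TRUSTED_DOMAINS = {"facebook.com", "abccontracting.com"}
PARTNERS = {"abc contracting": "abccontracting.com"}
URGENCY = re.compile(r"\b(urgent|expired|immediately|now|suspended)\b", re.I)
LINK_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain: str) -> str | None:
    """Trusted domain that `domain` imitates (fake-book.net -> facebook.com), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = re.sub(r"[-0-9]", "", domain.rsplit(".", 1)[0])  # "fake-book" -> "fakebook"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(label, trusted.rsplit(".", 1)[0]) <= 2:
            return trusted
    return None

def triage(raw: str) -> list[str]:
    """Return the warning signs found in one raw, plain-text email message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    sender = parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()
    findings = []
    for host in dict.fromkeys([sender, *LINK_HOST.findall(body)]):  # sender + every link
        if hit := lookalike(host.lower()):
            findings.append(f"{host} imitates {hit}")
    for name, real in PARTNERS.items():  # the "Steve from ABC Contracting" trick
        if name in body.lower() and sender != real:
            findings.append(f"claims to be {name} but was sent from {sender}")
    words = sorted({w.lower() for w in URGENCY.findall((msg["Subject"] or "") + " " + body)})
    if words:
        findings.append("urgency language: " + ", ".join(words))
    return findings

# Constructed sample messages modelled on the post's own examples (not real mail).
PHISH = "From: security@fake-book.net\nSubject: Your password has expired!\n\nVisit https://fake-book.net/reset now to reset it!\n"
IMPERSONATION = "From: Steve <fakesteve@email.com>\nSubject: That document\n\nHi, this is Steve from ABC Contracting, home sick today. Can you send it to my personal email?\n"
```

Heuristics like these only flag messages for a closer look; a trained person still makes the call, which is why the training section below matters.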
So, what steps can we take to minimize the human risk factor? Let’s take a look at a few preventative measures.
When it comes to managing the human cybersecurity risk your company faces, a little training goes a long way. A training session of just an hour or two is enough to teach your team the basics of how to spot a phishing email or social engineering attack. Most importantly, cybersecurity training helps to create a sense of vigilance. Attackers are counting on the fact that people won’t think twice about a scam. If you can make it so that folks are just a little more suspicious when a funny-looking email lands in their inbox, you’re already ahead of much of the competition when it comes to cyber-defense.
Green Mountain IT Solutions offers cybersecurity training at reasonable rates. Training sessions take only 1-2 hours. Contact us today for details.
Even with properly trained users, the chance remains that someone could still be fooled by an attacker. That’s where your second line of defense, access control, comes into play. Make sure that every person at your company only has access to the computing resources that he or she needs. Usually, the bookkeeper doesn’t need to have access to every file on the network. The Engineering department doesn’t need access to the Marketing files, and Marketing doesn’t need access to Engineering. By setting up this kind of segregation, you can limit the impact of any possible cybersecurity incidents. You may still experience some losses or data breaches, but that is a lot better than losing everything.
As always, I’ve saved the best for last. We’d all prefer not to lose anything if it can be avoided, and that’s why having a good backup should be a number-one technology priority. When you have a strong backup system in place, you can be confident that you will survive whatever cyberattacks your business may face. This means having backups stored both on-site and off, and testing them regularly to make sure they work.
Not so confident in your business’s backups? Contact Green Mountain IT Solutions today and regain your peace of mind. We’ll set you up with a bullet-proof backup that will be there when you need it.
That’s all for this week! Don’t forget to fill out the subscription form at the top right of this page to receive new posts weekly via email.