Security has become a necessary expense that organizations must budget for in today’s day and age. Hacking, viruses, malware, and ransomware are becoming more common and more sophisticated every year. As such, defenses need to constantly be evaluated and updated to stay current. Most organizations put a heavy emphasis on security hardware and software, as these are key weapons in the security fight; they look at what they can purchase to put up the best defense, and they don’t look much further. In reality, this leaves a key piece of the technology infrastructure virtually unprotected…
Users are often the most vulnerable point of entry into any system.
A large segment of business owners feel that users are capable of discerning a legitimate email from spam and spoofed emails. The statistics show otherwise. The truth is that a large percentage of users fall victim to very clever schemes that end up providing access to valuable company resources.
According to Verizon’s 2016 Data Breach Report, 30 percent of phishing emails were opened, and 13 percent of the recipients who opened them clicked a bad link. Oftentimes, security tools don’t catch these events until after the malicious payload has already been deployed.
Just a few months back, a cyberattack went viral in which users were tricked into clicking a fake email spoofing someone they knew, asking for a non-disclosure agreement to be updated and signed. This is one of the most elaborate scams I’ve seen—from the branding of a well-known software vendor, to the language—there were no obvious signs that anything was out of place… The scam went as follows:
- A link in an email took users to a page asking them to validate their account, and prove that they were who they said they were by authenticating against a cloud resource
- Once they entered their credentials, the hackers gained immediate access into their email accounts
- From there, hackers could create the same message—only, at this point, it became a legitimate email from each of the hacked users, and it was sent to every contact in their own address books.
- Finally, many of the users who regularly did business with the hacked user assumed that the email was credible, and they then followed suit by clicking the link to sign the agreement for themselves
…A successful hack now had traction. In addition to being able to reach and trick more people, the attacker also had credentials to access whatever systems that specific user had access to. The attack could’ve gone even further and embedded remote access software, ransomware, or any number of other malicious payloads alongside the password-stealing message that was so successfully distributed.
Human error is the single largest vulnerability on the network. While the vast majority of security incidents are innocent mistakes, there are a number of areas that target end users, ultimately placing the organization at risk. End users need to be made aware of the following threats:
- Phishing emails
- Emails that contain a virus
- Websites that have viruses and malware embedded
- Weak, stolen, stale or default passwords
- Lost equipment containing company files
IT security teams implement security measures to mitigate risk at a cost-effective level. Recognizing that end users are one of the largest vulnerabilities on the network, it stands to reason that training those users would reduce the overall risk to your infrastructure. Just like other security measures, security awareness training isn’t guaranteed to eliminate risk, but its intent should be to mitigate that risk.
I encourage all of our clients to make recurring end user security awareness training a priority. It’s perhaps one of the most cost effective tools to use in cyber defense. The expenses are relatively low to implement and the rewards could end up saving your organization.
To measure how ready you and your team are to defend against emerging threats, check out our cyber guru’s blog, which includes a simple, secure quiz.