NCSAM: Keep Attacks At Bay With Employee Security Awareness
October is National Cyber Security Awareness Month (NCSAM) and like Halloween, cyber threats can be pretty scary. This month, we will post a series of articles to help minimize IT security risks through end-user awareness and training.
What is National Cyber Security Awareness Month?
Started in 2003, National Cyber Security Awareness Month is a collaborative effort between the Department of Homeland Security and the National Cyber Security Alliance. Each year, NCSAM highlights different themes with a strong focus on helping consumers avoid becoming victims of cyber attacks.
Because we are a Managed IT Service Provider for businesses and organizations in a multitude of industries, we wanted to focus on how cybercrimes affect companies. Cyber attacks are the biggest threat to organizations today, and they don’t just prey on large corporations. Cybercrimes targeting companies with fewer than 250 employees have steadily increased over the last five years, affecting 61% of SMBs in 2017.
Biggest Security Risk
Employees are the weakest link for organizations when it comes to cybersecurity. Even if your business has deployed all the security tools possible, including anti-virus and anti-malware software, firewalls, email and web filtering, and so on, an action by a single employee can cost your business thousands of dollars or compromise customer and employee data. If attackers can bypass all of these controls, you can bet they are sophisticated enough to trick your employees into opening an attachment, clicking on a link or even transferring money to a fraudulent bank account!
So what are the most common ways these cybercriminals are using your employees to infect your network?
Social engineering is a term used to describe the psychological manipulation of people into performing actions or divulging confidential information. There are several different ways cybercriminals use social engineering to attack businesses. Below are some examples; the most common types of scam are discussed in more depth afterwards.
- Phishing, spear phishing, and vishing:
Most common form. See below.
- Watering hole:
Attackers set traps in websites their target victims are known to frequent.
- Pretexting:
Cybercriminals create a fabricated scenario to obtain privileged data.
- Baiting:
Attackers leave malware-infected physical media (CDs, DVDs or USB drives) with legitimate-looking and curiosity-piquing labels in public places.
- Tailgating:
An attacker follows a person into a restricted area by simply walking behind them.
- Quid pro quo:
The cybercriminal offers a service or benefit in exchange for information or access.
Phishing is still one of the most common methods cybercriminals use to trick employees, and the emails are getting better and more legitimate-looking. Gone are the days of phishing emails being easily spotted due to bad grammar, suspicious sender email addresses and low-resolution graphics. The new phishing emails are extremely convincing and oftentimes look exactly like the company they’re trying to emulate.
While phishing emails are usually generic and sent out to a large group of people in the hope of tricking a small percentage of them, spear phishing attempts are mostly sent to 10 or fewer mailboxes. With spear phishing, attackers already know information about the victim or the company they work for, making the email all the more convincing. This information is sometimes gleaned from social media posts by the individual or company. Successful spear phishing is the cause of 95% of all attacks on enterprise networks, according to the SANS Institute.
Vishing, or voice phishing, happens when the victim is called and manipulated into giving up sensitive information over the phone. Typically, the attacker pretends they are with a bank, government organization or trusted company and requests account credentials to verify the victim’s identity.
CEO Fraud, also known as Business Email Compromise (BEC), is a type of spear phishing attack and continues to increase year over year. This threat targets employees: the attacker spoofs an email from the CEO or another executive within the company to request a funds transfer or private personnel or customer information. The FBI reports that BEC attacks caused $5.3 billion in losses between 2013 and 2016.
Here is a CEO Fraud scam scenario:
A cybercriminal learns that John, the CEO of XYZ Corp, is out of town at a conference through a post on XYZ Corp’s Facebook page. The attacker checks xyzcorp.com for a list of employees and is able to get the name and email address of Jane in the accounting department. He then spoofs John’s email address and sends the following email:
“Jane, are you busy? I need you to process a large wire transfer for me as I will be tied up at the conference all day. Let me know when you’re available and I can send the recipient’s details. Thanks, – John.”
Jane responds “Sure, I can help. Please send me the information and I will take care of it as soon as possible.”
The attacker emails the amount of the transfer and account details and Jane transfers the money.
Cybercriminals have also used this method of attack to trick HR employees into sending W-2s and other sensitive information. Over 200 employers were attacked in 2017, exposing the identities of hundreds of thousands of employees.
How to Reduce Your Risks
The most effective way to reduce your cyber risks is by educating the employees in your organization so they know what to be aware of. Yearly and quarterly security awareness training is A MUST for every company, big or small, and especially for healthcare, government agencies, financial institutions, manufacturing, and legal companies.
It is your entire organization’s responsibility to be vigilant when receiving electronic and phone communication. Here are a few steps to help mitigate your cybersecurity risks:
- Raise awareness:
Make sure all employees know what to look out for and receive yearly and quarterly security awareness training.
- Be on the lookout for fake emails:
Carefully check the domain names on emails, watch out for spelling and grammar mistakes and review logos and graphics in the message.
- Avoid clicking links and attachments:
Confirm with the sender (not by replying to the email itself) that they actually sent you an attachment before opening it. Hover over links in emails to display the destination URL before clicking, to make sure you will be taken to a legitimate website.
- Do not give personal or sensitive information:
Most companies will not ask for sensitive data over the phone or through email. Go to the company’s website by doing a web search any time you need to log into your account or to find the correct Customer Support phone number.
- Have internal processes in place to avoid CEO Fraud:
Require that employees go through a 2-step verification process (verbal or in-person) when requested to wire funds or provide sensitive data via email.
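The manual checks in this list (inspecting the sender's domain, hovering over links to see where they really go, and treating payment or personnel-data requests from outside the company as suspect) can also be automated as a first-pass triage step before a message reaches a mailbox. The script below is an added example written for this post; it is not Centre Technologies' code or tooling. Both sample messages are constructed for illustration: xyzcorp.com is the post's own example company, while the lookalike sender domain, the link host, the `INTERNAL_DOMAIN` setting and the `SENSITIVE_PHRASES` list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain (xyzcorp.com is the post's example company).
INTERNAL_DOMAIN = "xyzcorp.com"

# Assumed phrases that mark a payment or sensitive-data request (the CEO-fraud and W-2 cases).
SENSITIVE_PHRASES = ("wire transfer", "wire funds", "w-2", "account details", "gift card")

# Constructed sample: a spoofed "CEO" message in the style of the scenario in the post.
# The lookalike sender domain and the link host are made up for illustration.
SAMPLE_EMAIL = """\
From: "John Smith" <john@xyzcorp-secure.com>
Reply-To: john.ceo@mail-relay.example
To: jane@xyzcorp.com
Subject: Quick favor - wire transfer
Content-Type: text/html

<p>Jane, are you busy? Please review the
<a href="http://xyzcorp.example-login.net/wire">payment portal at xyzcorp.com</a>
and let me know when you're available.</p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN_EMAIL = """\
From: "Jane Doe" <jane@xyzcorp.com>
To: bob@xyzcorp.com
Subject: Lunch tomorrow?
Content-Type: text/plain

Want to grab lunch at noon?
"""


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (adequate for .com-style domains)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _body_text(msg):
    """Concatenate the text parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_email(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = registered_domain(reply_addr.rsplit("@", 1)[-1]) if "@" in reply_addr else ""

    # 1. Sender domain that merely resembles ours (xyzcorp-secure.com vs xyzcorp.com).
    label = internal_domain.split(".")[0]
    if from_dom and from_dom != internal_domain and label in from_dom:
        findings.append(("lookalike-sender", from_dom))

    # 2. Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))

    # 3. Link text naming one domain while the href goes elsewhere
    #    (what "hover over links before clicking" catches by hand).
    body = _body_text(msg)
    for href, text in extract_links(body):
        href_dom = registered_domain(urlparse(href).hostname or "")
        for named in re.findall(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", text.lower()):
            if registered_domain(named) != href_dom:
                findings.append(("link-text-mismatch", f"{named} -> {href_dom}"))

    # 4. Payment or personnel-data request arriving from outside the organisation.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    if from_dom != internal_domain and any(p in haystack for p in SENSITIVE_PHRASES):
        findings.append(("sensitive-request-external", from_dom))

    return findings


if __name__ == "__main__":
    for code, detail in analyze_email(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

Run against the constructed spoofed message it reports all four findings; the clean internal message produces none. The checks are deliberately simple string comparisons so the logic is easy to audit; in practice a mail gateway would combine them with SPF, DKIM and DMARC results rather than rely on header text alone, and the two-step verbal confirmation above remains the control that actually stops a fraudulent wire.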
Centre Technologies uses a layered security approach to protect our Secure Managed Services customers and IT infrastructure, which includes employee security awareness training. Check with your IT staff or service provider to see what they recommend for your organization.