Be smarter than a hacker
National Cyber Security Awareness Month has been running for 20 years this October – two decades dedicated to encouraging us to take care online and look after our data and finances so we’re not left frustrated and out of pocket by scammers and hackers.
Focusing on the human element of cyber security, the theme this year is “Be Smarter than a Hacker”. What are you doing to protect yourself and your business from cyber criminals? You can have all the sophisticated technical defences in the world, but if you and your staff are not prepared for the attacks that slip through the net, it’s a question of when, not if, you will fall victim to a scam.
Don’t act against your own self-interest
Social engineering is getting you to act against your own self-interest, often by convincing you that you’re taking care of a pressing problem or an urgent request. Scammers and hackers will attempt to manipulate, influence and deceive you to hand over information which will allow them access to your personal and company data.
Criminals want your unthinking obedience to their request. They make this work for them by appearing authoritative, putting you under time pressure and contacting you via communication channels, like email, where you are often already overloaded with communications and keen to work through them quickly, hoping you will slip up.
If you receive a genuine email from your manager with an urgent request, it’s a given that you usually want to reply quickly with all of the information requested, but what happens when it’s a scam posing as genuine?
Phishing, vishing, smishing – what are you missing?
Many social engineering attacks utilise phishing to gain the information they want, which can be via email, phone calls (vishing) or texts (smishing). Email is the most popular medium because it’s used all day, every day, especially between businesses, with an average of 350 billion emails sent every single day.
Vishing and smishing are also becoming more common as they are used to appear more authoritative – would your bank send you an email or would they call you if there was an urgent issue? They’d call you because time is of the essence. Criminals utilise this same tactic to deceive you, ensuring you’re worried and shaken up, and then get you to follow their directions. But remember, banks will never ask you for your password or other details that might compromise your account. Be smarter than a hacker – think twice and verify the request before acting hastily.
If you want a great example of social engineering (this one is vishing), you can see it in practice here. Just sharing this video with your team counts towards your security awareness training. Why not add it as a 3 minute watch to one of your regular meetings?
Training, training, training
If you are a manager, your job is to ensure people are productive and getting on with the job, and it’s likely you’ve told people once or twice to hurry up or get a move on! Security awareness training, however, asks users to slow down, be aware and think before they click.
It’s crucial to recognise the signs of being scammed, how to notice when people are trying to phish for your data and when an email comes from a well-disguised source. Whilst technical defences can limit the amount of these attacks that slip through the net, some are still bound to reach your users – dealing with them properly is paramount.
Make no mistake, criminals are clever, innovative and getting more sophisticated by the day. But you can be smarter than a hacker by staying ahead of their game. Regular training reinforces the fundamentals and keeps your staff informed of recent changes and developments.
Training is not limited to teaching your users how to recognise a breach; it also means practising what to do if one occurs. This means having a recovery plan and testing it regularly before a real breach occurs. It also means encouraging your users to report breaches as soon as possible – it’s far better to admit to clicking on a dodgy link so you can catch a breach early than to wait weeks or months to feel the repercussions first-hand. Ensure that your workplace has a zero blame policy.
For training to be effective it has to be regular. Regular training stresses the severity of the threat of phishing and other forms of cyber crime, and helps safe habits become second nature to your staff. Security always comes at the cost of convenience, but we should all be operating with a security first mindset. Whilst they may slow you down, the extra few moments spent ensuring you’re operating safely will always outweigh the cost of a breach.
How else can I take responsibility?
Whilst we’ve highlighted phishing as a predominant issue and used it as our example, there are lots of areas where you and your staff can take personal responsibility, such as:
- Use strong passwords and add MFA everywhere you can – and be aware of MFA scams!
- Test your phish prone score and work towards improving it.
- Be aware of your surroundings when using mobile phones and laptops.
- Protect your device when leaving it unattended.
- Don’t use public WiFi if you can help it – your mobile hotspot is always better.
- Limit access as much as possible, and deny admin rights to your users.
- Dispose of old equipment securely.
- Make sure all new starters get taken through your cyber security policy and are given training early on.
- Always make sure your data is regularly backed up.
We hope that this article can help you to DIY or update your security awareness training. Even sharing the official song of European Cyber Security Month 2023 can help! But if you’re struggling to implement or update your security awareness training, or aren’t seeing results with your current efforts, get in touch to find out how we can tailor training to your business needs.
We wish you a cyber-safe October and beyond!