5 Scary Cyber Security Gaps if You Only Train Users on Phishing
Gaps in cyber security remain one of the most challenging issues for small business owners
Small businesses bear 43% of the brunt of cyber-attacks, opening them up to huge liabilities. This includes business closure. Of those attacked, 60% will go out of business within six months. As only 25% of SMBs currently train on ‘cyber awareness’ and most of that effort is spent on phishing… here are a few things to consider as you mature (or start!) your awareness program.
SCARY SECURITY GAPS
A survey conducted by GetApp reports that 43% of employees do not get regular data security training, while 8% have never received any training at all. Since 95% of successful attacks start as phishing emails, we can confidently state that phishing is the biggest cyber threat to small and midsize businesses, no joke. And most cybersecurity training and tools for SMBs focus almost entirely on phishing attacks.
But are phishing attacks really the only cyber threat that we should be worried about? There are several other ways that a hacker can get what they want.
In this post, we’ll talk about other potential ways that attackers target you, most of which don’t even need a computer.
1. MOBILE SECURITY
Poor mobile security habits can come in many forms. The increasing functionality of mobile devices makes taking work out of the office ever easier, and the trend toward Bring Your Own Devices (BYOD) policies continues to blur the lines between work life and home life.
From an efficiency perspective, this isn’t such a bad thing; working from a familiar mobile device means no need to spend time and brain space figuring out how to use a new device.
However, from a security perspective, a poor BYOD policy can be an organizational nightmare. It’s not uncommon for people to download apps without really thinking about the potential security concerns.
Have you ever downloaded a flashlight app to your phone? Ever think about the permissions that it asked for and why it needs access to your text messages and the Internet? Things have been improving lately, but in the past, flashlight apps were notorious for being Trojans that installed malware on your smartphone.
Discarding phones used for work is another huge hole in many organizations' cybersecurity.
- Do you perform a memory wipe of any device that previously held sensitive company data before throwing it away?
- Or do you rely on the fact that the phone is protected with a PIN?
- Did you know that devices that can guess a phone's 4-digit PIN in less than 17 hours are available for sale for less than 250 Euros?
Any reasonably motivated hacker could snag a discarded (or lost) company phone and have complete access to sensitive company information stored on it and any logged-in accounts within a day.
2. PHYSICAL SECURITY
Most organizations are aware of the need for physical security, but most of them don’t go far enough. While important, a clear delineation between the “public” and “private” areas in your building just isn’t enough to deter an attacker. In order to protect your people and your property, you need to think outside the box about potential holes in your security setup.
How many of the people in your organization are nice and helpful? We hope it’s quite a few!
If one of them saw a mailman struggling with a load of packages or someone carrying a large box, what are the odds that they’d hold the door for them? Do you think that they’ll be thinking about the fact that everyone coming through the door is supposed to swipe their ID card? While impersonating a member of the federal mail service is illegal, there is no law against dressing as if you work for UPS, FedEx, etc.
Even if there were, a suit, a cup of coffee, and an important-sounding phone call give an air of authority and an excuse not to do anything but give a nod of thanks while walking through the open door.
3. DUMPSTER DIVING
Dumpster diving is a low-tech, low-cost method of collecting sensitive data about an organization. Anything from an old company org chart to photos of the last company picnic can give an attacker information to use in a phishing or other attack.
Dumpster diving also happens to be a surprisingly low-risk method of gathering information. Are your organization’s dumpsters located on private property all of the time or are they located on or moved to public property for collection?
According to UK and US law, dumpster diving is completely legal as long as the dumpster diver is not trespassing in the process. If your trash (and valuable company information) is located on public property, it’s fair game for an attacker.
Think that you have good security habits when working remotely? Have you ever taken a work call in a cafe, airport, etc.? If so, did you greet the caller by name?
Did you mention your organization by name, or talk about topics that would let someone guess where you work? If so, you’ve given anyone in earshot enough information to attack your organization. Just consider what an attacker could learn by dropping a few names and facts gathered from eavesdropping on your conversation and doing a bit of open-source reconnaissance.
Other risks are also present when working remotely. Using public WiFi carries risks ranging from attackers eavesdropping on and data mining your web traffic for useful nuggets to malicious networks where attackers take advantage of proximity to attack your computer. Working in public also carries the risk of shoulder surfing, where someone watches you type in a password or looks over your shoulder at sensitive company information. You can learn a lot about a person just by listening and keeping your eyes open when hanging out in a public place.
4. SOCIAL ENGINEERING
Social engineering is a big topic in cybersecurity. Even ignoring phishing attacks (which are bad enough on their own), social engineers can bypass your personal and company security measures in a variety of ways. Social engineers take advantage of human psychology, habits, and instinctive behaviors to manipulate people into doing what they want.
Say someone walks up to your company’s front desk holding a USB drive that they claim they found lying in your company parking lot. Maybe it even has a label on it saying “If lost, return to Your Company at Your Company Address”. What will most people do when faced with this situation?
Probably thank the helpful person and then plug it into a computer to see if there is any clue on it as to whom the drive belongs. And if the USB drive has malware set up to run when the USB is plugged into a computer? Oops.
To put this in perspective, only 27% of companies provide social engineering awareness training for their employees, according to a recent survey, and almost 75% of businesses are vulnerable, thus endangering customers’ records, employee data, intellectual property, and more.
5. SUPPLY CHAIN
Many organizations think about the quality of their supply chain. If you put a defective widget into your product and it breaks, your customers don’t blame the widget-maker; they blame you. For the sake of your bottom line, you need to make sure that every component that goes into your product meets minimum quality standards to avoid reputational or legal repercussions.
Have you considered the security side of your supply chain?
If the software that your organization develops includes third-party code that is vulnerable, then the product you ship is vulnerable too.
Have you heard of the Equifax breach? The loss of millions of people’s sensitive data was caused by Equifax using software with a vulnerability that they failed to patch. But no one seems to be mad at Apache for writing vulnerable code in the first place; they blame Equifax for not taking the appropriate steps to fix code that they inherited from their suppliers.
PROTECTING YOURSELF AND YOUR ORGANIZATION
The common thread between all of the scenarios described in this post is that they are fixable with a well-developed cybersecurity strategy.
Some, like the potential for malicious apps on BYOD devices, have technological solutions. Others involve developing procedures for securely managing certain situations, or deploying a cybersecurity education program that prepares your organization for all of the threats it is likely to face, rather than only the most common threats or those in vogue at the moment.
By taking the time to carefully consider the risks and develop plans to address them, you can protect your organization and your employees both professionally and personally.
Developing a security-aware culture and thinking about risks from the human perspective, including how you can empower your teams to be a strong line of defense, is a key step for organizations of all sizes.
Are you enjoying our articles and interested in understanding more about how Cybermaniacs focuses on behavior change in the work culture? Then you will be interested in Channeling Edna Mole as CISO for Creating Cyber Secure Humans.
The Cybermaniacs create cyber-secure humans through our learning experience platform and unique approach to change. Fuzzy on the outside, data-driven on the inside, our cyber awareness training content is sure to delight all demographics at your organization. Learn more about our platform and take a ride on a free demo.