The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.


Recent Lawsuit Builds Even Bigger Case for Cybersecurity Education

Organizations must be accountable for guarding against cybersecurity threats, they must be fully aware of current risks, and they must be proactive about cybersecurity education.

As cybersecurity increasingly becomes an agenda item inside the executive boardroom, organizations continue to recognize their own accountability in guarding against cyberattack.

But what about end users? How accountable are they?

It’s an interesting question raised in a recent news article published in KnowBe4’s Security Awareness Training Blog.

According to the report, a woman is being sued for sending approximately 250K of her employer's cash to an online fraudster. Patricia Reilly, who was working for the UK Peebles Media Group, fell for a CEO fraud scam in which the criminals sent her emails pretending to be her boss, Mrs. Bremner, who was on vacation. Mrs. Reilly was eventually dismissed from the firm for her actions.

Lawyers acting for the company accuse Mrs. Reilly of being negligent. They have described her actions as "careless and in breach of the duties - including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer," according to the article.

Spear-phishing campaigns such as this are extremely common. The blame game between end user and executives, while less common, points to the same conclusion: without a holistic, proactive security awareness training regimen, organizations are only as strong as their weakest end-user link.

If the Peebles Media Group suit tells us anything, it's this: it seems like an opportune time for employee security training.

Be Accountable about Cybersecurity

Businesses today throw money and technology toward cybersecurity threats. A few examples: firewalls, content filters, encrypted data and email, virtual private networks, antivirus and anti-malware tools.

While these measures build a foundation for securing your company information, hardware alone leaves wide-open gaps in protecting against socially engineered attacks: a modern-day attack vector that exploits human naivety to infiltrate networks.

It might be a phone call with a spoofed number. It might be a seemingly legitimate email from an organization requesting a bid for large amounts of product. In the case of the Peebles suit, it was an email from a cybercriminal disguising themselves as a superior.

Beyond the infrastructure in place, what about employee education? What is your company doing to educate its team to recognize and avoid these sly, malicious tactics?

Be Aware of Cybersecurity Risks

Knowing the behavior and identifying the types of risks involved is an obviously crucial step in
Consult with your business technology partner to stay on top of emerging threats – cyberattack types are a revolving door in today’s digital era.

A few terms you should be well aware of:

  • Phishing: An email-based scam that impersonates brand-name companies, often using their logos, to lure individuals into revealing personal information or clicking malicious links.
  • Spear-Phishing: Similar to phishing, except that specific individuals within a company are targeted for exploitation.
  • Social Engineering: The umbrella term for a broad range of malicious activities accomplished through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Be Proactive about Cybersecurity Education

Perhaps your organization sends out a monthly email with a number of cybersecurity tips.

Or perhaps your IT director gives a presentation at a company-wide meeting. This makes me imagine the Charlie Brown cartoon. You remember...when his teacher speaks to him, all he hears is “Wah wa wa wah wa wa wah.”

Chances are, 50 percent of those attendees are hearing what Charlie Brown hears. 25 percent are buried in their smartphones. And the other 25 percent retain the information for three hours or so.

My point? You must be proactive.

One example: through partnering with a reputable business technology partner, set up a program that provides initial training and then follows up by sending simulated phishing emails to employees. If they click on the email “bait,” they get a message that reads “Oops! You just clicked on a phishing email!”

IT directors or business owners can also receive management reports that identify which employees continue to click on these simulated “malicious” emails over time.
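To make the reporting half of such a program concrete, here is an added example (not code from the original post or from any training vendor) that turns a simulated-phishing campaign export into the kind of management report described above. It assumes the training platform exports one CSV row per event with the columns `timestamp,campaign,user,event`, where `event` is one of `delivered`, `opened`, `clicked` or `reported`; the column names, the event vocabulary and the log rows are all constructed for this illustration.

```python
"""Aggregate simulated-phishing campaign events into a management report.

Added example, not from the original post or any vendor's product. Assumed
export format (constructed): one CSV row per event, columns
    timestamp,campaign,user,event
with event in {delivered, opened, clicked, reported}.
"""
import csv
from collections import defaultdict
from io import StringIO

VALID_EVENTS = {"delivered", "opened", "clicked", "reported"}

# Constructed sample export: four employees across three simulated campaigns.
SAMPLE_EXPORT = """\
timestamp,campaign,user,event
2024-01-08T09:02:00,2024-01-invoice,alice,delivered
2024-01-08T09:02:00,2024-01-invoice,bob,delivered
2024-01-08T09:02:00,2024-01-invoice,carol,delivered
2024-01-08T09:02:00,2024-01-invoice,dave,delivered
2024-01-08T09:15:12,2024-01-invoice,bob,opened
2024-01-08T09:15:40,2024-01-invoice,bob,clicked
2024-01-08T09:20:05,2024-01-invoice,carol,reported
2024-01-08T10:01:00,2024-01-invoice,dave,clicked
2024-02-12T08:30:00,2024-02-ceo-urgent,alice,delivered
2024-02-12T08:30:00,2024-02-ceo-urgent,bob,delivered
2024-02-12T08:30:00,2024-02-ceo-urgent,carol,delivered
2024-02-12T08:30:00,2024-02-ceo-urgent,dave,delivered
2024-02-12T08:41:00,2024-02-ceo-urgent,bob,clicked
2024-02-12T08:41:30,2024-02-ceo-urgent,bob,clicked
2024-02-12T08:55:00,2024-02-ceo-urgent,alice,reported
2024-02-12T09:10:00,2024-02-ceo-urgent,dave,opened
2024-03-11T11:00:00,2024-03-password-reset,alice,delivered
2024-03-11T11:00:00,2024-03-password-reset,bob,delivered
2024-03-11T11:00:00,2024-03-password-reset,carol,delivered
2024-03-11T11:00:00,2024-03-password-reset,dave,delivered
2024-03-11T11:07:00,2024-03-password-reset,bob,clicked
2024-03-11T11:09:00,2024-03-password-reset,carol,reported
2024-03-11T11:30:00,2024-03-password-reset,dave,clicked
"""


def parse_events(export_text):
    """Parse the CSV export into a list of row dicts, dropping malformed rows
    (missing campaign or user, or an event outside the known vocabulary)."""
    events = []
    for row in csv.DictReader(StringIO(export_text)):
        if not row.get("campaign") or not row.get("user"):
            continue
        if row.get("event") not in VALID_EVENTS:
            continue
        events.append(row)
    return events


def per_user_campaigns(events, kind):
    """Map user -> set of campaigns in which that user produced `kind` at least
    once. Sets mean a double-click on the same lure counts once per campaign."""
    result = defaultdict(set)
    for e in events:
        if e["event"] == kind:
            result[e["user"]].add(e["campaign"])
    return result


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns, worst
    first. This is the follow-up-training list the post's management reports
    are meant to surface; returns (user, sorted campaign list) tuples."""
    clicked = per_user_campaigns(events, "clicked")
    rows = [(u, sorted(c)) for u, c in clicked.items() if len(c) >= min_campaigns]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


def never_reported(events):
    """Users who received at least one lure but never used the report path.
    A low report rate is as much a training signal as a high click rate."""
    delivered_to = set(per_user_campaigns(events, "delivered"))
    reporters = set(per_user_campaigns(events, "reported"))
    return sorted(delivered_to - reporters)


def campaign_rates(events):
    """Per campaign: delivered count, click rate and report rate, each user
    counted once. Campaigns with no delivered rows are skipped (no denominator)."""
    by_kind = {k: defaultdict(set) for k in ("delivered", "clicked", "reported")}
    for e in events:
        if e["event"] in by_kind:
            by_kind[e["event"]][e["campaign"]].add(e["user"])
    rates = {}
    for camp, recipients in by_kind["delivered"].items():
        n = len(recipients)
        rates[camp] = {
            "delivered": n,
            "click_rate": round(len(by_kind["clicked"][camp]) / n, 2),
            "report_rate": round(len(by_kind["reported"][camp]) / n, 2),
        }
    return rates


def format_report(export_text):
    """Render the three views as plain text for an IT director or owner."""
    events = parse_events(export_text)
    lines = ["Campaign summary:"]
    for camp, r in sorted(campaign_rates(events).items()):
        lines.append(f"  {camp}: delivered={r['delivered']} "
                     f"click_rate={r['click_rate']:.0%} report_rate={r['report_rate']:.0%}")
    lines.append("Repeat clickers (2+ campaigns):")
    for user, camps in repeat_clickers(events):
        lines.append(f"  {user}: {', '.join(camps)}")
    lines.append("Never reported a lure: " + ", ".join(never_reported(events)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_EXPORT))
```

Counting each user once per campaign matters for the click rate: a single person clicking the same link twice should not make a campaign look twice as bad. The never-reported list is the metric a training program should watch most closely, since employees who report simulated lures are the ones who will report real ones.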

Meanwhile, in the case of the Peebles Media Group, the party suing the former employee has described her actions as "careless and in breach of the duties - including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer."

The firm has claimed that she should have realized the emails were suspicious.

The defendant’s claim? In calling for the case to be dismissed, she says she did not receive any training on how to spot online fraud.

Which raises a very simple question for every business owner today: When it comes to online fraud, phishing, and social engineering, how well is your team trained?

Begin shoring up your cybersecurity landscape - from technology to end user education - with a thorough Network Risk Assessment! Interested in learning more? Let's talk!
