The Undercover Recruiter: Your Business at Risk of a Cyber Attack
An extract from another interesting article from the team at "The Undercover Recruiter" regarding Cyber Attacks - click on the link to find our more or register for their regular updates:
How Your Employees are Putting Your Business at Risk of a Cyber Attack
Over the
last 12 months, 32% of all businesses identified cybersecurity breaches,
according to the Cyber Security Breaches Survey. The most common attacks
reported by companies that detected attacks were phishing (80%), impersonating
an organization in emails or online (28%) and viruses, spyware or malware,
including ransomware attacks (27%). All these attacks take advantage of
employees and pose significant risks to businesses.
An
effective cybersecurity strategy must involve appropriate controls to maintain
a base level of security, and a monitoring system to look for attempts to
violate the policy, which should be underpinned by training for all employees.
Many companies fail to consider that their people are as important as the
software they use when it comes to protecting themselves against cyber threats.
Progressive
technology provider Evaris is urging recruiters and HR managers to make the
provision of basic IT training mandatory during the onboarding process for new
employees to help reduce the risk of costly security breaches.
Lack of
IT training in UK businesses
There is an assumption that new employees have at least a basic knowledge of IT and IT security, and despite companies understanding the threat that users operating within the infrastructure can cause, these skills are not being checked within the first month of employment.
A survey
conducted by Evaris found that 65% of UK professionals did not receive
mandatory IT training in their first month of employment in their current or
most recent role. Of these individuals, 74% had never received any IT training
at all in their current or most recent role, despite 86% of all respondents
saying that they worked on a computer every day.
What’s
more, there is a consensus that employers do not value the ongoing development
of their IT skills. Some 45% of respondents said their employer takes the
development of their IT knowledge either “not so seriously” or “not at all
seriously”. Just 11% said they felt their managers take this issue “very
seriously”.
How
hackers target employees
There are
several low-tech methods that hackers use to take advantage of employees – some
of which may seem too simple to be believed. These methods include:
- Social engineering – hackers posing as people within an organization to obtain access to the network, for example, presenting themselves as a member of IT security and asking for a network password.
- Baiting – hackers use data captured about an employee to trick them into revealing information. An example is using the information listed publicly on LinkedIn to target a junior employee by posing as the CEO to request an action to be carried out.
- Unsubscribe buttons – hackers coax employees into downloading malware by hiding links to malware sites in email unsubscribe buttons, which must be included on all marketing emails.
- Keylogger – also known as keyboard capturing, this technique records and stores strokes of a keyboard and can often pick up personal email IDs, passwords and other sensitive data.
- Internal threats – current or former employees can gain unauthorized access to confidential data, or infiltrate a business’s network with malicious intent. This can include infecting machines with keylogging software or ‘shoulder surfing’ – the act of observing someone typing their password.
The
relationship between personality and cybersecurity
Multiple
studies have been carried out with the intention of exploring the relationship
between personality traits and how they impact a person’s ability to comply
with security policy or increase the risk of being a victim of cyber security.
Whilst their findings vary and are never definitive, they do tend to share a
common set of findings.
Individuals
who are extroverted are more likely to violate cybersecurity policies when
compared to conscientious or neurotic individuals. Social media users who rank
highly in openness to experience are also more likely to set fewer privacy
settings, which makes them vulnerable to attacks.
Women who
are categorized as conscientious tend to fall victim to phishing scams.
However, there does not appear to be a correlation between a man’s personality
type and his vulnerability to phishing.
In nearly
all of the studies, the intent of an individual and their actual behaviour can
be very different, exacerbating the ability to predict security compliance behaviours.
It is far too easy for an organization to adopt a one-size-fits-all approach to
cybersecurity; however, this does not consider the various personality traits
of their users. For example, ‘neurotic’ individuals who feel they are
diligently following a security policy yet are open to phishing attacks, the
social media user for whom openness is the norm and will select the bare
minimum of controls, and the renegade extravert who sees the violation of
policy as a challenge are not considered in a ‘catch all’ security policy.
What
should businesses do?
It is in
the best interests of all businesses across the board to ensure their employees
have all the knowledge, awareness and skills they need to help protect the
company against costly cyber-attacks and data breaches. This means ongoing
education and training, with the active involvement of the company’s IT
department.
Each person in the workforce – from the minute they start with the business – should receive training to understand data management, protection and disposal best practice. The threat of cybersecurity attacks should not be underestimated, and it is up to employers to ensure that their staff have the tools they need to ensure company data is always protected.
About the author: Mike Cohen, CEO at Evaris. He has more than 35 years’ experience in the IT sector and is a respected thought leader in the industry and has held a number of senior roles, including interim management and managing director positions during his career.
The Undercover Recruiter: Your Business at Risk of a Cyber Attack.