Before I get into cybersecurity, I want to start by asking a simple question. Would you be comfortable with a forklift operator working without receiving proper training?
Hopefully, your answer is “NO”. They could do a lot of damage to your business if they don’t know what they are doing, right? What a massive and unnecessary business risk that would be.
Now a follow-up question: how much damage could an untrained computer user unleash on your corporate network?
The answer, it turns out, is a lot.
In fact, two-thirds of ransomware entry points are through phishing emails. This means that employees are duped into clicking malicious links and/or installing malicious software which results in the corporate network being compromised.
Attackers will often use social engineering to manipulate their victim into doing something that they really shouldn’t do. They often using specific information to appear legitimate, such as posing as an executive or business partner.
Where Do They Dig Up This Information?
How can an attacker learn so much about your company and employees to make such targeted attacks? Do they scour the Dark Web or mine hidden databases?
Probably not. Why would they go through that hassle when there is so much juicy information that’s being broadcasted publicly?
Take a look at your own corporate website. Think about what an attacker could learn, and how he/she could convert that into a convincing phishing email.
Still not sure? Try this trick. In your Google search, type:
filetype:pdf site:emkal.ca
(Where “emkal.ca” is your company domain)
This will show all PDF documents that are hosted on your site, some of which should not be made public.
While writing this blog post, I was looking for a relevant example to demonstrate what kind of information could be harvested. I investigated hospitals because they are commonly targeted by threat actors. I found a very good example (redacted image below) of a Privacy Awareness Training document which includes full contact information for the Chief of Staff. This is basically telling an attacker who to contact, and what the content of their phishing email should include.
The takeaway here is that over-sharing on a website can be exploited by attackers to gather the requisite reconnaissance to launch an attack.
What Can You Do About It?
One solution is to tighten up how much information is shared through your website. However, there will always be information that you will need to share, or will be shared by your partners/vendors, your employees on social media, or through competitive intelligence sites.
Although you cannot fully control how much information is shared about your company, you CAN control how resilient your employees are to these attacks. The solution here is robust user training for cybersecurity awareness.
There are many solutions out there, but the one we recommend is the ESET Cybersecurity Awareness Training. They have a free option, but the real power of this training is unlocked in the premium version, which allows simulated phishing emails to be sent to test how well employees are actually responding to threats.
What’s Involved in Making this Happen?
The technical complexity of rolling out cybersecurity awareness training is somewhat low. It takes some IT know-how to setup the online portal, configure email settings to allow simulated phishing to flow through, and manage the learning materials.
The cost is also reasonable at about $20/user/year, so it won’t break the bank.
Training takes about 90 minutes in total and can be done in small increments, so it’s not too much of a bother for employees.
So overall this is a low-effort, low-cost, high-impact security measure.
What’s Next?
If you have never received formal cybersecurity awareness training at your workplace, this is something that you should be requesting and advocating.
If you’re concerned about the IT complexity aspect of setting up this training, or any other IT security solution, you can contact EMKAL anytime to discuss!