The Best Cybersecurity Investment You Can Make
While the cybersecurity industry has no shortage of new malware strains to track and new vulnerabilities to patch, one thing remains stubbornly constant: for years, the number of data breaches caused by phishing attacks has hovered around 90%. This means that no matter how much physical and technological security you have in place, your risk of a data breach remains significant as long as one variable stays in the mix: humans. The unfortunate reality is: a business’s greatest cybersecurity threat is its own employees.
But, it’s not their fault. Cybercriminals have elevated phishing to new heights of sophistication, where even the savviest tech user can fall prey. A recent study published by Keepnet Labs found that 1 in 3 employees from the legal/audit/internal control, management, and, yes, even information technology areas are likely to click the links in phishing emails.
What exactly is phishing? Phishing is when a cybercriminal sends a fraudulent email designed to lure the reader into taking a specific action, usually clicking a link or opening an attachment. The email usually employs a sense of urgency, saying something like, “Your credit card has expired,” or “Payment update required for continued service,” to encourage the victim to click the link or open the attachment. Once clicked, the link or attachment will either download and install malware or take the victim to a fraudulent website (one that looks legitimate), where he or she is prompted to enter login credentials, credit card information, or other valuable data.
Cybercriminals employ a bag of tricks to increase their chance of success:
- They make the email appear to be from a company or person the user knows, usually by mimicking a widely used service such as Netflix or Paypal. They visually make the email appear as legitimate as possible by modeling it after real company emails.
- More sophisticated attacks engage in “spear phishing,” where the criminals research their targets and create an email they know will resonate with the victim, using his or her name and a company he or she knows.
- They “spoof” the email address; that is, they forge the header of the email so that the message appears to have originated from a legitimate source.
- They create fraudulent websites so their lure has a landing page that looks legitimate. Again, it’s modeled after the actual company page as closely as possible.
- They mask the actual URL of the link with a fake “display as” URL.
Cybercriminals will go to great extremes if the potential payoff is big enough. The FBI warns of international criminal organizations that have lawyers, linguists, researchers, social engineers, and others “on staff” to carry out these types of operations.
So what can you do?
One of the most cost-effective measures you can take to immediately improve your cybersecurity posture is to invest in cybersecurity awareness training for your employees. They are your first line of defense, and making sure they are aware of these dangers and know how to deal with them appropriately can save you from a huge headache, possibly even from going out of business due to a data breach (the average cost of a data breach for an SMB is $2,235,000). Most cybersecurity firms offer affordable (sometimes even free for SMBs) employee awareness training. Some will even conduct simulated phishing attacks to gauge your employees’ level of susceptibility, which can be used later to measure training success. It’s a worthwhile investment for your business and the first step to creating a culture of cyber awareness.