The last part of my trilogy is about the weakest link: our employees. Some of what you will read in this article you already know from one of the previous two.
When I write that our employees are the weakest link in a security concept, we should not take this personally. It is a simple, hard fact.
In one of the previous articles I wrote that small businesses in particular are prime targets for hackers. One of the main reasons is that these companies cannot invest as much in their security and in security training for their employees. Small businesses have other focuses in their daily business, and IT is just a tool for them. They may not have the budget and/or the knowledge to invest in user restriction policies the way bigger companies do. That makes it easier for hackers to run an attack against their employees. For example, missing permission management can make it easier to get hold of key company information, which the attackers can then sell, delete or encrypt.
There are reports out there which show that employees without training are far less sensitized to how important it is to be suspicious of the different attacks like phishing; they may not even know when they have been phished.
That leaves your company's sensitive data vulnerable to theft and to ransomware attacks, which threaten to delete your data if you don't pay the hackers.
The official report below shows why we need to train our employees. With recurring training we can decrease the damage to our infrastructure.
This statistic shows clearly that, next to social engineering, phishing attacks are the most common method for hackers to get into your organization. If we look at the numbers, we quickly see that 96% of phishing attacks come through E-Mail.
The official statistics and my own experience as a Messaging Engineer both show that nearly 80% of people do not click a single phishing E-Mail all year. However, on average, 4% of employees in any given phishing campaign will click it.
A hacker needs to fool only one victim to gain access to an organization's network and data.
As we can see in the statistic below, there are many malicious E-Mails out there:
Another black cloud
If an employee gets phished, the company can face another problem as well. Here we are not just talking about the access an attacker gains to the company's network. We are talking about ransomware. Cybersecurity experts report that most ransomware programs are unleashed after employees fall for phishing or social engineering attacks.
If we count all known attacks in which ransomware was unleashed as 100%, we get the following statistic:
At the moment, less than 30% of surveyed businesses are confident that their employees could detect risky links or spoofed websites that could lead to a ransomware attack.
Our employees are the heart of your company's IT security. Care about them and they will care about the company. Train them with a few simple tips and they can improve their perception of your business's IT security.
- Train employees to recognize phishing E-Mails and have a process to report them.
- Use antivirus software.
- Limit employee access to your company's data.
- Implement a permission concept (use different accounts for different tasks).
- Use jump hosts.
- Update software applications regularly.
- Use multi-factor authentication (MFA) wherever possible.
- Implement strong password policies.
- Encrypt E-Mails, mobile devices, USB sticks, etc.
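As an added example for the first tip (a process to report phishing E-Mails), and not code from the original article: a small Python triage script that a report mailbox could run over a forwarded message to flag the usual signs, a spoofed display name, a lookalike sender domain, a mismatched Return-Path or Reply-To, an SPF/DKIM/DMARC failure recorded by the receiving server, and urgency wording in the subject. The internal domain example.com and the sample message are constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed: the company's own mail domain (hypothetical)
URGENCY_WORDS = ("urgent", "immediately", "expires", "within", "suspended")

# Constructed sample of a message an employee might forward to the report mailbox.
SAMPLE_REPORTED_MAIL = """\
Return-Path: <bounce@bulk-sender.example.net>
From: "IT Helpdesk <helpdesk@example.com>" <alerts@example-support.co>
To: employee@example.com
Subject: Urgent: your password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none
Content-Type: text/plain

Reset it within 2 hours or your account will be suspended.
"""

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def triage(raw_message: str, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Return the risk flags found in a reported message (empty list: no check fired)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    # Display name shows an internal address while the real sender is external.
    if internal_domain in display_name.lower() and from_domain != internal_domain:
        flags.append("display-name-spoof")
    # Sender domain reuses the company's name but is not the company's domain.
    if from_domain != internal_domain and internal_domain.split(".")[0] in from_domain:
        flags.append("lookalike-domain")
    # Envelope sender (Return-Path) and Reply-To should belong to the From domain.
    for header, flag in (("Return-Path", "return-path-mismatch"), ("Reply-To", "reply-to-mismatch")):
        other = _domain(parseaddr(str(msg.get(header, "")))[1])
        if other and not other.endswith(from_domain):
            flags.append(flag)
    # The receiving mail server recorded an SPF/DKIM/DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            flags.append(f"auth-fail:{mech}")
    # Pressure wording typical of credential phishing.
    if any(word in str(msg.get("Subject", "")).lower() for word in URGENCY_WORDS):
        flags.append("urgency-wording")
    return flags
```

A message with several flags is a candidate for immediate blocking and a warning to the other recipients; a message with none still deserves a human look, because the checks only cover the signs named in this article.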