How To Create A Human Firewall

You might recall my story at the end of 2018 of the company that was hit with ransomware. My biggest takeaway from the incident was that several people in the organization were unaware of ransomware and even less were familiar with the phishing attacks used to introduce the malware to their systems.

 Did you know that 91% of successful data breaches started with a phishing attack? There are two types of phishing attacks, generic and targeted.

A generic phishing attack example is an email from UPS or FedEx stating that there is a problem with your delivery. It usually contains a link or attachment that when clicked launches the attack on your system. It doesn’t take a lot of skill to execute a massive phishing campaign. Most phishing attempts are after things like credit card data, usernames and passwords, etc. and are usually a one-and-done attack.

Spear phishing is targeted towards a specific individual, organization or business. Cybercriminals will go to great lengths to study an organization and make the email as convincing as possible. These emails can contain detailed information about people in the organization, logos, and recent company information to make their attack seem as legitimate as possible. Traditional security often doesn’t stop these attacks because they are so cleverly customized.

It is amazing the high click rate on a test attack. We have performed some test phishing campaign recently and the number of people that clicked on the links was staggering. What’s most important after performing the baseline test, those that clicked the phishing link may worry that they will face repercussions. Communicate with team members why a test was conducted and explain how you scored. The next time you conduct a test, employees will be ready and the number will be drastically reduced.

Did you know that more than 60% of network malware infections are caused by social engineering? How it works: An email arrives, apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware. Because of this, it is very important that everyone remain security aware. We need to defend our organizations against cybercrime, and security is everyone’s job. Our team members are the last line of defense in keeping our data safe.

Some tips for your employees:

  • First and foremost, always ask.  Please.  It is much easier to answer questions all day long than to clean up the mess of an infiltration.
  • Stop, look, and think when opening email.
  • Hover over links! DON’T CLICK, but rather hover your mouse over links, does the URL in the window show you UPS.com or UPS-parcel.com.  If it doesn’t look legit, ask!
  • Beware of “Enable Content” if you didn’t request the document. That is what can launch the infiltration in certain documents.
  • Cybercriminals don’t always use bad grammar. These days attacks look real and use up-to-date graphics and logos.
  • All types of files can carry malware!! (.doc, .pdf) So don’t become complacent.
  • Do not Unsubscribe from emails, rather mark them as Junk or Spam. In time your email will learn what your preferences based on what you flag.
  • Never open .exe, .scr. .bat or any other file format you do not recognize.

Beware of these kinds of email:

  • Asking for a reply to an unusual request
  • Asking you to click a link without specifics. When I send emails requesting the click of a link, I make sure to include specific information so that my family, friends and coworkers all know it is me. If you are unsure, ask!
  • An unusual request for forward a message to others.
  • Be extra cautions of messages that offer value, require immediate action, or warn of negative consequences.

Make sure you team members are familiar with these terms:

  • Spam – Bulk Junk email
  • Phishing – deception via email
  • Spear phishing – targeted deception via email
  • Spoofing – Using the identity of someone else
  • Advanced persistent threats – A prolonged and targeted cyberattack in which an intruder gains access to the network and remains undetected for an extended period.

The point of all of this is that by simply reviewing a few key items with the team members that access your data, your organization will be much better prepared for an attack. This is not a one time event, it should be talked about monthly using videos, brief presentations at the start of larger meetings, newsletters, posters and more. Visit SANS and KnowBe4 for great information that you can share with your team.

If you need help crafting your Security Awareness Program, or you would like to have someone review cybersecurity tips with your team, let us know. We at Advanced Systems Solutions have helped many different types of organizations with their awareness programs. If you’re looking for a support company to ensure you team is secure, with unmatched customer service, please contact us. We love to help!

So, start the discussion at your next meeting. This way, when one of your team members receives a phishing attack, your company won’t be affected because your team is aware of the tactic’s cybercriminals use.  

.

Like our Facebook page by clicking on the icon at the top right of this page to stay up to date with date with current alerts and information!

.

Disclaimer: The above information is not intended as technical advice. Additional facts or future developments may affect subjects contained herein. Seek the advice of an IT Professional before acting or relying on any information in this communiqué