Don’t put your blame on them (Train them)
4 months ago, Norwegian aluminium manufacturer Norsk Hydro fell victim to a ransomware attack that left its entire computer network paralysed. The cost to bear: 50 million US dollars.
IBM states that 60% of all cyber attacks are a direct result of insider attacks – attacks caused by employees within an organisation who act with malicious intent. You might be right in assuming that this will not be the case in your company, where only a few people have access to your systems, but your employees can still be responsible for cyber attacks, unwillingly and unknowingly.
In a world where almost every aspect of life depends on computers and technology, everything and everyone is a sitting duck for hackers. Employees of an organisation, whatever their designation or level of access, can be tricked into making mistakes or giving away sensitive information. Simply put, any employee with access to a mobile device or computer is vulnerable. The question left on everyone’s mind is: how do hackers exploit your employees? It all revolves around “social engineering”, a term that covers a broad range of malicious activities accomplished through psychological manipulation. There are countless ways of tricking users into making mistakes, but a few stand out more than others.
“CONGRATULATIONS!! YOU HAVE WON A BRAND NEW IPHONE X!! CLICK HERE TO CLAIM YOUR PRIZE!!”
Although this may be one of the more obvious attacks, you still find people falling for it, or even clicking out of curiosity, “humouring” the obvious bait and feeling superior for a second, unaware that a single click was all the attacker needed.
The cyber security world calls this baiting. As the name suggests, it relies on the user clicking a link or opening a document that appears attractive and true to its name but is not what it seems. Hidden inside the link or document is malicious content that can harm your computer and expose your personal information.
In other attempts to – for lack of a better word – hack, attackers use yet another reference to the sport of catching aquatic life: ph(f)ishing. Like baiting, phishing works through email, creating a sense of urgency, curiosity or fear to get victims to act. The email usually pretends to come from an online service, informing the user of a policy violation or a required password change and compelling them to reveal sensitive information, which typically gives the culprit access to accounts owned by the victim.
Moving on to a form of hacking that deals with the victim on a personal basis, pretexting takes the cake. Pretending to be a high-profile employee of your company, your bank or the police, the attacker establishes a sense of trust with the victim and asks questions that draw out sensitive information – information you wouldn’t think twice about giving to the person they are pretending to be.
There are of course more ways in which these attacks can occur, but all share the same motive: to gain access to sensitive information, whether an employee gives that information away unknowingly or unknowingly lets the hackers into the system.
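The three tells described above (a bait that is not what it appears to be, an email that manufactures urgency and impersonates a service, and a sender pretending to be someone trusted) can be turned into simple heuristics that a mail gateway or an awareness-training exercise can run over a message. The following Python is an added example written for this post, not code from the original article or from any product it mentions. The brand-to-domain map, the urgency phrases and both sample messages are constructed for illustration and are assumptions, not real captures.

```python
"""Heuristic email triage for the baiting, phishing and pretexting tells.
Added example; the sample messages below are constructed, not real captures."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Phrases that manufacture urgency, fear or curiosity (constructed list)
URGENCY_TERMS = ("urgent", "immediately", "suspended", "policy violation",
                 "verify your password", "claim your prize", "congratulations",
                 "within 24 hours")
# Attachments that are executable, or hide an executable behind a document name
RISKY_ATTACHMENT = re.compile(r"\.(exe|scr|js|vbs|hta|bat|cmd)$", re.I)
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.\w+$", re.I)
# Assumed brand -> legitimate sending domain (hypothetical values)
BRANDS = {"example bank": "example-bank.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the host part of a URL or bare 'host/path' string, lower-cased."""
    m = re.match(r"(?:https?://)?([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Pretexting/phishing: display name claims a brand, sending domain does not match
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRANDS.items():
        if brand in name.lower() and domain != legit:
            findings.append(("sender-brand-mismatch", f"{name!r} sent from {domain}"))
    # 2. Emotional pressure in subject or body
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    # 3. Baiting: link text shows one host, href goes to another host or a raw IP
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for href, shown in parser.links:
            target = _host(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
                findings.append(("link-to-ip", href))
            if "." in shown and _host(shown) != target:
                findings.append(("link-mismatch", f"shows {shown!r}, goes to {target}"))
    # 4. Executable or double-extension attachments
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        if RISKY_ATTACHMENT.search(fn) or DOUBLE_EXTENSION.search(fn):
            findings.append(("risky-attachment", fn))
    return findings


def build_sample(phish):
    """Build a constructed sample message (not a real capture) as a raw string."""
    m = EmailMessage()
    if phish:
        m["From"] = "Example Bank Security <alerts@examp1e-bank-login.com>"
        m["Subject"] = "URGENT: your account has been suspended"
        m.set_content("Verify your password within 24 hours.")
        m.add_alternative('<p>Verify your password within 24 hours: '
                          '<a href="http://203.0.113.7/login">example-bank.com/login</a></p>',
                          subtype="html")
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="statement.pdf.exe")
    else:
        m["From"] = "Example Bank <statements@example-bank.com>"
        m["Subject"] = "Your monthly statement is available"
        m.set_content("Log in as usual to view your statement.")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample(True)):
        print(finding)
```

Each finding maps back to one of the tricks in the text: the display-name check catches pretexting, the urgency phrases catch the emotional lever phishing relies on, and the link and attachment checks catch bait that is not what it appears to be. Heuristics like these raise flags for a reviewer or a training exercise; they are not a substitute for the awareness the post argues for, because a careful attacker can avoid every phrase on the list.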
All of this leads to the outcome described at the beginning of this blog: ransomware. Attackers hold your company’s important files hostage, crippling its ability to conduct day-to-day operations. Like Norsk Hydro, your company would be asked to pay a large sum to get things running again. You could ignore their demands and try to run an old-fashioned, paper-based company, but it should be mentioned that the 50 million dollars Norsk Hydro spent were not the ransom demanded; they were the cost of running the company in a computer-free world.
The hackers just keep getting cleverer, coming up with new ways to trick people. It is crucial for employees to be aware of what threats are out there, and how they can avoid them. After all, your employees don’t have to have ill intent to be a threat to your company, they just have to be human.