October is CyberSecurity Awareness Month!
This doesn’t mean companies should focus on cybersecurity and cyber threats for 1 month and then forget about them for the next 11 months. Cybersecurity is a full-time commitment and a full-time threat!
It is important to provide employees with useful advice on how to stay safe online.
If an employee clicks through a convincing phishing link which claims they need to enter their password to view content, or if someone downloads what they believe is a legitimate attachment, but it contains a trojan malware backdoor, they could cause big problems for the organisation.
Pointing the finger, blaming and causing fear around the topic isn’t a positive way to approach cybersecurity. You don’t want employees accidentally clicking a spam link and then not having the confidence to inform management, due to fear of punishment or shaming. By the time the incident comes to light, the attackers will be inside your company systems and already causing damage. You want employees to feel they can come straight to management and inform them of suspicious links or other exploits.
But what should employees be looking out for?
- Business Email Compromise (BEC)
Basically, BEC involves a scammer finding out who the boss is within a company and setting up a fake email address under the boss’s name. They then send an email to an employee saying they need a financial transaction to be carried out quickly and quietly.
BEC rarely needs any high skill. All someone needs is a laptop, internet connection and patience - it's all to do with manipulating people, rather than machines.
According to the FBI, the combined total lost to BEC attacks is $43 billion and counting, with attacks reported in at least 177 countries.
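For the IT team, here is one way to flag the "boss's name on a fake address" pattern described above. It is an added example, not part of the original article, and the executive names, company domain and sample headers are constructed assumptions. It also goes one step beyond the text by checking for a Reply-To that points to a different domain.

```python
import re
from email.utils import parseaddr

# Assumptions for illustration: hypothetical executives and company domain.
EXECUTIVES = {"Jane Doe", "John Smith"}
COMPANY_DOMAINS = {"example.com"}

def normalize_name(name):
    """Lower-case and sort the word tokens so 'Doe, Jane' equals 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

EXEC_KEYS = {normalize_name(n) for n in EXECUTIVES}

def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()

def check_sender(from_header, reply_to=None):
    """Return a list of BEC warning signs found in one message's headers."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = domain_of(addr)
    # Sign 1: the display name is an executive, but the address is external.
    if normalize_name(display) in EXEC_KEYS and domain not in COMPANY_DOMAINS:
        findings.append("executive display name on external address")
    # Sign 2: replies would be sent to a different domain than the sender's.
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain and reply_domain != domain:
            findings.append("reply-to domain differs from sender domain")
    return findings

# Constructed sample headers: (From, Reply-To)
SAMPLES = [
    ('"Jane Doe" <jane.doe@example.com>', None),
    ('"Jane Doe" <jane.doe.ceo@freemail.test>', None),
    ('"Jane Doe" <jane.doe@example.com>', "jane.doe@freemail.test"),
    ('"Newsletter" <news@vendor.test>', None),
]

if __name__ == "__main__":
    for from_header, reply_to in SAMPLES:
        print(from_header, "->", check_sender(from_header, reply_to) or "no findings")
```

A flag from a check like this is a prompt to verify the request through a known phone number or in person, not proof of fraud.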
- Deepfakes – The Next Big Cyber Threat
A deepfake is an AI-generated false video that looks like a real human speaking. A deepfake video uses artificial intelligence and deep-learning techniques to produce fake images of people or events.
By using AI-powered deep-learning techniques, cyber criminals exploit public information to create a deepfake of a senior-level executive. They then exploit email vulnerabilities to request a video call with an employee. On the video call, they ask the employee to carry out a task or transaction. If the victim believes they're speaking to their CEO or boss, they're unlikely to deny the request.
Scammers have already used artificial intelligence to convince employees they're speaking to their boss on the phone. Adding the video element makes it even harder to detect that they're actually talking to fraudsters.
How to spot a Deepfake?
It is difficult to spot a deepfake, but watch out for signs such as the video warping, strange head and torso movements, syncing issues between the face and lip movement, and any audio misalignment.
- Strong Passwords
It is important to encourage users to avoid using and re-using simple passwords.
Don’t use the same password for every account. If a hacker cracks one password, then they have them all!
With the increase in remote working, it is important that employees understand the importance of a strong password and don't just use ‘password1234’.
- Multi-Factor Authentication (MFA)
MFA can provide a barrier to cyberattacks. MFA means that even if the hacker has the username and password, they are unable to take control of, or gain access to, a cloud service or email account without the user approving it.
According to Microsoft, using MFA blocks over 99.9% of attempts at hacking into accounts!
Remember, it may be Cybersecurity Awareness Month, but cybersecurity awareness should be a year-round, ongoing process!