NZ Incident Response Bulletin – June 2022

Our Views:

Cyber Security Awareness – Practical Tips to Protect Your Systems

Introduction

So far during the second quarter of 2022, we have seen an alarming increase in the number of New Zealand organisations falling victim to email phishing attacks. These attacks not only attempt to steal your login credentials, but also trick you into running malicious software, which the attackers then use for data theft, ransomware deployment and more.

It is therefore more important than ever to ensure that your staff understand the wide variety of cyber security risks your organisation faces. At Incident Response Solutions, we believe cyber security risks are best mitigated by following an evidence-based approach: what are local incident response firms responding to most often, what does current data breach research tell us, and which cyber security controls should be applied based on those findings?

According to the 15th annual Verizon Data Breach Investigations Report (DBIR), published this month, 82% of breaches involved the human element, including social attacks, errors and misuse. The report identifies four key paths leading to a breach of your systems: attackers using stolen credentials, phishing, exploiting software vulnerabilities, and botnets. It concludes that organisations must have a plan to handle each of these.

To improve your organisation's security, we recommend conducting a four-pronged cyber security awareness campaign:

Step 1 – Credential Monitoring

Scan for compromised credentials belonging to your domain name (staff email addresses and associated passwords that have appeared in public breach data) and demonstrate to staff how easily their passwords can be obtained and reused by attackers. Note that you also have obligations under the Privacy Act 2020 in relation to privacy breaches that are likely to cause serious harm. We recommend that any credential found to still be valid is changed immediately upon discovery.

Step 2 – Phishing Simulation

A phishing simulation is a training tool that organisations can use to send realistic phishing emails to employees, in order to test their level of awareness of such attacks and to advise them on what to do with phishing emails when they receive them. We recommend you run a carefully planned set of simulated phishing attacks to find out how vigilant your employees are and how they can be trained further. Simulations are more effective if you customise the phishing templates so they reproduce the text and formatting of a third party your staff often communicate with. Measure not only who clicks, but also how many staff report the email and how quickly, since a reported phish is the outcome you are training for.

Step 3 – Online Cyber Training and Awareness

The Verizon report emphasises the need to increase staff awareness of the tactics attackers are likely to use against organisations in your industry, both as a tool to encourage executives to support much-needed security initiatives and as a way to illustrate to employees the importance of security. The report suggests that, on average, staff at organisations that run online training spend around one hour per year on it.

We believe that every dollar spent on security awareness training significantly reduces your organisation's exposure to cyber attacks. Doing this not only helps you save thousands of dollars in the event of a breach, but could prove priceless in avoiding long-term costs such as lost customer trust and damage to your reputation.

Step 4 – Cyber Security Controls

The above three steps form the foundation for improved cyber security awareness. However, we recommend going one step further and formalising your cyber security awareness programme under a recognised set of cyber security controls. We recommend the Center for Internet Security (CIS) Controls. Version 8 consists of 18 controls, each split into safeguards and grouped into three Implementation Groups. Implementation Group 1 (IG1), the lowest, defines basic cyber hygiene and represents a minimum standard of information security for all enterprises; it is intended to let enterprises with limited cybersecurity expertise thwart general, non-targeted attacks. Control 14 deals with Security Awareness and Skills Training, and its IG1 safeguards are:

  • 14.1 Establish and Maintain a Security Awareness Program
  • 14.2 Train Workforce Members to Recognize Social Engineering Attacks
  • 14.3 Train Workforce Members on Authentication Best Practices
  • 14.4 Train Workforce on Data Handling Best Practices
  • 14.5 Train Workforce Members on Causes of Unintentional Data Exposure
  • 14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
  • 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
  • 14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

It is noteworthy that at Implementation Group 1 there are 56 safeguards across the 18 controls, and that 8 of the 56 belong to Security Awareness and Skills Training. We can assist you with all four steps detailed above.

Click here if you wish to subscribe to our Premium Edition of the Bulletin.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.