Failed Test, Phishing, and Infections: An Introduction to Data Breaches

“The most dangerous enemy in the world is the one you do not recognize.” Tess Gerritsen 

Last week, a client of ours failed a test. They not only opened the email… they entered their log-in credentials. They were THAT employee. And they were an executive.  

Luckily, the email was part of the ongoing cybersecurity training MiTech Services provides to clients, so no actual damage was done. The email was nearly perfect and passed the following litmus tests: 

  1. Email was sent during regular business hours 
  2. Email was from an organization the client recognized (specifically, the HR application they utilize) 
  3. Email contained no spelling or grammar errors 
  4. Email included the logos/images associated with aforementioned HR application 

So, what did they fail to recognize? While the email address included the name of the HR application, the email address was not consistent with previous communication from the company and ended with @service-noreply.info. The failed test could have resulted in a massive data breach of a company operating within a tightly regulated industry.  
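The check the executive missed can be automated. The snippet below is an added example, not code from the original post or from MiTech Services: it compares the domain of a From: header against the domains a vendor is known to send from and flags a message that borrows the vendor's name while sending from somewhere else. The brand name, its allowlisted domains and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed allowlist: domains a known vendor actually sends from.
# "examplehr" and its domains are assumptions for this example, not a real vendor.
KNOWN_SENDERS = {
    "examplehr": {"examplehr.com", "mail.examplehr.com"},
}

# Words that lookalike domains often lean on to appear like a system notification.
GENERIC_SERVICE_WORDS = re.compile(r"(no-?reply|service|support|secure|login)", re.I)


def check_sender(from_header: str) -> dict:
    """Flag a From: header whose domain does not match the brand it claims to be."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"address": addr, "domain": "", "suspicious": True,
                "reasons": ["no parseable sender address"]}
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    reasons = []

    # A brand is "claimed" if its name appears in the display name, local part or domain.
    haystack = f"{display} {local} {domain}".lower()
    for brand, allowed in KNOWN_SENDERS.items():
        if brand in haystack and domain not in allowed:
            reasons.append(f"claims brand {brand!r} but sends from unapproved domain {domain!r}")

    # A generic "service-noreply" style domain that belongs to no known vendor is itself a signal.
    known = any(domain in allowed for allowed in KNOWN_SENDERS.values())
    if GENERIC_SERVICE_WORDS.search(domain) and not known:
        reasons.append(f"generic service/noreply domain {domain!r} not tied to a known vendor")

    return {"address": addr, "domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed headers: the first mirrors the failed test, the second is the legitimate pattern.
    for hdr in ("ExampleHR Notifications <examplehr@service-noreply.info>",
                "ExampleHR <notifications@examplehr.com>"):
        print(check_sender(hdr))
```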

We hear a lot about data breaches in the news, our places of employment, and even in our kids’ schools; but what exactly is a “data breach?” A data breach refers to the unauthorized access, acquisition, disclosure, or use of sensitive or confidential information. A breach can result from a variety of factors including phishing attacks, malware infections, and social engineering. When a data breach occurs, it often results in the exposure of personal, financial, or other sensitive data, which can lead to various consequences, such as identity theft, financial losses, reputational damage, and legal repercussions. There are additional consequences that are harder to quantify, but no less significant, such as the mental and emotional trauma of having personal data shared publicly. 

To understand the significance of data breaches and why individuals, businesses and publicly funded entities must actively prevent cyber-attacks, one must first recognize the various ways cybercriminals gain access to data. 

Phishing Attacks: Phishing is a type of cyber-attack where attackers impersonate legitimate entities to deceive individuals into revealing sensitive information such as login credentials, credit card numbers, or personal identification details. Phishing attacks often occur through fraudulent emails, text messages, or phone calls that appear to be from trusted sources, tricking users into clicking malicious links or downloading malicious attachments. Everyone receives phishing emails on a regular basis. These emails often declare the recipient to be the winner of a gift card or state that log-in information for a specific account needs to be updated.  

Phishing attacks are the primary reason why a company’s employees are the greatest threat to their IT environment. There is an employee (or more likely multiple employees) who will not only open the email but will download the attachment or enter secure log-in credentials.  

Malware Infections: Malware, short for malicious software, refers to a variety of harmful software programs designed to disrupt, damage, or gain unauthorized access to computer systems. Malware can be spread through infected email attachments, compromised websites, or removable storage devices. Once installed on a system, malware can steal sensitive data, encrypt files for ransom, or provide remote access to attackers. 

Insider Threats: Insider threats occur when individuals within an organization misuse their access privileges to compromise sensitive data. This can include employees, contractors, or partners who intentionally or unintentionally disclose confidential information, misuse company resources, or engage in unauthorized activities. Insider threats can result from negligence, disgruntlement, or malicious intent. 

You can think of this cyberthreat as the “open to everyone threat.” Many companies give every employee the same level of digital access, which can lead to unintended consequences such as essential files being accidentally deleted or compliance requirements, such as patient confidentiality under HIPAA, being violated. The “intentional violations” are more obvious, such as employees stealing proprietary company and/or client information. 

Physical Theft: Physical theft involves the unauthorized removal of physical devices or documents containing sensitive information. This can include theft of laptops, smartphones, USB drives, or paper files from offices, vehicles, or other locations. Physical theft poses a significant risk to data security, as it can result in the exposure of sensitive data to unauthorized individuals. 

Most companies read this and think, “What business wouldn’t notice a missing laptop?” These same companies have NO asset management plan in place. If you are reading this and your business does not maintain and continuously update a detailed list of all devices, YOU ARE THAT BUSINESS. 

Social Engineering Attacks: Social engineering attacks manipulate individuals into divulging sensitive information or performing actions that compromise security. These attacks often exploit human psychology and trust to deceive victims. Examples include pretexting (creating a fabricated scenario to extract information), baiting (enticing victims with a promise of reward), and tailgating (gaining unauthorized access by following an authorized individual). 

Protecting your business from cyberthreats is essential, but many companies ignore the possibility of a breach and choose not to pay for advanced cybersecurity and employee training because “it will never happen to them.” 

UP NEXT: Cyberattacks and Pickleball: A Study of Rapid Increase 
