How cyber aware are your employees?
Cybersecurity incidents like phishing, stolen credentials, and malware caused 44% of all data breaches reported under the Notifiable Data Breaches Scheme in the second half of 2023 (OAIC). For many of these incidents, the root cause is social engineering: one or more of your employees has unknowingly taken a compromising action, guided by a threat actor.
Did you know: 30% of all data breaches were due to human error. Security controls like those outlined in the ACSC’s Essential Eight can help stop these types of errors.
Up-to-date, regular cybersecurity training and ongoing awareness campaigns help drive down the risk factor for employee compromise. Your top cybersecurity priority for 2024? It should be setting up your business and employees for success with cybersecurity awareness.
Let’s step through a common play by cyber attackers
An email lands in Mark’s inbox. Mark is in charge of procurement while Kirsty is on maternity leave. It’s three days until the end of the financial year and he’s received a lot of requests for last-minute purchases from all over the business. This email is from the head of marketing.
“Hey Mark,
I’m sure you’re under the pump at the minute but we have leftover budget for the year and want to grab this digital asset management system. I’ve attached the invoice to be paid, we’re keen to get it up and running ASAP.
Thanks a mil!
Lara”
Mark pays the invoice, notes it against marketing, and moves along to the next request. What he fails to notice is that the email has come from a slightly different address from Lara’s usual one.
Instead, he’s just paid company funds into a fraudster’s account. Adding insult to injury, the attached document contained a malicious payload. That payload is now working its way through company systems, to encrypt company data at the flick of a switch and then demand a ransom to decrypt it.
The perp was able to find all the information they needed to carry out their attack in under five minutes – thanks to a quick browse on LinkedIn. They know EOFY is busy in procurement and take advantage of that pressure, and that Mark’s in a new role. In fact, they’ve sent out the exact same play across hundreds of similar Aussie businesses at the same time.
Security is everyone’s responsibility
Controls like file scanning, two-person approvals for large payments, and rejecting emails from domains that look similar to the company's own domain are ways to help stop these attacks from a technical perspective. Australia’s Protective Security Policy Framework can also help guide businesses.
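The lookalike-domain control above, in the kind of mail-filter logic a defender would bolt onto a gateway or ticketing rule. This is an added example, not code from the original post or from any vendor; the internal domain, the sender addresses, and the small table of look-alike character substitutions are all constructed for illustration, and the edit-distance threshold of 2 is an assumption you would tune against your own mail volume.

```python
from email.utils import parseaddr

# Constructed sample data: a made-up internal domain and a handful of From: headers
# that cover the cases in the story (genuine, subtly altered, unrelated).
INTERNAL_DOMAIN = "example-corp.com.au"
SAMPLE_SENDERS = [
    "Lara <lara@example-corp.com.au>",        # genuine internal address
    "Lara <lara@examp1e-corp.com.au>",        # digit 1 standing in for the letter l
    "Lara <lara@exarnple-corp.com.au>",       # 'rn' standing in for 'm'
    "Lara <lara@example-corp.co>",            # same label, different top-level domain
    "Vendor <billing@unrelated-vendor.example>",  # ordinary external sender
]

# Partial table of characters that read alike in common fonts (assumption: extend
# this with whatever confusables matter for your own domain name).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Lower-case the domain and fold common look-alike substitutions."""
    folded = domain.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender: str, internal: str = INTERNAL_DOMAIN, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a From: header value."""
    _, addr = parseaddr(sender)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == internal or domain.endswith("." + internal):
        return "internal"
    norm_domain, norm_internal = normalise(domain), normalise(internal)
    # Whole-domain comparison after folding confusables
    if norm_domain == norm_internal or levenshtein(norm_domain, norm_internal) <= max_distance:
        return "lookalike"
    # Compare the first label alone, so a swapped top-level domain is still caught
    if levenshtein(norm_domain.split(".")[0], norm_internal.split(".")[0]) <= max_distance:
        return "lookalike"
    return "external"


def triage(senders=SAMPLE_SENDERS) -> dict:
    """Map each sample sender to its verdict; lookalikes are the ones to hold for review."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage().items():
        print(f"{verdict:10} {sender}")
```

In practice this check sits alongside, not instead of, the two-person payment approval: a "lookalike" verdict should route the message to a quarantine or review queue rather than silently dropping it, because the same logic will occasionally flag a legitimate partner whose domain happens to be close to yours.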
But technical and process-based controls alone aren’t enough to stop all cyber attacks.
Employees need to stay alert and aware – and not be fooled. The only way you can ensure employees are on the lookout is by empowering them with cybersecurity knowledge, via training and awareness programs.
How to increase cybersecurity awareness
Here are some ways to keep cybersecurity ticking in employees’ brains:
- Include cybersecurity messaging on your intranet, in company newsletters, at all-hands meetings, and peppered into other internal communications.
- Ensure comprehensive onboarding cybersecurity training, including when employees step into new temporary or permanent roles.
- Curate specific training types for different roles and groups, based on their duties and access to information.
- Run quarterly, up-to-date refresher training company-wide, accounting for different learning styles (e.g. workshops, written, video).
- Find and empower security champions within your business.
Need a hand?
If you need a hand in creating or running the right training for employees, creating a bank of internal cyber messaging blasts, or automating your cyber awareness program, just give us a shout. We can help set your whole team up for success to deflect the bad guys from all angles.