[BreachExchange] Cyberattacks: Is your business protected?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Apr 19 22:03:01 EDT 2016
http://www.itproportal.com/2016/04/19/cyberattacks-is-your-business-protected/
With social engineering now a bigger threat to businesses than hacking,
spamming or DDOS attacks, how can businesses safeguard themselves from
falling foul of cyberattacks?
With UK firms losing £18 billion in revenue from cyberattacks in 2015
alone, and 90 per cent of major businesses experiencing a security breach
in the past year, digital threats are becoming more and more of a challenge
for companies and their clients.
However, one of the most prevalent threats currently facing the business
community is human naivety in the face of increasingly sophisticated and
elaborate social engineering scams – a series of con technqiues designed to
extract key information from unwitting individuals. It’s no longer about
simply obtaining banking or credit card details but gathering the right
information to enable fraudsters to dupe their targets in a more intricate
and elaborate way.
Inadequate email protection
The most vulnerable area for companies is the loss of information through
either the neglect or inadequate protection of email when collating
customer information, which makes accessing information all the more easy
for fraudsters. If scammers are able to gather this information they can
use it to dupe customers for monetary gain via ‘spear-phishing’ – a process
used by a fraudster which involves imitating emails so recipients believe
they are from someone they know.
One of the more popular examples of such a scam is when companies require a
deposit for a product or service and are conducting the majority of their
business over email. Fraudsters will replicate an email in the guise of the
company to ask the customer for a settlement fee. As far as the customer is
concerned, because the email appears legitimate, and contains information
that is factually correct, they have no reason to question its plausibility
and can be tricked into willingly transferring funds to the fraudster. The
customer is none the wiser until a bonafide sales consultant contacts them
directly requesting payment, at which point it is too late to rectify and
retrieve the money – not a good advertisement for any business.
This isn’t an uncommon scenario and one that can cost businesses dearly in
both financial terms and reputational damage. The consequential fallout
from the loss of customer trust can have a huge impact on a business’
bottom line, so having the right protection in place is paramount.
Employee awareness and education
The weakest link for the majority of businesses tends to be employees who
have received little in the way of training to spot the potential pitfalls
of online scams, or are simply unaware of the techniques used by social
engineering fraudsters.
Both companies and their customers need to be educated about the issues
which arise from human naivety. Employees most at risk because of the
nature of their job, such as staff able to authorise payments or cash
transaction, should be operating a two layer authentication process to help
eliminate breaches – a username and password and the additional backup of a
randomly generated personal identification number (PIN) for every new
transaction they process.
Furthermore, employees should not be able to access applications using a
‘group’ password as this leaves businesses wide open to any cracks they may
have in their security protection policies.
Password policies need to be rigorous and passwords should be updated
frequently using a variation of letters, numbers, and characters to ensure
they aren’t weak. Default passwords, or using the same passwords for
numerous applications, should be avoided.
Adequate email protection
Using employee data from easy to obtain information sources such as
LinkedIn can make it incredibly easy for fraudsters to gain access to
company emails. This is particularly the case in large groups, where
employees aren’t immediately recognisable to management and scammers can
impersonate a member of staff ‘working from home’ in order to extract
sensitive information, such as passwords, over the telephone. Alternatively
they aim to dupe lower tier staff using company hierarchies by sending
emails requesting data whilst posing as senior management.
Businesses can reduce their exposure to such risks by ensuring end users
are only able to access the data they need and immediately removing access
to systems the moment someone in the business leaves.
Sharing experiences
Businesses would benefit greatly from an online community where they can
share their experiences of cyberattacks and security breaches and get peer
to peer advice to learn, benefit, and reduce the likelihood of an attack.
There is no doubt that numerous organisations have fallen victim to
cyberattacks, security breaches, and scams, but unfortunately the subject
still remains much of a taboo among business communities that don’t wish to
admit to falling foul of a security breach.
Upcoming threats
Fraudsters are becoming more and more adept at formulating intricate and
complex ways to infiltrate and breach data. Although security software will
help ward off potential threats, fraudsters will always aim to be one step
ahead so individuals need to keep their wits about them to avoid any
unpleasant surprises.
For instance, ransomware, a form of malware, which typically propogates
itself as a trojan, systematically encrypting files on a system’s hard
drive, rendering it impossible for users to access or unlock devices
without paying a ransom. It’s predicted to be a major upcoming threat to
businesses, as well as the wider economy, with the potential to cause
unprecedented disruption.
A robust security policy needs to not only include the traditional
protection of systems, such as anti-virus and firewall software, but also
ironclad processes should be adopted and communicated effectively to staff
to prevent information from being leaked and to reduce the likelihood of
customers becoming victims of duping scams.
Companies who aren’t fully prepared for the extremity of cyberattacks are
extremely vulnerable to suffering a security breach and should seek
professional advice to ensure that their data and systems are properly
safeguarded.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160419/0918d6d1/attachment-0001.html>
More information about the BreachExchange
mailing list