There’s one major factor responsible for cybersecurity breaches that not everyone likes to think about: your people.
Human error – most commonly related to phishing attacks – is the weak link exploited by huge numbers of costly cyberattacks on businesses every year.
That’s why getting phishing awareness training for your team is so important. It’s a way of investing in your people, yes. But it’s also a vital investment in your company.
Yet it’s also one that, for all its critical nature, will tend to cost you next-to-nothing.
What is phishing?
Phishing is a type of cyberattack. The most common form is where a cybercriminal sends a fake email that’s designed to trick someone in your organisation into handing over sensitive information or installing some malware on your system.
Phishing attacks use social engineering techniques of varying sophistication. They used to be and can still be pretty easy to spot – if you know what you’re looking for.
Yet these emails are getting increasingly realistic. Some may look just like your own organisation’s internal emails do. Others may appear to be from legitimate, trusted individuals.
The giveaway is that, like all phishing emails, they include things like:
- Dodgy email attachments
- Links to dodgy websites
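As an added example that is not from the post or from Dial A Geek, here is a small Python script that checks an email for the two giveaways listed above: links that point somewhere other than the address they show (or that borrow your brand inside a domain you do not own), and attachments of the kinds mail filters routinely quarantine. The organisation domain example-corp.com, the sample message and the attachment names are constructed for the illustration; the "registrable domain" logic is deliberately crude.

```python
"""Heuristic triage of an email's links and attachments (added example, constructed data)."""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organisation's own domain(s). Placeholder, not a real customer domain.
TRUSTED_DOMAINS = {"example-corp.com"}

# Attachment types that mail gateways commonly block or flag outright.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a scheme is added so bare 'domain.com/x' parses too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host (crude: ignores suffixes like co.uk; fine for illustration)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_url(text):
    """Does the visible link text itself look like an address rather than a phrase?"""
    return " " not in text and "." in text


def triage(html_body, attachment_names):
    """Return a list of (finding kind, detail) tuples for a message body and its attachments."""
    findings = []
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:
            continue
        # 1. The text shows one address but the link goes to a different domain.
        if looks_like_url(text):
            text_host = host_of(text)
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                findings.append(("link-mismatch", f"shows {text_host}, goes to {href_host}"))
        # 2. Our own domain name appears inside a host we do not control.
        if not is_trusted(href_host) and any(d in href_host for d in TRUSTED_DOMAINS):
            findings.append(("lookalike-domain", href_host))
        # 3. Internationalised label: may render as a near-identical name in the mail client.
        if "xn--" in href_host:
            findings.append(("punycode-domain", href_host))
    for name in attachment_names:
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    return findings


# Constructed sample: a "mailbox full" lure with a disguised link and a double-extension attachment.
SAMPLE_BODY = """
<p>Hi, your mailbox is almost full.</p>
<p>Click <a href="http://example-corp.com.account-verify.net/login">https://example-corp.com/login</a>
to keep your account active.</p>
<p>See also the <a href="https://example-corp.com/policies">policy page</a>.</p>
"""
SAMPLE_ATTACHMENTS = ["Mailbox_Report.pdf.exe", "policy.pdf"]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"{kind}: {detail}")
```

Run against the constructed sample it reports a link mismatch, a lookalike domain and a risky attachment, while the genuine policy link and the PDF pass. The same checks are what a trained person does by eye: hover over the link, compare the real destination with the displayed one, and look twice at any attachment before opening it.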
How does phishing work?
Most phishing works at scale. A hacker will create a large list of email addresses and shotgun their fraudulent email to them all. It’s a numbers game, where someone somewhere is likely to get hooked.
But there are specific sub-types of phishing. The most effective is called spear phishing, and more closely targets key individuals or organisations with things like cleverly spoofed branding.
There’s also whaling, where CEOs or other “big fish” are targeted. (Seriously, whoever comes up with some of these names deserves a prize.)
But they all share the same basic strategy. They’re designed to trick someone on your team into allowing some sort of access to your system.
Why is phishing awareness training necessary?
Once they’ve got access to your system, that cybercriminal is going to leverage their access. They can do so in a bunch of innovative ways:
1) Business Email Compromise
This essentially boils down to a cybercriminal managing to impersonate someone like a supplier or executive-level employee. They then fraudulently secure or demand a transfer of funds, apparently legitimately.
In the US, the FBI received notification of around 20 000 of these threats in 2020. The businesses involved reported total losses of around £1.3 billion. The unreported losses are thought to be much higher.
BEC is the most costly – and, for the attacker, most effective – type of cybercrime currently in use.
2) Credential Compromise (login theft)
This follows a phishing email that successfully tricks a member of your team into entering their account name, number, or password into a fraudulent website.
These attacks are probably one of the simplest to carry out. All you really need is a massive list of email addresses and a little technical ability. That’s probably why they’re becoming more and more prevalent as a percentage of total cyberattacks.
For all their simplicity though, they work a worrying amount of the time. A recent study in the US showed that the average company ended up paying out around £500 000 and taking an average of 279 days to track down and contain each credential compromise they suffered.
For the attacker, it’s worth the effort though. Just imagine what someone could do with, for example, your finance manager’s account details.
3) Malware and ransomware attacks
Malware is a catch-all term for malicious software. It’s collectively responsible for some of the most expensive cybersecurity breaches of the past few years. But what does malware actually do?
The best example is ransomware. This is a type of malware that basically locks you out of your own system until you pay the cybercriminal responsible the “ransom” money they’ve requested.
Picture how enraging that would be. Thousands of businesses every year don’t need to picture it – it has happened to them. Ransomware attacks have been soaring in number in the past couple of years, partly driven by conditions surrounding the COVID-19 pandemic.
That’s a big problem for businesses with untrained employees, because the amount scammers are demanding in ransom is going up alongside the overall number of successful attacks. The average ransom has now reached around £125 000.
Average additional recovery costs (scouring your system of any trace of the breach, reputation recovery and so on) now rest comfortably above the £1 million mark.
4) Gutted professional reputation, productivity, and more
That’s not to mention things that are much harder to put a monetary value on.
Things like your company’s reputation. Cybersecurity breaches go down particularly poorly in industries like banking, healthcare, or even recruitment, where you are responsible for your clients’ sensitive personal data.
There’s also your team’s lost productivity. It’s hard to get any work done when they can’t access your system at all.
What is phishing awareness training?
It’s sad to say that the weakest link in your business’s cybersecurity is probably your well-meaning – but, when it comes down to it, far more gullible than a computer – human team.
All it really takes is one hard-working, slightly distracted person to click on a random link in an email. Then all of those theoretical costs and hypothetical disasters start being your reality.
Luckily, phishing awareness training (PAT) is very low cost and usually included in managed services. It teaches your team how phishing works, the general tactics that are involved, and what to do when they’ve been targeted.
It’s just what you need to ensure the people factor will not undo all of the good work you’ve done on your business’s cybersecurity.
Not set up phishing awareness training for your organisation yet?
Let’s talk. Nearly 1000 businesses in and around Bristol already trust Dial A Geek to manage their cybersecurity.
Set up a cost and commitment-free meeting with Chief Geek Gildas Jones today to arrange PAT or talk more generally about Managed Services as a 100% cybersecurity solution (including people training).