Employee Cybersecurity Training within a Business is a proactive strategy to reduce risk of a cyber-attack. Staff need to be able to detect potentially suspicious email messages and know the steps to take when they recognise a suspicious message.
Email is one of the most popular mediums for criminals to target unwary business with scams, phishing and malicious software (malware). Between April and June of 2018 ACORN (Australian Cybercrime Online Reporting Network) reported that email remains one of the top three targets for cyber criminals.
Understanding how it works?
Several different threats utilise email for their success this includes phishing and malware. These threats work as follows:
- An employee receives a message that contains an appeal or threat and tries to convince the recipient to do something like clicking a link.
- The employee assesses the characteristics of the message and decides it is a legitimate email and then undertakes the requested action.
- The employee performs the required action – which might be clicking a malicious link, opening a malicious file or even sending sensitive information such as Credit card details. The impact is that the sender of the message has an illegitimate gain as the sender and the receiver has a negative consequence because of undertaking the action requested.
With social engineering it is becoming harder to spot malicious emails, which only increases the importance of having regular discussions with staff about how to detect suspicious emails and sharing their knowledge of scams that they have become aware of.
Social engineering is a way of manipulating people using misinformation, which means that the natural defences against deception are lowered. Criminals are investing in time, effort and money to research targets to learn names, titles, responsibilities and any other personal information they can find. Applications such as Facebook Linkedin are extensively used to locate this information. This raises the topic of Identity theft online.
Discuss simple things with employees like the information they might be sharing and how that can be used to make an email seem real and accurate. For example, a senior executive indicates he is travelling and as result the scammer sends an email from the senior executive asking for an urgent payment. Employees in financial and administrative positions can be targeted re changing banking details, transferring funds or a request for sensitive financial information.
Spam and Reducing It
Spam is the receipt of electronic messages that you have not asked for that are sent to an email account.
Some steps that can be employed to reduce email are:
- Don’t share your email address.
- Use multiple email addresses for a different range of actions E.g. an address specifically for online forms.
- Have separate emails for Business and Personal use.
- Ensure your email system has a spam filter to catch emails before they get to an inbox.
- Have a whitelisting/blacklisting policy for email addresses.
- Ensure that your Anti -Virus solution does not allow people to download files without a release policy.
- Do not open any emails contained in the spam folder.
- Clean and empty the spam folder regularly.
- Do not subscribe for regular email when signing up for an online account or service.
Detection what to look for?
Detection is not easy as scammers are very cunning and careful today. Despite this there are some simple steps to follow to minimise the risk.
Simple rules are:
- Do not open messages if you do not recognise or know the sender.
- Emails that are not addressed to you directly or use your correct name.
- Check the address it is from don’t look at the name look at the actual email address.
- Don’t forward emails that you are not certain about.
- Ask somebody what they think if you are uncertain on any links or attachments.
- With a link hover over it to see the web address if in doubt don’t click it.
- Ensure your anti-virus software is updated and has the latest virus definitions.
Two Step Verification for Email Accounts
Two step verification is a common process in today’s environment. Effectively the two step verification process makes it very difficult for someone else to sign in to your email account.
Put simply two step verification/authentication is a process where the use must provide more than one type of proof that they are authorised before they can access an account. This is common across many web service providers such as Google, Microsoft and Gmail.
Cybersecuirty training on email is often overlooked but it is one that should be discussed constantly with employees. Involve everyone, ask your local Computer Troubleshooter about how they can help you educate your employees.
The take away is be proactive in minimising the risk and reducing the impact of a cyber incident to your business. Call 02 8385 6762 to discuss your needs