A lot of companies still employ traditional methods of cybersecurity training and awareness with their employees. Training material such as videos or policy documents is often used when a person starts in their new position.
With ever-changing threats and attack methods, as well as the overwhelming amount of information when joining a new company, it's no surprise that this practice fails months or years down the line when a real attack comes in.
We specialise in teaching companies and employees to understand the threats and identify the most common forms of attack. Relying only on antivirus tools, firewalls and email filtering systems will not protect you from the most common attacks. Threat actors choose other routes of attack because those are far easier to compromise than these technologies.
A person is much easier to compromise than security technology that is actively worked on, unless you actively work on improving the person's security.
Half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. Although this is a high figure, it does not include unreported incidents.
31% of businesses and 26% of charities have undertaken cyber security risk assessments in the last year - rising to 63% of medium businesses and 72% of large businesses.
By far the most common type of breach or attack is phishing (84% of businesses and 83% of charities).
Everyone talks about phishing because it is the most prevalent and efficient method of gaining access to privileged information, which the attacker can then use for further gain (such as changing the bank details of your clients and customers to their own), sell (often on the dark web), or use to hinder or even shut down a business under ransom.
Phishing is a type of attack where a third party tries to trick a person into giving up privileged personal or business information, such as passwords (most commonly your email login details) or banking information, or into doing something, by pretending to be someone you know, like a bank, your email provider, a customer or even your business itself.
Phishing: Spot and report scam emails, texts, websites and... - NCSC.GOV.UK
Develop a strong security-conscious culture: it's better to question and be sure than to find out when it's too late. While a large number of phishing attacks come from random emails or accounts and get caught or noticed, some are cleverly designed, and people outside of the IT industry (and even inside) will be in a rush, focussed on something or even just eager to please their new employer by getting things done fast.
A common assumption is that emails are safe because they come from a known email address. How do you know that the sender hasn't been compromised and that the threat actor isn't using their account to widen their net? This is seen on a daily basis and is a very common method because it is very efficient and, if done properly, will be largely successful.
This is where proper training, simulated attacks and real-life scenarios come in. Traditionally people have been trained to look for random email addresses and names with dodgy-looking links or websites. This is outdated, insufficient and does not work in the current climate of cybercrime.
Educating employees to question suspicious emails, teaching them the methods of attack and building non-technical employees' understanding of how threat actors operate and how common attacks occur is crucial in order for them to be able to recognise attacks, regardless of where the attack comes from.
Making sure your employees are aware and vigilant is very important. However, this is based upon the assumption that your business has the necessary security in the first place.
Do you have email security?
Who are your employees receiving emails from? Are you limiting their exposure to malicious actors and implementing systems to warn them that something is suspicious? This won't remove the need for further training or security, but each step in securing your environment and educating users lowers your risk of compromise. https://checkcybersecurity.service.ncsc.gov.uk/email-security-check/r
Is your IT provider keeping to best practices and informing you of changes that need to be made to keep up with evolving threats? See Small Business Guide: Cyber Security - NCSC.GOV.UK and, for medium to larger businesses, 10 Steps to Cyber Security - NCSC.GOV.UK
Is your MFA (multi-factor or two-factor authentication) set up, and is it set up properly with best practices adhered to? See Why MFA matters - NCSC.GOV.UK. Many companies either don't have MFA set up or have legacy methods that fall short when it comes to protecting the business. This is especially important for those that store company data beyond emails in the cloud using things such as OneDrive and SharePoint.
Are your DNS records correctly set up? See Email security and anti-spoofing - NCSC.GOV.UK. A large number of businesses have incomplete or incorrectly configured DNS records, which leads to their emails being marked as spam, filtered or rejected and opens their domain up to being abused or spoofed. Correctly configured DMARC, DKIM and SPF records are essential for any business.
Check if your DNS is correctly set up here (free .Gov check): https://checkcybersecurity.service.ncsc.gov.uk/email-security-check/
Copyright © 2025 IPcIT - All Rights Reserved.