While the growing risk of cyber threats is relatively well known, many organisations still appear to believe it won’t happen to them. Although concerned about the amount of data held online, people continue to entrust social networking sites such as Facebook and LinkedIn with large amounts of personal and sensitive information.
However, what many fail to realise is that as attacks become increasingly targeted, this information is becoming crucial to cybercriminals’ success. Indeed, a recent survey revealed that while over 70 percent of people are worried about the amount of personal information online, a third stated they would still send a password, bank details or mother’s maiden name to an unknown person online – a scary thought when considering how easily this information can be abused.
This discrepancy increasingly suggests a worrying lack of awareness when it comes to modern day cybercrime. A good example is the widespread lack of action to combat the rapid rise of social engineering and spear phishing.
Cybercriminals increasingly rely on psychological manipulation, sending tailored emails to specific individuals within an organisation to persuade them to open a malware-laced attachment or follow a link to a malicious site. Designed to appear highly credible, spear phishing messages are extremely easy to fall for and, as a result, employees themselves have become one of the biggest security risks to organisations.
What makes these attacks even easier to plan and execute is the wide availability of the personal information employees place online. Even the smallest details, such as birthdays, job titles or hobbies, are enough for cybercriminals to compose a convincing email that appears to come from someone the target trusts. All the employee has to do is open that email and click the link or run the attachment, and the attacker has a foothold from which the rest of the corporate network can be attacked.
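The characteristics described above (a sender who looks like a colleague, a display name the recipient trusts, a reply address that quietly goes elsewhere, an attachment that is really a program) can be checked mechanically before a message reaches an inbox. The following is an added example written for this article, not code from the original page; it assumes a fictional organisation domain example-corp.com and constructs its own sample messages, including a lookalike sender using examp1e-corp.com.

```python
"""Spear-phishing indicator triage for a parsed e-mail message.

Added example for this article; not code from the original page. The
trusted domains, brand keywords and both sample messages are constructed.
"""
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own mail domain(s) and how its name appears.
TRUSTED_DOMAINS = {"example-corp.com"}
BRAND_KEYWORDS = {"example corp", "example-corp"}
# Extensions that run code when opened; the double-extension trick hides them.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header (or '')."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def triage(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    findings: list[tuple[str, str]] = []
    from_hdr = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)

    if not is_trusted(from_domain):
        # 1. Lookalike domain: a few edits away from, or embedding, a trusted one.
        for t in TRUSTED_DOMAINS:
            d = edit_distance(from_domain, t)
            if 0 < d <= 2:
                findings.append(("LOOKALIKE_DOMAIN", f"{from_domain} is {d} edit(s) from {t}"))
            elif t in from_domain:  # e.g. example-corp.com.secure-login.test
                findings.append(("LOOKALIKE_DOMAIN", f"{from_domain} embeds {t}"))
        # 2. Display name claims the organisation, but the address is external.
        name = display_name.lower()
        if any(k in name for k in BRAND_KEYWORDS) or "@" in name:
            findings.append(("DISPLAY_NAME_SPOOF", f"'{display_name}' sent from {from_domain}"))

    # 3. Replies silently routed to a different mailbox than the apparent sender.
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(("REPLY_TO_MISMATCH", f"Reply-To {reply_domain} != From {from_domain}"))

    # 4. Attachments that execute when opened, including name.pdf.exe tricks.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rsplit(".", 1)[-1] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            kind = "double extension" if fname.count(".") > 1 else ext
            findings.append(("RISKY_ATTACHMENT", f"{fname} ({kind})"))
    return findings


def sample_spear_phish() -> EmailMessage:
    """Constructed lure: lookalike sender, CEO display name, executable attachment."""
    msg = EmailMessage()
    msg["From"] = '"Jane Doe - Example Corp CEO" <jane.doe@examp1e-corp.com>'
    msg["Reply-To"] = "jane.doe.office@webmail.example"
    msg["To"] = "finance@example-corp.com"
    msg["Subject"] = "Quick favour before the board call"
    msg.set_content("Can you process the attached invoice today? Thanks, Jane")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice_Q3.pdf.exe")
    return msg


def sample_legitimate() -> EmailMessage:
    """Constructed genuine message from the real domain with a real PDF."""
    msg = EmailMessage()
    msg["From"] = '"Jane Doe" <jane.doe@example-corp.com>'
    msg["To"] = "finance@example-corp.com"
    msg["Subject"] = "Q3 invoice"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="Invoice_Q3.pdf")
    return msg


if __name__ == "__main__":
    for label, sample in (("lure", sample_spear_phish()), ("legitimate", sample_legitimate())):
        print(label, triage(sample) or "no indicators")
```

To run it against a real message, parse the raw bytes with email.message_from_bytes(raw, policy=email.policy.default) and pass the result to triage(). The four checks are deliberately simple; a mail gateway would additionally use the SPF, DKIM and DMARC results and inspect link targets in the body, but these are precisely the signs a trained employee can also spot by eye.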
Social media misunderstanding
A growing concern is that users seem to place greater trust in certain social networking sites. This once again comes down to the fact that individuals and organisations are unaware that it is the information itself which poses the security threat. While Facebook’s security issues have been widely covered in the media, LinkedIn’s privacy settings are often overlooked, which has led users to believe that the risk there is lower.
Indeed, while 46 percent of Facebook users have customised their privacy settings, just 20 percent of those on LinkedIn have restricted who can view the information on their profiles. The fact is that where the information is posted is irrelevant: if it is available for anyone to view, cybercriminals can access and use it. As a result, individuals are effectively facilitating these attacks themselves.
Learning and layers
With so much at stake, organisations cannot afford to wait for an incident before acting. As well as a strong security strategy, it is becoming increasingly vital that organisations ensure their employees understand how cybercriminals think and work.
Once employees are able to recognise the signs of a targeted lure (an unexpected request for money or credentials, a sender address that is almost but not quite right, a reply address that differs from the sender, an attachment that turns out to be a program) and know what to look out for, organisations are considerably better protected from these threats. Tightening privacy settings or limiting what information is put online may seem inconsequential, but with even the most seemingly insignificant pieces of intelligence being of use to an attacker, it certainly helps.
At the same time, although users can learn to be more vigilant, it only takes one person to unknowingly run a piece of malware for an entire organisation to be at risk. With more advanced, targeted attacks and new malicious code constantly being created, education cannot be the sole solution. Organisations need to combine it with a robust endpoint security strategy.
While many organisations believe that a good anti-virus product is sufficient protection, signature-based anti-virus can only block code it already recognises; it does nothing to stop a user who has been persuaded to run a freshly built binary that no vendor has seen yet. With such high financial and reputational repercussions of failed security, the most effective way to protect the corporate network is to adopt a layered approach.
In addition to anti-virus software, application control and reboot-to-restore methods are becoming increasingly justified. Application control lets administrators define which executables are allowed to run, so an unknown attachment is blocked by default rather than run until someone recognises it as malicious; reboot-to-restore returns the machine to a known-good image on restart, removing anything the malware wrote to disk. Neither is a complete answer on its own: an allowlist has to be maintained as software changes, and a restore does nothing to recover credentials or data taken before the reboot.
The growing trend of sharing personal information so publicly makes this the right time for organisations to reassess their current security practices. The importance of raising awareness should not be underestimated; it plays a significant part in minimising the risk of falling victim to an attack. However, when awareness fails, a layered security strategy that combines traditional blacklist tools with application control and robust reboot-to-restore methods offers the strongest available defence against today’s threats. No single product can guarantee that an attack will never succeed, which is exactly why the layers matter.
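The difference between the blacklist model and application control is easiest to see side by side. The following is an added example written for this article (not code from the page or from any vendor product) that evaluates both policies over a constructed set of files; the paths, file contents, "known bad" signature and "approved" hash are all made up.

```python
"""Blocklist versus allowlist execution policy over a constructed file set.

Added example for this article, not code from the page or any vendor product.
Paths, hashes and file contents are all made up.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Binary:
    """A file a user or process is about to execute."""
    path: str
    content: bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Assumption: directories only administrators can write to. Anything installed
# there was put there deliberately, so it may run; user-writable locations never
# qualify, including the writable corners of otherwise trusted trees.
ADMIN_ONLY_DIRS = [PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files")]
WRITABLE_EXCEPTIONS = [PureWindowsPath(r"C:\Windows\Temp")]

# Constructed "known good" inventory, as an allowlisting tool records at deployment.
APPROVED_TOOL = b"constructed contents of an approved line-of-business tool"
ALLOWED_HASHES = {hashlib.sha256(APPROVED_TOOL).hexdigest()}


def blocklist_allows(binary: Binary, known_bad: set[str]) -> bool:
    """Classic anti-virus model: run it unless its hash is already known bad."""
    return binary.sha256() not in known_bad


def allowlist_allows(binary: Binary) -> bool:
    """Application-control model: run it only if it is explicitly approved,
    either by hash or by living in an administrator-controlled directory."""
    if binary.sha256() in ALLOWED_HASHES:
        return True
    p = PureWindowsPath(binary.path)
    if any(p.is_relative_to(x) for x in WRITABLE_EXCEPTIONS):
        return False
    return any(p.is_relative_to(d) for d in ADMIN_ONLY_DIRS)


def scenario() -> dict[str, tuple[bool, bool]]:
    """Evaluate both policies over constructed files.

    Returns {label: (blocklist_allows, allowlist_allows)}.
    """
    # The lure from a spear-phishing attachment, saved where the mail client puts it.
    lure = Binary(r"C:\Users\alice\AppData\Local\Temp\Invoice_Q3.pdf.exe", b"MZ lure v1")
    # The attacker rebuilds the lure once the first sample reaches AV vendors; a
    # single byte differs, so its hash matches no signature.
    lure_v2 = Binary(r"C:\Users\alice\Downloads\Invoice_Q3.pdf.exe", b"MZ lure v2")
    # A dropper that hides in a user-writable folder under a trusted tree.
    lure_v3 = Binary(r"C:\Windows\Temp\update.exe", b"MZ lure v3")
    approved = Binary(r"C:\Tools\lob-tool.exe", APPROVED_TOOL)
    system = Binary(r"C:\Windows\System32\notepad.exe", b"constructed notepad bytes")

    known_bad = {lure.sha256()}  # a signature exists for v1 only
    return {
        "lure_v1": (blocklist_allows(lure, known_bad), allowlist_allows(lure)),
        "lure_v2": (blocklist_allows(lure_v2, known_bad), allowlist_allows(lure_v2)),
        "lure_in_windows_temp": (blocklist_allows(lure_v3, known_bad), allowlist_allows(lure_v3)),
        "approved_tool": (blocklist_allows(approved, known_bad), allowlist_allows(approved)),
        "system_binary": (blocklist_allows(system, known_bad), allowlist_allows(system)),
    }


if __name__ == "__main__":
    for label, (bl, al) in scenario().items():
        verdict = lambda ok: "run" if ok else "block"
        print(f"{label:22} blocklist={verdict(bl):5} allowlist={verdict(al)}")
```

The blocklist passes the rebuilt lure and the dropper in C:\Windows\Temp because no signature exists for them yet; the allowlist blocks all three lures because none is approved by hash or located in an administrator-controlled directory, while the approved tool and the system binary run under both. Real application-control products also trust code signatures from named publishers, but the default-deny principle shown here is what makes them effective against attachments nobody has seen before.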