Often it is only one bad decision that leads to a cyber-security attack. While training standards have improved in recent years and increased cyber-security literacy, phishing remains a primary risk factor for initial intrusions.
A business which conducts comprehensive phishing training faces a counter-intuitive risk: if a person who has received training recognises that they have fallen for a fraudulent e-mail, they may be too embarrassed or afraid of disciplinary action to bring it to the attention of the security team. This prevents the security team from taking counter-measures which could limit any potential damage.
Alongside training programs and robust security monitoring tools, it has become essential that staff and contractors can speak up comfortably when they have found a security issue, or when they have fallen victim to an exploit.
Humans are the weakest link in the security chain
For many businesses, the weakest link in their security is not their technology, but their people.
There are many times in the operations of a business where human behaviour plays a fundamental role in its security performance. Recognising phishing e-mails, following security protocol, and performing code reviews are some examples of critical moments where security incidents take place.
An example: how phishing exploits work
Phishing is a type of social engineering attack in which an attacker attempts to trick a user into giving them sensitive information, such as login credentials or financial data.
The attacker will usually send an email that appears to be from a trusted source, such as a company or service provider, and contains a fraudulent attachment or a link that takes the user to a fake website. Once on the fake website, the user is asked to enter their login credentials or other sensitive information.
If the user falls for the scam and enters their information, it will be sent to the attacker who can then use it to gain access to the victim’s account.
How can businesses limit their exposure to human error?
Ensuring staff feel comfortable speaking up is one of the most important ways you can ensure that you hear about cyber-security incidents before they develop.
The benefits of internal reporting platforms which enable anonymous and secure communication are two-fold with respect to a company’s security posture. They signal to your staff that you value their input and concerns, and they shield them from any fallout that might prevent them from sharing sensitive information.