It’s time to get serious about end user security. According to Symantec’s 2016 Internet Security Threat Report, spear-phishing campaigns targeting employees increased 55 percent in 2015. Of those attacks, 43% were aimed at companies with fewer than 250 employees. Ransomware increased by 35% and expanded to target any network-connected device, including smartphones and tablets. Cross-over attacks are also on the rise. What does all this mean? If you’re not training your team to identify and avoid these attacks, it’s no longer a matter of if you’ll get hit; it’s merely a matter of when.
End User Security
An end user is basically anyone who uses a computer, whether a desktop, laptop, tablet, or smartphone. If they have access to run any apps on any level, they are an end user. So, from a broad perspective, end user security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. In other words, it is the set of behaviors necessary to keep the device itself and all the information it can access safe.
Any good security plan will involve layers. Just like links in a chain, each of these layers plays an important role individually, but they also work together to strengthen the overall protection of the organization. Most companies do a pretty good job with this. Firewalls, VPN encryption, patch updates, antivirus and antimalware software are all commonly used by companies that take protecting their data seriously. Unfortunately, this isn’t enough. Many of today’s greatest threats to corporate security bypass technology solutions and go straight to the weakest link in the security chain: the end user.
Social engineering is an attack vector that exploits the one weakness found in each and every organization: human psychology. Using a variety of media, including email, phone calls and social media, these attacks trick people into breaking normal security procedures by invoking fear, urgency, or similar emotions. There are many types of social engineering; perhaps you’re familiar with some of them.
Phishing – the activity of defrauding an online account holder of information such as login credentials or account information by posing as a legitimate entity. Typically these emails will encourage the recipient to click a link within the email, perhaps to “track a package” or “view the invoice.” Most people know not to click links such as these nowadays, but how about hitting an “unsubscribe” link at the bottom of a newsletter or sale announcement? Always update your preferences from within your account settings instead.
Spear Phishing – an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC. Hackers are incredibly innovative. Just like the telemarketers can manipulate the caller ID display, a good hacker can make any email look as if it’s coming from your boss!
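The two tricks described above, a familiar display name on an unfamiliar address and link text that doesn’t match where the link actually goes, can both be caught mechanically before a message reaches an inbox. The script below is an added example, not part of the original article, showing how a mail gateway or a training exercise could flag them. The contact directory (KNOWN_CONTACTS) and the sample message are constructed for illustration; only the standard library is used.

```python
"""Heuristic checks for spoofed sender display names and misleading links."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory: display name -> the domain that person really mails from.
# In practice this would come from the address book or directory service (assumption).
KNOWN_CONTACTS = {"Jane Doe": "example-corp.test"}

# Constructed sample message in the style of the "your account was compromised" lure.
SAMPLE = """\
From: Jane Doe <jane.doe@mail-notice.test>
To: staff@example-corp.test
Subject: Please confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Click <a href="http://login.mail-notice.test/reset">here</a>
or <a href="http://tracking.mail-notice.test/u">www.example-corp.test/unsubscribe</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm_host(host):
    """Lower-case a hostname and drop a leading 'www.' so www.x.test == x.test."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_sender(from_header):
    """Flag a From: header whose display name belongs to a known contact
    but whose address sits on a different domain (display-name spoofing)."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        return [f"sender '{name}' is expected at {expected} but address is {addr}"]
    return []


def check_links(html_body):
    """Flag links whose visible text looks like a hostname or URL
    that differs from the host the href actually points to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = _norm_host(urlparse(href).hostname)
        # Treat bare text like "www.example.test/x" as a URL so its host can be parsed.
        text_url = text if "://" in text else "http://" + text
        text_host = _norm_host(urlparse(text_url).hostname)
        if "." in text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
    return findings


def analyze(raw_message):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg["From"])
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FLAG:", finding)
```

Run against the sample, the script reports both the spoofed “Jane Doe” address and the “unsubscribe” link whose text names the company’s own domain while the href points elsewhere. The plain “here” link is not flagged, since its text makes no claim about the destination; that is exactly why hovering over links before clicking is still worth teaching.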
Smishing – SMS is the acronym for Short Message Service, but we more commonly refer to it as texting. Smishing is a security attack in which the user is tricked into downloading malicious software to his or her mobile device. Smishing is short for “SMS phishing.”
Vishing – Remember when we used to call Microsoft Office a program on our computer? Now we call it an app. Same thing here. What used to be called a phone scam is now referred to as vishing (voice phishing). It is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.
The list goes on and on. Pharming: directing Internet visitors to bogus sites that look just like the legitimate ones. Whaling: targeting a senior executive. Sometimes the scams are so complex they combine multiple forms of media. One highly successful social engineering scheme circulating last year involved an email masquerading as a notice from the bank. Bad news: your account was compromised. Luckily, they’ve locked things down for you, but please call the designated security resolution line right away to confirm recent activity and/or reset your password. Unfortunately, even though the helpful operator on the other end identified herself with your bank’s name, she doesn’t work there; she’s just another player in this elaborate scheme.
Creating a Human Firewall
The only defense against social engineering is a well-trained staff. Are you talking to your team about their role in your organization’s security? It’s a good start, but simply bringing their attention to the fact that these types of scams are happening might not be enough. Do you have a clear Acceptable Use Policy (AUP), and are the consequences of non-compliance outlined and (more importantly) enforced? How about training? The best training happens when you make things real. Have you given them live demonstrations and tested their ability to recognize and avoid cyber attacks? In a world where one accidental click now has the potential to put the entire company at risk, we just can’t say it enough: It’s time to get serious about end user security.
Ready to Get Serious?
If you’re struggling with where to start the conversation with your team, need help developing an Acceptable Use Policy, or just want to set up some mock-phishing attacks to test your team, let us know. We’ve got some great training resources available. Call us at 616.776.0400.