Success stories

Our customers come in all shapes and sizes.

We work with organisations from all walks of life, with different ambitions and requirements. Explore how we’ve helped them reimagine the everyday and align technology with their culture and business goals.

The human firewall: 6 steps to design effective cybersecurity training

Do you want to strengthen your human firewall with cybersecurity training? This blog shares 6 steps you need to follow to design effective cybersecurity training.

The world of cybercrime: the gangs behind ransomware attacks

In the past five years, thousands of businesses have been targeted by a small group of ransomware gangs. Find out more about the world of cybercrime, and how to protect your business from ransomware attacks.

How cybercriminals use social engineering to target organisations

Cybercriminals are using social media as a reconnaissance tool to launch complex social engineering attacks. Learn more and how to protect your business and people in this blog post.

Hacking humans: How to protect against social engineering attacks

Social engineering attacks rely on human interaction to manipulate users into breaching security policies or giving away sensitive information. Protect your business against social engineering attacks, read on.

What is an attack vector? 10 common attack vectors to watch out for in 2021

There are many different ways a hacker can gain access to a network or system. In this blog post we’ve compiled a list of 10 common attack vectors to watch out for in 2021.

The biggest cyber security threat 2021

What is the biggest cyber security threat of 2021? As in 2020, phishing is still the go-to attack vector for cyber criminals: a tried and tested way to access your data.

5 lessons to be learned from 2020 cyber security breaches

Cyber criminals have prospered during the pandemic and, now more than ever, businesses need to up their security game. Our 5 key lessons from 2020 security attacks can help you set your priorities.

How much do you know about cyber security vulnerabilities?

How vulnerable are your organisation and people to cyber security threats? Take our cyber security vulnerability quiz to find out how aware your team is.

The human firewall: 6 steps to design effective cybersecurity training

The cybersecurity threat landscape is constantly evolving, and cyberattacks are becoming more common, with 4 in 10 businesses reporting cybersecurity breaches or attacks in the past 12 months.

There are many cybersecurity solutions available to strengthen a business’s security posture, including firewalls, endpoint protection and email security. However, for a business to safeguard itself from a potential attack it must also invest in the human firewall.

The human firewall is the last line of defence, and it is only effective if employees are given effective cybersecurity training. In this article we will discuss what cybersecurity training is, why it is important, and the 6 steps to design effective cybersecurity training.

Explore Phishing and Security Awareness as a Service to learn more about hands-free training for your end users >

What is cybersecurity training?

Cybersecurity training helps employees understand the cybersecurity threat landscape, how to identify security risks and the process of reporting potential cyberattacks or poor security practices. Effective cybersecurity training can decrease the chance of a business falling victim to a cyberattack, whilst developing a positive security culture within a business.

Why is it important?

All employees that have access to company data play an important role in safeguarding their business from potential cyberattacks. If an employee does not have sufficient cybersecurity training, they are more likely to make a mistake that could lead to a large-scale data breach or cybersecurity incident.

A data breach will hurt a business through potential fines, as well as a loss of reputation that can be difficult to recover from. Other common cybersecurity incidents, such as ransomware, can irreversibly damage a business, especially if it cannot afford to pay the ransom. With effective cybersecurity training, it is less likely that a business will fall victim to such an attack.

How to design effective cybersecurity training

1: Collect data to find weak points

For cybersecurity training to be effective, it is important to focus resources on the weak points within a business. This data may be collected from previous cybersecurity incidents within a business or any ‘near misses’. It is also important to consider the specific threats that your industry faces, and tailor training to address these threats. 

2: Decide the scope of the training

When designing cybersecurity training, businesses must cover enough information to give employees the tools required to identify potential attacks, without going into too much detail and confusing the audience. Some topics that should be covered include phishing attacks, social engineering attacks, password hygiene and how to work securely whilst hybrid working. It may be effective to run different levels of cybersecurity training for different job roles, as different roles have varying levels of access to data and associated risks.

3: Set clear achievable goals

To measure the success of cybersecurity training, set clear achievable goals. This may include a decrease in cybersecurity incidents or ‘near misses’. If you already run phishing simulation tests, the goal may be to improve the results of subsequent tests.

4: Implement engaging training

For training to be effective it should be interesting, engaging and relevant to the business and the employee’s role. This may include using real-world examples of previous attack attempts, or a real-time training simulation where employees must act as if there is an actual cyberattack. Using simulations and real-world examples will make it easier for employees to connect with the training and will highlight any areas of weakness.

5: Evaluate to optimise training

After training is complete, measure the effectiveness to see if you have achieved the goals set in step 3. If the goal was not reached, it is important to understand why, and what can be done in future training sessions to increase effectiveness. 

6: Make learning an ongoing process

Cybersecurity training should not be an annual task, as employees will often forget elements of the training, and new attack methods may arise which employees are not aware of. Instead, make learning an ongoing process, with refresher training or short, fun quizzes run often. Similarly, monitor your KPIs to ensure that employees maintain their focus on cybersecurity.

Cybersecurity training as a Service

There are several SaaS tools that can help you make cybersecurity training an ongoing process, ensuring that end users are kept up to date. These tools include regular phishing campaigns, on-demand training and security awareness content, and intelligent reporting that helps you identify weaknesses, whether company-wide or at user level.

If you would like to discuss your cybersecurity training requirements, we’d be happy to talk you through the options and help you identify the right approach for your organisation. Get in touch here >

The world of cybercrime: the gangs behind ransomware attacks

The most worrying and prevalent cyber threat businesses have faced in the past 5 years has been ransomware attacks. A recent report found that 37% of respondents had been hit with a ransomware attack in the past year. Unfortunately, these numbers are increasing year on year and, unless businesses have systems in place, they will likely fall victim to an attack at some point.

This massive rise in ransomware attacks has been attributed to several high-profile ransomware gangs that distribute the malicious software to a network of affiliates to extort money from their targets.

In this article we will delve into the world of cybercrime and explore the principal ransomware gangs, the future of cybercrime, and how businesses can avoid falling victim to a ransomware attack.

What is a ransomware attack?

Ransomware is a cyberattack that uses malware to encrypt a business’s data and hold the business to ransom, withholding the key needed to decrypt the data until the ransom is paid. While the data is encrypted, employees are unable to access files, databases, IT systems or applications. This malware is designed to spread throughout a system, encrypting every file on a business’s network, often causing significant downtime. These attacks generally use a phishing email to initiate the exploit and malware infection.

Hot off the press! Get our latest whitepaper on hybrid working and cyber security here >

The most prevalent ransomware gangs

The three most prevalent ransomware gangs are REvil, Conti and DarkSide. REvil is a ransomware-as-a-service operation: it developed a ransomware toolkit and recruits affiliates to launch attacks on its behalf, taking a cut of the profits. This year they have been responsible for 13.5% of all attacks, including an attack on a company in Apple’s supply chain, Quanta. REvil stated that in 2020 they profited over $100 million from their ransomware attacks.

In 2021, Conti was responsible for 13.5% of all ransomware attacks. This gang has been operational since 2018 and in that time has been ruthless in its attacks, including attacks on the education sector and the Irish healthcare system. The average Conti ransom payment is currently over $400,000 and incidents typically last over 15 days.

The third most prevalent ransomware gang is DarkSide. It is a relatively new group, but it has swiftly risen in notoriety, being responsible for 11.5% of all ransomware attacks in 2021. What sets DarkSide apart from other ransomware gangs is its reputation for operating ‘ethically’; the group once vowed never to target any public infrastructure. However, DarkSide was infamously responsible for the Colonial Pipeline attack earlier this year, so it is not as ethical as it claims. The group is more professional than other ransomware gangs, and even has a customer service division to ensure its victims’ systems are restored correctly.

The future of cybercrime

As ransomware continues to be a lucrative industry for cybercriminals, it is likely that these attacks will only become more prevalent. In the past year, more ransomware gangs have been working together to share tactics and ransomware toolkits. Some gangs are even working together to infect targets at the same time, in an attempt to receive two payouts on the ransom.

A worrying trend of the past year is that ransomware gangs are not just targeting large enterprises and multinationals. SMEs are also a target. Although the ransom values may be less for a smaller business, these organisations are less likely to have comprehensive security, making them an easy target.

How to protect your business from ransomware attacks

To protect your business from a ransomware attack, the three primary concerns to address are update and patch management, email security and the implementation of a disaster recovery plan.

Most ransomware attacks work by exploiting vulnerabilities within software. Keeping all devices, software and antivirus protection up to date significantly reduces the chance of falling victim to an attack. Whenever an update is available, all employees should apply it immediately, and there should be systems in place to ensure that employees do not postpone updates and patches for longer than necessary.

As most ransomware attacks start with a phishing email, emphasis should be placed on email security. Employees should have phishing awareness training to be able to spot a potential phishing attempt and be aware that they should not open an email or click on an attachment from an unknown sender. However, this should not be the only line of email defence. Solutions such as Mimecast Email Security can quarantine any potential phishing email, ensuring that it does not land in an employee’s inbox.

If a business does fall victim to a ransomware attack, it is important to have recent backups and a comprehensive disaster recovery plan in place. Although this does not stop the attack, it greatly reduces the amount of downtime after an attack. You can also avoid paying out a costly ransom if you are happy to revert to the most recent backup.

The past 5 years have shown that all businesses are at risk of a ransomware attack, regardless of size or industry. If your business doesn’t have security measures in place, now is the time to strengthen your security posture before the inevitable happens. If you want to find out more on how to keep your business safe from an attack, get in touch today.

How cybercriminals use social engineering to target organisations

For cybercriminals, often the easiest and most effective way of targeting a business is to use social engineering methods to manipulate users into breaching security policies or giving away sensitive information. For a social engineering attack to work, the most important stage is the cybercriminal’s research of the target organisation and its employees. This research stage is made simple due to the prolific nature of social media. In this article we will discuss how cybercriminals use social media and social engineering to target organisations, and what you can do to avoid a cyberattack.

3 steps to a successful social engineering attack

Step 1: Identify a target organisation

In the past, the prime targets for cyberattacks were large organisations as the payoff from a data breach or ransomware attack would be greater than that of a smaller business. However, now all businesses are at risk of a cyberattack. For a cybercriminal, often targeting smaller businesses is more profitable as they typically have a weaker security posture, whilst still having access to a significant amount of customer data. Once a cybercriminal has decided on a target organisation, they will then begin to research the employees to formulate an attack.

Step 2: Research employees

LinkedIn is the first port of call for researching employees in a target organisation. From an employee’s name, an attacker can also find their Facebook, Instagram and Twitter accounts. These social networking platforms give details about hobbies, family members and even locations employees frequent, through geo-tagged posts.

Having this wealth of information makes it easier to deceive the victim and potentially gives answers to password recovery questions, such as ‘What is your mother’s maiden name?’. Similarly, information about hobbies could be used to trigger a phishing attack. For example, if the victim is a keen cyclist, the attacker could send them a link or attachment purporting to be something cycling related. Unless the victim has strong privacy settings on their social media accounts, all this information can be accessed without the victim’s knowledge, as they do not need to be followed or added as a friend.

Step 3: Launch attack

With this information there are many attack vectors that may be effective for a cybercriminal to gain access to a secure business network, or to infect a business with ransomware. One method may be to target the employee’s personal email address with a spear phishing email relating to one of their hobbies or shops they frequent, containing a malicious link to reset their password on an online account. If the victim resets their password by using their previous password, and that password is the same as their work account password, this gives the hacker access to their work account. From here it is simple to launch a ransomware attack or access customer data.

Another method cybercriminals may use is a direct phishing attack on the victim’s work email. Using the prior research, a cybercriminal may pose as one of the business’s vendors or customers in order to persuade the victim to click a malicious link, giving the hacker access to a network or work account. Once they have access to a work account, the hacker can use the social media research to easily launch another spear phishing attack from the victim’s email, targeting someone in the organisation with greater access to customer data.

How social engineering impacts business

Both a ransomware attack and a data breach can be devastating for a business. A data breach has the short-term consequences of potential fines and fees, along with the potential cost of a forensic investigation. More worrying is the long-term consequence of eroding customer trust and a loss of reputation, which can be difficult to recover from.

A ransomware attack may be extremely costly if the ransom is paid out to decrypt the data. Sometimes it is possible to decrypt the data without paying the ransom, however this often leads to significant downtime and the potential to lose data.

How to avoid a cyberattack

There are three key takeaways for businesses trying to avoid an attack. 

  1. Employees should be conscious about what information is being shared on social media. This is not to say that individuals should not post on social networking platforms, but they should restrict their privacy settings so only trusted friends and colleagues can view their information and posts. 
  2. Businesses should educate employees on how to spot phishing emails and general cybersecurity awareness. This education and awareness may stop a cyberattack before it is too late.
  3. Businesses should consider investing in a comprehensive cybersecurity solution that decreases the chance of a ransomware attack or data breach. 

If you want to find out more about how you can keep your business safe, get in contact with us today.

Hacking humans: How to protect against social engineering attacks

When considering the cyber attack methods a cybercriminal may use to gain access to a network or a business’s IT system, the most obvious are cracking passwords, hacking computers or exploiting software vulnerabilities. However, one of the most dangerous methods is often not given enough attention: social engineering attacks.

What is social engineering?

Social engineering attacks rely on human interaction to manipulate users into breaching security policies or giving away sensitive information. These attacks are often highly effective as it is easier to find vulnerabilities in people than it is to find vulnerabilities in software or networks.

The first stage of many social engineering attacks is for the cybercriminal to perform research on the target employee or business. Through this research they formulate an attack by engaging and deceiving the victim to gain malicious access to a network or system. 

Common social engineering attacks

Phishing

Phishing is the most common social engineering attack, and one of the most common attack vectors in general. A phishing attack is where an attacker sends a fraudulent email disguised as being from a trusted source, with the goal of tricking the victim into clicking a malicious link or downloading a malicious file.

Some phishing attempts may be sent out in bulk and be easily spotted through poor spelling and punctuation or if it is sent from an unknown email address. However, threat actors may do significant research before crafting a phishing email to tailor it to the victim. This may include making it look like the email is from a vendor or customer, or including information highly relevant to the target in order to gain their trust, making it more likely for them to open a link or download a file. 

Hackers can also spoof the email address to make it seem as though the email is sent from a trusted sender.

To protect your humans, your employees, from phishing attacks, consider instigating phishing and security awareness programmes to educate and train your user community to spot potential attacks.
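The technical side of catching a spoofed sender, as an added example that is not code from this article or from any vendor mentioned in it: the function below reads the Authentication-Results header that a receiving mail server adds (SPF, DKIM and DMARC verdicts) and checks whether the visible From: domain is aligned with the Return-Path and DKIM signing domains, which is the core check an email security gateway performs before delivery. The sample message, its header layout and the domains are constructed for illustration.

```python
"""Flag sender-spoofing indicators in a received email's headers.

Added example, not the article's or any vendor's code. The message below is
constructed: its visible From: claims the company's own domain while the
envelope sender and DKIM signature belong to an unrelated domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_RAW = """\
Return-Path: <bounce@mailer-example.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-example.invalid; dkim=pass header.d=mailer-example.invalid; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Your password expires today
Content-Type: text/plain

Please reset your password at the link below.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an email address, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def parse_auth_results(header: str) -> dict:
    """Extract method verdicts from an Authentication-Results header.

    Returns e.g. {"spf": {"result": "pass", "smtp.mailfrom": "..."}, ...}.
    """
    results = {}
    # Everything before the first ';' is the authserv-id, not a verdict.
    body = header.split(";", 1)[1] if ";" in header else header
    for clause in body.split(";"):
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", clause.strip(), re.I)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = {"result": result, **props}
    return results


def spoofing_indicators(raw_message: str) -> list:
    """Return reasons the message looks spoofed (empty list if none found)."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    # No verdicts at all means nothing upstream vouched for the sender.
    if not auth:
        reasons.append("no Authentication-Results header; sender unverified")
    # DMARC is the verdict that actually covers the visible From: domain.
    if auth.get("dmarc", {}).get("result") == "fail":
        reasons.append(f"DMARC failed for From domain {from_domain}")
    # SPF passing for the envelope sender says nothing about From: unless aligned.
    if return_path_domain and from_domain and return_path_domain != from_domain:
        reasons.append(
            f"Return-Path domain {return_path_domain} does not match From domain {from_domain}"
        )
    # A valid DKIM signature only vouches for the domain that signed it.
    dkim = auth.get("dkim", {})
    dkim_domain = dkim.get("header.d", "").lower()
    if dkim.get("result") == "pass" and dkim_domain and dkim_domain != from_domain:
        reasons.append(f"DKIM signed by {dkim_domain}, not by From domain {from_domain}")
    return reasons


if __name__ == "__main__":
    for reason in spoofing_indicators(SAMPLE_RAW):
        print("flag:", reason)
```

A message that passes DMARC with aligned Return-Path and DKIM domains returns an empty list, which is the only case a gateway should treat as a verified sender.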

Baiting

Baiting is the process of luring a victim into a trap that compromises a company’s network or a user’s personal information. A common baiting attack method is to leave a USB drive in a business or its car park. The USB drive may have a label on it with text that will pique the interest of a potential victim, such as ‘private’ or ‘important’. Once the USB drive is connected to a computer it will run malicious code and the hacker will gain access to the network or IT systems.

Pretexting

Pretexting is a method of social engineering attack whereby the attacker attempts to convince the victim to share valuable information or login credentials to a network or system. The attacker assumes a false identity, often a position of authority, in order to fool the victim. An example of this may be an email impersonating a CEO or business executive asking for login credentials for a system as they have ‘forgotten theirs’. This method of social engineering can be similar to phishing; however, the focus is on creating a false narrative to obtain the information.

Watering hole

A watering hole attack is a social engineering method whereby the attacker identifies a website that is frequented by a target user or organisation and compromises the website with malware in order to infect the target. This is also a method of supply chain compromise as it uses the prior research to compromise a third party to breach the actual target.

How to protect against social engineering attacks

As social engineering attacks are focused on human interaction, the best method of preventing them is through education of employees and a strong security culture within an organisation. For phishing, baiting and pretexting, employees should be aware of the risk of an attack and methods that cybercriminals are using as this will make it more likely for an employee to notice and report an attempted attack before it is too late.

It can be difficult for a business to protect itself against watering hole attacks, as it is a third-party website that is infected. However, if a business keeps its software and operating systems up to date it greatly decreases the chance of the malware compromising a system. For phishing and pretext attacks it is also best practice to have protection in place that will flag phishing emails, email spoofing and malicious links before they even arrive in an employee’s inbox. Mimecast uses AI to do this and can run internal phishing tests to ensure employees notice and report phishing attempts, which can further strengthen an organisation’s security culture.

If you want to find out more on how to protect your business against social engineering attacks, get in contact with us or explore our cyber security updates here >


What is an attack vector? 10 common attack vectors to watch out for in 2021

Cyber security incidents are becoming more frequent and the consequences more severe. In order to safeguard your business from an attack, you must first understand the tools and methods cyber criminals use to orchestrate these attacks. One of the key concepts to understand is what an attack vector is and what the most common attack vectors are.

What is an attack vector?

An attack vector is the way a cyber criminal gains unauthorised access to a network or computer to carry out malicious activities. Once a hacker uses an attack vector to enter a network or computer, they can then access confidential information about a business or individuals, or infect the system with malicious programmes.

Book a free cyber security health check to get better visibility over your organisation’s vulnerabilities and risk profile >

The cyber security threat landscape is ever changing, so we’ve created a list of the 10 most common attack vectors to watch out for in 2021.

1: Phishing

Phishing is the most common attack vector and has been for many years. Phishing is where a cybercriminal contacts a target by email, telephone or SMS, posing as a legitimate individual or business, to deceive the victim into clicking a malicious link or providing sensitive information, such as passwords or payment card information.

In the video below, Gary Duke discusses phishing attacks in more detail:

2: Lack of encryption

Whenever sensitive data is transferred it should be encrypted, to ensure that even if it is intercepted it cannot be read without the encryption key. Many businesses still use unencrypted FTP sessions to transfer data, meaning that if a hacker intercepts the data, it is in plain text. It should also be noted that not all encryption is created equal. Weak encryption is still safer than no encryption at all; however, strong SSL/TLS encryption is favoured as it is significantly more difficult to obtain the encryption key.

3: Compromised or weak credentials

Compromised credentials are when a cyber criminal gains access to a network or system by obtaining a user’s credentials, such as a username and password. These credentials are often obtained through a phishing attack or poor password hygiene. Similarly, weak credentials, such as a common password, allow cyber criminals easy access to a supposedly secure network.

4: Malicious insiders

When considering potential attack vectors, one that is often ignored is that of malicious insiders. These are individuals who are current or former employees that have legitimate access to company data and use this access to carry out malicious activities. This threat can be difficult to detect as employees need access to networks and data to do their jobs, however there are policies that can be put in place to reduce this risk. 

5: Distributed Denial of Service

Distributed Denial of Service, or DDoS, is a malicious attack where a cybercriminal overwhelms a target server, service or network with internet traffic to disrupt normal traffic. The goal of these attacks may be to stop legitimate traffic from visiting a site, or to overwhelm network equipment, such as firewalls, in order to launch another cyberattack.

6: Misconfiguration 

Misconfiguration is when a system is not configured correctly. For example, leaving the default username and password when configuring a device or in a setup page. This also includes not updating software when there are security patches and leaving unused features on a device enabled. This is particularly common with networking devices and database setups.

Many data breaches are because of poor configuration of a network, such as putting a CRM or HR server internet facing. Gary Duke explains why this happens in the video below:

7: Malware

Malware is one of the oldest forms of attack vector, first originating in the 1980s. Malware is any software that is intentionally designed to cause damage to a computer, server, or network. This includes viruses, ransomware and trojan horses. Malware is often distributed through malicious emails, websites and advertising.

8: Malvertising

Malvertising is a relatively new method of spreading malware, including ransomware. This attack vector is where a cyber criminal pays for legitimate advertising space on search engines and social networking platforms, but the website being advertised contains malware that, when downloaded, will infect the victim’s computer or network.

9: Brute force

A brute force attack is when a cyber criminal finds the correct login credentials for a secure device, account or network by submitting many passwords until they find the correct one. A hacker uses a programme to do this, which can submit thousands of login attempts per second. This attack vector is easy to negate with long, complex passwords that utilise numbers and special characters.
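The detection side of this vector, as an added example that is not code from the article: thousands of guesses per second leave a very distinctive trace in authentication logs, and the function below applies a sliding-window count of failed logins per source address, which is the logic behind account lockout and SIEM alerting. The log lines are constructed in a simplified sshd-style format assumed for this example, and the threshold and window are assumed defaults.

```python
"""Flag brute-force login activity in authentication logs.

Added example, not the article's code. The sample log is constructed: one
source hammers several accounts within seconds and then logs in, while a
second source is a user who mistypes once and succeeds on the second try.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-06-01T09:00:00 host sshd: Failed password for alice from 203.0.113.7
2021-06-01T09:00:00 host sshd: Failed password for admin from 203.0.113.7
2021-06-01T09:00:01 host sshd: Failed password for root from 203.0.113.7
2021-06-01T09:00:01 host sshd: Failed password for bob from 203.0.113.7
2021-06-01T09:00:02 host sshd: Failed password for bob from 198.51.100.20
2021-06-01T09:00:02 host sshd: Failed password for carol from 203.0.113.7
2021-06-01T09:00:03 host sshd: Accepted password for carol from 203.0.113.7
2021-06-01T09:00:09 host sshd: Accepted password for bob from 198.51.100.20
"""

# Assumed simplified line format: "<iso-timestamp> <host> sshd: <outcome> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]


def detect_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return alerts for sources whose failed logins reach `threshold` within `window_seconds`.

    A later successful login from an already-flagged source is reported too,
    because that is the moment a guessed password may have worked.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users_hit = defaultdict(set)    # src -> distinct accounts tried from that source
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                # ignore lines in other formats
        ts, outcome, user, src = parsed
        if outcome == "Failed":
            q = failures[src]
            q.append(ts)
            users_hit[src].add(user)
            # Slide the window: forget failures older than window_seconds.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(q), "accounts": sorted(users_hit[src])})
        elif src in flagged:        # an Accepted login from a flagged source
            alerts.append({"type": "success_after_brute_force", "src": src, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Lockout or rate limiting on the authenticating system stops the guessing itself; this kind of log-based detection is what tells you it was attempted and whether it eventually succeeded.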

10: Man-in-the-middle

A man-in-the-middle attack may include intercepting messages and emails between individuals that include sensitive data, or intercepting login credentials between a user and an IT system. There are many different methods that can be used to carry out a man-in-the-middle attack, however most of these can be avoided with firewalls, encryption, multi-factor authentication and a strong security culture within an organisation. 

These are the ten most common attack vectors. Some basic knowledge of each can help you identify attack attempts before they become a cyber security incident. However, for each of these 10 attack vectors there are multiple methods of execution, and each year they become more advanced. It can be difficult to stay up to date with each new method and best practice for avoiding an attack, so if you need help deploying a comprehensive cyber security solution to keep your organisation and data safe, let our cyber security services team know! 

The biggest cyber security threat 2021

The biggest cyber security threat we see in 2021 is phishing. In the last year phishing attacks have increased by 600% in part because of remote working, but also because they are a highly successful vector for cyber criminals.

In this video interview, Gary Duke, shares why this is and how you can protect your organisation from this cyber security threat.

Learn more about Phishing & Security Awareness as a Service here >

5 lessons to be learned from 2020 cyber security breaches

It’s an undoubted fact that the global pandemic of 2020/21 will leave businesses operating in a vastly different landscape to just twelve months ago, with many making considerable alterations to the way in which they function. One such adjustment will be the urgent need for greater vigilance when it comes to cyber threats; something that affects businesses and organisations both large and small.

Quick to capitalise on the disruption caused by remote working and compromised security away from office machines, cyber criminals ‘prospered’ in 2020. According to stats disclosed by it.pro.co.uk, there was a massive 20% rise in cyber security threats compared to 2019, with ransomware attacks alone surging by 80% in the UK in the third quarter of the year.

Throughout 2020, attacks in the UK (and around the world) hit the headlines. Most recently on reuters.com, the SolarWinds hack was hailed by Microsoft President Brad Smith as “the largest and most sophisticated attack the world has ever seen”. But in every other month of the year, a well-known UK business or organisation reported an incident, including an HMRC phishing message to the self-employed in June; a TV Licence text scam in August; an M&S spoof ad in October used to harvest personal information; and a hack at Manchester United in November. These were just the tip of the iceberg.

5 reasons why cyber security awareness is key

So, what key lessons can be learned from these attacks in 2020? How can you make your business safer in the new environment ahead?


1. Phishing and spam are more sophisticated than ever before

Anyone can be taken in by a polished scam, and phishing is evolving with plenty of new twists. Expected to remain a significant threat in 2021, the danger is being refined quickly. Watch out for ‘spear-phishing’ (where individual victims are researched first and then contacted directly); ‘vishing’ (voice phishing, where a voice message purporting to be from your bank or another service provider informs you that your account has been compromised); ‘smishing’ (the same as above, but done via SMS text messages); and ‘angler phishing’ (where the criminal uses social media feeds to discover companies with a poor customer service experience and then poses as a member of the support team in a direct message to targets).

2. Simulating an attack can expose vulnerabilities before it’s too late

The SolarWinds attack shows how clever a ransomware attack can be, and they are – or should be – a great concern for companies and organisations of all sizes. One of the best ways to understand your own vulnerabilities is to simulate a ransomware attack on your own system, discover where your weaknesses are, measure the ability of your business to detect and respond to the breach, and then fix the problems. One key learning to remember: according to techtarget.com, one of the most overlooked vectors of attack is wireless guest networks.

3. It’s important to test the integrity of the software you use

Be more rigorous in how you test the software you have on your network. Don’t simply accept a vendor’s third-party validation or an automated code review. Manual reviews are much more robust, allowing for proper interrogation of code and updates, and are much more likely to detect a vulnerability and limit potential damage.

4. Staff awareness of threats and risk could prevent most attacks

This sounds like common sense but is so often overlooked. At every step of the way, the most efficient method of limiting the damage from cyber threats to your company is to keep yourself and your staff trained on the risks.

5. Don’t just check everything once – it’s a continual process

Again, this part is important but frequently shelved when people are busy. Build it into your IT calendar and make it a priority.

Phishing & Security Awareness as a Service

Phishing & security awareness tools are designed to tackle the problem of users being the weakest link in your IT security.

Yet many organisations struggle to get the most from these resources. No matter how many training videos and security awareness tools you have at your disposal, to be effective you need to run awareness campaigns regularly and achieve high levels of employee engagement. This is usually a manual process and can be a drain on resources.

That’s why we have created a service that manages this workload for you.

Cloud Business’ Phishing & Security Awareness as a Service boosts security with regular phishing awareness campaigns run on your behalf.

  • Fully managed service – A managed service offering a minimum of 6 phishing/training campaigns per year.
  • Train your users – Access the world’s largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters.
  • Phish your users – Improve awareness by running extra simulated phishing attacks whenever you want.
  • See the results – Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

If you’d like to find out more about this service, please get in touch with our team.


How much do you know about cyber security vulnerabilities?

Is your business at risk from cyber attack because employees aren’t aware of security risks? Find out by asking them to take this quiz! If they score poorly, it’s time to put in place some robust cyber security policies, raise awareness of the risks, and provide training and support so that your staff are not a cyber risk.

Cyber Security Vulnerability Quiz

Answer the questions below, then scroll down to find the answers and learn more about keeping your organisation safe from cyber attack.

Q1. Which of the following passwords is most secure, according to IT experts?

a. F00tBall1!

b. football

c. 123456

Q2. Which type of cyber-attack is commonly performed through emails?

a. Trojans

b. Phishing

c. Ransomware

Q3. If you receive an email containing an attachment from a sender you don’t recognise, should you:

a. Open it

b. Delete the email

c. Alert the IT security team

Q4. What kind of cybersecurity risks can be minimized by using a Virtual Private Network (VPN)?

a. Key-logging

b. Use of insecure Wi-Fi networks

c. De-anonymisation by network operators

Q5. Whilst online, you notice a new pop-up window which tells you that a virus has been found on your computer and is harmful. The window provides a button to click, which will allow you to start rectifying the issue. The best thing you can do now is:

a. Hit the back button and see if the pop-up window disappears

b. Hover your cursor over the button and take a look at the URL shown. If the address looks legitimate to you, click on it. If it looks like a scam link, close the window immediately

c. Immediately close down both the browser window and the pop-up window

Q6. When it comes to backing-up your computer, how often should you be doing this, ideally?

a. Whenever you upload new photos, files or create important documents which you don’t want to risk losing

b. Only when you think there might be an imminent problem in retrieving files in future

c. Once a week

Q7. Which of the following could help protect your computer against malware and viruses?

a. Only downloading software from trusted sources

b. Ensuring that, via your IT Team, a credible antivirus program and a two-way firewall is installed

c. Ensuring you always update your computer with system updates when prompted

Q8. What does ‘social engineering’ mean in a security context?

a. A form of social deception driven by gathering information, fraud or accessing systems

b. Particular systems built in a certain way, so that society finds them easier to use

c. Where somebody takes advantage of social media channels in order to steal personal data

Q9. When you’re using public networks, what’s the best way to protect any communications made from your mobile device?

a. Use your browser’s ‘private browsing’ function

b. Turn off your mobile device’s file sharing ability

c. Use a Virtual Private Network or VPN

Q10. Over the last few years, there’s been an emerging IT security threat, and it can happen anywhere in the world. Cyber criminals are able to lock down a user’s computer through the use of malware, and then demand money from the user in order for access to be restored.

What is this emerging threat called?

a. Botnet

b. CryptoLocker

c. Ransomware


How did you do? Here are the answers to our cyber security quiz:

Q1. Answer – a. ‘F00tBall1!’

According to 2017 stats published by SplashData, ‘123456’ is the most commonly used user password, with ‘football’ ranking 9th.

Answer ‘a’, ‘F00tBall1!’, however, embodies some best-practice tips – including the use of at least one special character, a mixture of numerical characters, uppercase and lowercase letters, and a length of at least 8 characters. Therefore, this is the most secure password you could have chosen out of the three options. (Ideally, though, your password won’t be based on any existing dictionary word!)

Q2. Answer – b. ‘Phishing’

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details (and money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.

Q3. Answer – c. ‘Alert the IT security team’

You should never open an attachment from an unknown source, and you should also be wary of any attachments sent by trusted sources if you’re not expecting them (their email accounts may have been compromised). If you think it’s a phishing email or is simply not of interest to you, just delete it. But if you think the information may be important and you’re not 100% certain of the source, let your IT support team know.

Q4. Answer – b. ‘Use of insecure Wi-Fi networks’

A Virtual Private Network (VPN) allows users to create an encrypted connection between their devices and the internet, making it much harder for anyone other than the user to see their activity.

Q5. Answer – c. ‘Close the browser window and pop-up window’

It’s the type of situation where it’s best to take no chances. It could be that the website you were on has been hacked without the business’s knowledge – or, it’s a fake site which has been built with the sole purpose of defrauding people. If you think it may be the former, get in contact with the business in question to make them aware of what’s happened – they might not know that their site has been compromised.

Q6. Answer – a. ‘Whenever you upload or create new and important files’

It depends on how often you create new files and documents, upload pictures and so on, but if you’re doing this kind of thing frequently, you ought to back up your system on a regular basis to prevent loss, and so that you can revert to an original file if it ever gets corrupted. A good frequency to follow for most people is once a week.

Q7. Answer – a, b and c!

A trick question! The answer here is all three. These steps should be taken together as ‘bare minimum’ measures to protect your hardware from hacking attempts, malware, data loss and viruses.

Q8. Answer – a. ‘A form of social deception’

Social engineering is a complex form of social deception which takes advantage of vulnerable people in order to manipulate them, with the main aim of defrauding them. An example might be where someone is fooled into revealing their password for something.

Q9. Answer – c. ‘Use a Virtual Private Network or VPN’

Whilst it would be partially correct to have picked ‘turning off your device’s file sharing ability’ as an answer, it would not ultimately prevent the risks from the public network. However, using a VPN would be a solution – think of it as a secure, private ‘tunnel’ built over a public network. It guarantees end-to-end communication security.

Q10. Answer – c. ‘Ransomware’

Answer b, ‘CryptoLocker’, is actually an example of ransomware. In a nutshell, ransomware is a type of malicious software (malware) used by attackers to restrict access to computer systems or data. Today, a large proportion of phishing emails link to ransomware.

If you didn’t score as well as expected, speak to your IT team or information security officer about some additional training or support. If you head up your IT department and would like us to help you protect your systems and data with awareness-raising exercises and training, please get in touch.

Cloud Business Limited
5 Elmwood
Chineham Business Park
Basingstoke
RG24 8WG

2023 © Cloud Business Limited
Registered Company in England and Wales 06798438