As we approach the end of 2021, we can safely say ransomware has dominated the virtual airwaves. It is a very visible thorn in the digital ecosystem and during the pandemic, the world saw unprecedented levels of this type of attack.
From the assaults on various water supply companies and oil and gas providers, to criminals bringing the health service in Ireland to a standstill, there have been some extremely high-profile ransomware attacks and this is just the tip of an extremely large iceberg as there are many that have flown under the radar.
What’s clear is that businesses of any size are potential targets for indiscriminate cybercriminals who use social engineering and phishing to target the workforce and breach organisations. Research shows that in 2020 alone, $18 billion was paid globally in ransom and total costs ran to hundreds of billions of dollars, while other studies estimate that ransomware will cost $20 billion in 2021, with damages forecast to grow to $256 billion by 2031.
Looking into this further, KnowBe4 evaluated the top causes of ransomware infections and found social engineering to be the leading root cause for ransomware getting into organisations. Social engineering includes tactics like phishing, vishing and Business Email Compromise (BEC) scams, along with any other trick an attacker can use to get employees to click a malicious link, open an attachment, hand over credentials or make a payment.
We are continuing to see an increase in phishing, including campaigns that borrow the wording and format of routine HR communications. It is clear that cybercriminals are moving away from the well-known Nigerian prince scams filled with grammatical errors towards more polished, business-oriented schemes. Security teams must therefore take preventative steps to stop attackers from duping employees, gaining a foothold inside the perimeter and stealing sensitive information.
HR is vulnerable
Research shows that more individuals are being duped by HR-themed phishing attacks, with a significant rise in emails that announce new policies affecting all employees. Subject lines seen in these campaigns include ‘Vacation Policy Update’, ‘Important: Dress Code Changes’ and ‘Remote Working Satisfaction Survey’.
These policy lures are only part of the picture. Those in the HR department need to be especially wary of BEC scams. In these highly successful attacks, cybercriminals send correspondence to unsuspecting employees while pretending to be the CEO, another senior member of the company or a business partner. The targets are typically people with access to company finances, and the emails are tailored to trick the worker into transferring money to bank accounts that appear to belong to the so-called ‘trusted individual’. There are many high-profile examples of BEC attacks in which governments and multinational enterprises have lost millions after employees were tricked in this way.
HR and finance departments need to be made aware of this, especially as BEC scams have evolved further. Attackers now impersonate existing employees and ask for the bank account into which their salary is paid to be changed. If the request is accepted, the next salary run deposits the money into the attacker’s account. Because the request goes directly to HR or payroll and the payment is then made by the company’s own payroll system, no bank or payment-fraud control sees anything unusual, and the attacker controls the conversation from start to finish. The scam can run for weeks or months, until the real employee notices the missing salary. The practical control is simple: never confirm a change of bank details by replying to the email, and verify every such request out of band, through a phone number already on file or in person.
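The payroll-diversion scam above is one HR or payroll teams can screen for mechanically before a human ever picks up the phone. The script below is an added example, not code from the original article or from KnowBe4: it triages a bank-detail change request by looking for the signals that distinguish an impersonated employee from a real one (external or lookalike sender domain, a display name that matches a known employee but a different mailbox, and a Reply-To that diverts replies to an attacker-controlled address). The corporate domain `example.com`, the one-entry employee directory and the three sample messages are all constructed for illustration.

```python
"""Triage rules for payroll bank-detail change requests sent to HR.

Added example; not code from the original article or from KnowBe4.
The corporate domain, the employee directory and the sample messages
are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                   # assumed corporate domain
EMPLOYEES = {"jane doe": "jane.doe@example.com"}   # assumed HR directory: display name -> mailbox
BANK_CHANGE_PHRASES = ("bank account", "direct deposit", "payroll", "account details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> dict:
    """Return the impersonation findings for one message and the action HR should take.

    Every bank-detail change request is held for out-of-band verification
    (phone number already on file, or in person); it is never confirmed by
    replying to the email. Requests that also carry impersonation signals
    are blocked and reported to security.
    """
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    is_bank_change = any(phrase in text for phrase in BANK_CHANGE_PHRASES)
    findings = []

    if sender_domain != CORPORATE_DOMAIN:
        findings.append("external_sender")
        # A domain one or two characters away from the corporate one is a classic BEC trick.
        if 0 < edit_distance(sender_domain, CORPORATE_DOMAIN) <= 2:
            findings.append("lookalike_domain")
    known_mailbox = EMPLOYEES.get(display_name.strip().lower())
    if known_mailbox and sender != known_mailbox:
        findings.append("display_name_impersonation")
    if reply_to and reply_to.lower() != sender:
        # Replies would go to a mailbox the attacker controls, not to the apparent sender.
        findings.append("reply_to_mismatch")

    if not is_bank_change:
        action = "no_action"
    elif findings:
        action = "block_and_report"
    else:
        action = "verify_out_of_band"
    return {"bank_change_request": is_bank_change, "findings": findings, "action": action}


# Constructed sample messages (not real mail).
SPOOFED_REQUEST = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Reply-To: jdoe.personal@mail.invalid\n"
    "Subject: Update my direct deposit\n"
    "\n"
    "Hi, I changed banks. Please update my payroll bank account before the\n"
    "next run. I will send the new details once you confirm.\n"
)
INTERNAL_REQUEST = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Subject: New bank details for my salary\n"
    "\n"
    "I have switched banks; my new account details are attached. Can you update payroll?\n"
)
UNRELATED_MESSAGE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Subject: Team lunch on Friday\n"
    "\n"
    "Are you free at 12:30? Thinking of the place round the corner.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_REQUEST), ("internal", INTERNAL_REQUEST), ("unrelated", UNRELATED_MESSAGE)):
        print(label, triage(raw))
```

In a real deployment the directory would come from the HR system or identity provider and the rules would run at the mail gateway or in the ticketing queue HR uses for payroll changes. The heuristics only decide how loudly to escalate; the control that actually stops the fraud is that no bank-detail change is applied until the employee has confirmed it through a channel the attacker does not control.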
What can be done?
Organisations need to understand that cybercriminals will keep evolving their tactics to keep their scams working. Simply spending large sums on the latest security tools will not solve the problem on its own, because there is no silver bullet in security. What is needed instead is a strategy and process that improves the general security awareness and culture of the workforce.
This can prove difficult at first, but dedicating resources to strengthening the organisation’s security culture can be just as important, if not more so, in building resilience to social engineering scams. It requires boardroom leadership that understands cybersecurity is a top priority for the business and does not treat it as an afterthought. Security is a business enabler, because without it the company is vulnerable.
Begin by allocating a small amount of time each week to security awareness training for the whole organisation, covering the scams in circulation, reading and watching various resources, and understanding the security policies in place. In addition, running simulated phishing campaigns is a good way to test the workforce and establish a benchmark of where the company stands.
A change of mindset is also required. Instead of viewing the workforce as an area of weakness, see it as the organisation’s biggest asset. Without proper training employees can certainly be a liability to any security programme, which is exactly why providing the necessary resources helps to create a human layer of security for the company.
To kick-start the training process, there are many free training materials readily available online, including videos, checklists, advisory articles and templates. These will not have the capabilities of a subscription or managed service, but they are a reasonable starting point for organisations that want to begin introducing staff to security threats and reduce the risk of them succumbing to such threats.
Other free tools include ransomware and phishing simulators that can help test how prepared the business is to deal with such situations. There are online password checkers that grade the strength of the credentials used to log into accounts (test them with passwords of the same pattern rather than the real ones, since a genuine password should never be typed into a third-party site), and a vast amount of free security hygiene and best-practice material to help educate the wider workforce.
For enterprises that want to take the next step and look at vendor options in the security awareness space, seek out those with a large pool of content, ideally one that can be modified and tailored to your specific needs. The offering should also have a broad portfolio of tools and features dedicated to social engineering attacks, covering both reporting and remediation, while keeping the focus on the human element of security by raising awareness of social engineering tactics.
Employees who hold positions of power or influence, whether the CEO or individuals in the HR and finance departments, will always be high on the attackers’ list of targets. It is up to the IT and security departments to create a well-designed security strategy that combines people, processes and technology to protect these individuals and the wider organisation.
Concentrate efforts on raising the security IQ levels of the workforce, as this area has the greatest potential for change in the fight against social engineering threats. People can be the biggest asset in identifying and reporting fraud, they just need the right environment to learn and develop. Once this is provided, before you know it, they are more vigilant and the level of risk to the organisation has been reduced.