Posts Tagged: VIPRE

How can businesses combat easy email security mistakes?

Stuart O'Brien

It’s no secret that threats to email security are on the rise. According to a recent survey, 92% of organisations were victims of successful phishing attacks in 2022, while 91% of the respondents admitted to experiencing email data loss. By not implementing sufficient email security strategies, companies open themselves, their clients, and their customers to cyber security incidents such as phishing, data breaches, and business email compromise (BEC). It’s not just external cyber threats that businesses need to be mindful of; the human element also needs careful consideration.

With so many email-related incidents and data loss, the question arises of how businesses can do more to prevent these events. Oliver Paterson, Director Product Management, VIPRE Security Group, explores more…

The wrong email recipient

With an increase in hybrid employees, the traditional single office-based computer setup is becoming less common within businesses. The pressure on employees to work harder, better, and faster makes it easy to understand why they don’t always verify the validity of the email address they are sending information to, especially now that smarter technology like autofill in Outlook is advancing rapidly. But, while it might seem like an innocent mistake, it can have far-reaching consequences.

For example, that was the case with a university in the UK, where the personal medical details of a student were wrongly sent to the whole campus. Or when Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including a whistleblower’s identity. An employee entered an incorrect character when emailing someone with the same last name but a different first initial.

It only takes one incorrect character, or autocorrect taking over, for sensitive information to land in the wrong inbox. And what if that recipient is a competitor, or the message is intercepted by a cyber criminal?

Sending email attachments to the wrong contact

Another common user error is sending the wrong attachment to the wrong person. This could put company data at risk. The release of confidential corporate information, such as unpatented new product information, to the wrong person or into the public domain can result in a major advantage for the competition or can even harm the reputation of the company beyond repair.

In addition, organisations now face severe consequences for violating data protection regulations, including GDPR and other industry-specific regulations. By investing in a data loss awareness tool that increases email security, businesses can take advantage of features such as prompting employees to confirm all internal and external recipients, and flagging attachments that contain confidential information to ensure your intended distribution list is correct.

For example, Surrey County Council was served with a penalty of £120,000 after three data breaches that involved misdirected emails. This included a staff member sending an email with the personal data of 241 individuals to the wrong email address. The information was not encrypted so was instantly accessible to the recipient and a direct breach of data protection regulations.

To BCC or not to BCC?

Adding email recipients is a task that may seem simple, but if not done correctly it can have devastating repercussions for businesses. The misuse of the CC and BCC functions could expose your entire contact database, revealing customer email addresses to potential hackers or competitors.

In March 2023, NHS Highland was reprimanded for a data breach which revealed the personal email addresses of people invited to use HIV services. Such a mistake is a common error when sending emails, and one that often goes undetected or unreported. However, it is considered a data breach because none of the involved parties has consented to share their contact details with others.

Considering technology, companies should look to implement solutions that warn and educate people to use the CC and BCC fields properly. However, the problem extends beyond BCC and CC misuse; companies should treat the risks of sending information as much broader.

The use of autocomplete, reply all, errors adding attachments, and lack of user awareness about the information contained in the body and attachments are all significant security risks that businesses with sensitive information need to be aware of.

Data breach – accident or intent? 

More than 300 billion emails are sent each day, so it’s no surprise that misaddressed emails are the largest source of data loss for organisations. Hackers can take advantage of complacency within email culture with a number of techniques. For example, they disguise emails to appear as though they are internal, when they actually come from a spoofed domain that looks almost identical to the real thing. In an organisation that sends so many emails every day and works so quickly, employees may not notice this and fall victim to a malware or ransomware attack, exposing the network and sensitive information.

On the other end of the scale are data breaches conducted with malicious intent. For example, the Morrisons insider threat breach was carried out by a disgruntled former employee who stole and published payroll data of nearly 100,000 staff members online. His aim was to disparage the reputation of his former employer after a disciplinary matter. The breach reportedly cost the company £2 million to rectify.

With email accounting for such a big part of the way we communicate professionally, particularly when working remotely, it’s important to be aware of and educated about the common email mistakes that often occur. Businesses can support their employees and reduce the risk of a data breach by implementing intuitive technology that detects and highlights potential errors and threats.

Investing in technology that warns users about poor email security practices, by providing a simple safety check and prompting them to recheck a message before sending, all without impacting employee productivity, allows organisations to quickly reduce errors. These solutions can prevent organisations from revealing the wrong information to the wrong person by allowing a quick double check of the recipients and attachments of emails before sending them.

Conclusion

While foresight is essential, so is the ability to prepare a smart defence. Businesses can implement best practices to protect themselves from email threats and prevent becoming the next easy target. These best practices include:

  • Implementing a layered email security strategy
  • Training employees for better security awareness
  • Deploying email-specific security controls

The email safeguards businesses can implement today will have a broader and more lasting impact as the organisation grows. When implementing these best practices, it’s essential to partner with the right email security vendor to ensure the company’s email security solutions are tailored to the company’s size and scale with the business’ growth.


Getting your cybersecurity foundations right

Stuart O'Brien

Over 2022, the cybersecurity industry continued to accelerate, with rising numbers of attacks (global attacks increased by 28% in the third quarter of 2022) and sophisticated methods.

Yet, recent research found that the majority of security leaders believe that their organisation is still falling short in addressing cybersecurity risks, citing a lack of investment in cybersecurity (26%), inadequate training (24%) and security application (24%).

With no sign of cyber attacks slowing down over 2023, these numbers are a cause for concern, as businesses continue to leave the door wide open to be infiltrated without the basic cybersecurity strategies in place.

Investing in cybersecurity should be at the top of businesses’ priorities for the new year, and a 360-degree approach is key – combining technology solutions, email protection and security awareness training, according to Usman Choudhary, Chief Product Officer, VIPRE…

Education is Key 

Humans are the first line of defence when protecting an organisation against cybercriminals, as the employees make the final decision to open an email, or click on a link. However, research found that in 2022, 82% of breaches were due to human error.

If employees are neither trained nor educated on the cybersecurity landscape, they cannot be expected to spot cyber attacks and protect themselves and the business. Therefore, it is crucial that organisations run SAT (Security Awareness Training) programmes regularly, rather than as an annual tick-box exercise. This training is designed to help the user understand their responsibilities when it comes to keeping the company secure and preventing attacks, empowering them with the knowledge and skills to be more security conscious as part of the overall IT security strategy and protection.

Additionally, a more confident workforce relies less on stretched IT teams, and those who work from home feel more empowered when they don’t have instant access to the IT team.

EDR Technology to Enhance Cybersecurity Protection 

As well as companies improving their employees’ knowledge of cyber threats, implementing technology can further support cybersecurity strategies by adding a second layer of protection against attacks.

Digital solutions such as Endpoint Detection and Response (EDR) technology can support organisations in monitoring for, flagging and alerting on cyber threats – such as ransomware and malware – by using endpoint data collection software installed on each machine. If any suspicious activity is detected, the system raises an alert. EDR technology can also block malicious activity, temporarily isolating an infected endpoint from the rest of the network and stopping any malware from spreading.

Email Prevention Tools

Email is considered the main method for both internal and external communication in any organisation – with 347.3 billion emails expected to be sent and received daily over 2023, which is a 4.3% increase from 2022. However, email is also a key entry point for a cyber attack, with 1 in 99 emails being a phishing attack. Therefore, ensuring that email communication is kept secure is vital.

Mistakes can easily be made – but they can also be easily prevented. Sending an email to the wrong person, or opening a malicious attachment can have catastrophic consequences. But, by having email prevention tools in place, users can feel secure with this extra layer of protection when sending and receiving emails internally. This is because such tools can alert the user to take a crucial ‘double-check,’ confirming that the recipient or attachment is correct, which will in turn, help to eliminate data leakage due to autocomplete errors.

Conclusion

In 2023, businesses must ensure that their cybersecurity strategy is prioritised and invested in. Whilst it may be difficult to predict the year ahead in terms of cyber attacks and tactics, businesses should be prepared for the threat landscape to continue to evolve, with bad actors continuing to innovate new methods for attacks. However, by adopting a 360-degree approach, organisations can cover all potential risks by empowering their employees with both education and technology, including email prevention tools, EDR technology and security awareness training programmes.

A multi-faceted approach to cybersecurity is crucial against the modern threat landscape, but it is best if these security strategies work in tandem, rather than separately. This approach gives businesses and their users the confidence and reassurance they require, effectively closing any potential gaps for attackers to exploit and transforming their security posture for the year ahead.

How financial organisations can stay protected from financial data breaches 

Guest Blog

Email is a crucial function of business communication, which many organisations strongly rely upon. But as the pandemic brought a new world of remote and hybrid working, it’s arguably more important than ever to keep both individuals and organisations connected – wherever they may be.

A staggering 333.2 billion emails are sent and received daily – and at that volume it’s inevitable that typos occur or the wrong attachment is sent to the wrong person. However, whilst innocent mistakes can happen, the consequences can be devastating.

The consequences of sending an incorrect email within the financial industry, in particular, could be drastic – both in terms of a firm’s reputation and legal penalties. Within an industry that deals with sensitive and valuable information, it’s vital that financial organisations prioritise keeping their confidential data secure, explains Andrea Babbs, UK General Manager, VIPRE…

At What Cost?

IBM’s latest Data Breach Report revealed that 2021 had the highest average data breach costs in seventeen years, rising from $3.86 million in 2020 to $4.24 million. Within the financial services industry in particular, research indicates that cybercrime is more prevalent than in any other sector. External and insider breaches are equally dangerous, but human errors are almost twice as likely to result in data disclosure.

For example, if human errors occur in financial services when sending internal emails, such as including the wrong individuals in CC or attaching the wrong document, this can cause serious issues as it may be perceived as ‘Insider Trading.’ If two departments are working for two directly competing clients and accidentally share non-public, material information about one another, this could give either team or client an unfair advantage from that insight.

The size of the breach will determine the size of the cost. However, at a minimum, there will be penalties. Not only could there be a financial loss for the organisation, but companies will have to pay for audits to understand what happened and what protocols need to be put in place to prevent further attacks, as well as compensating customers who were affected by the breach.

Additionally, the aftermath of a data breach is far worse than just financial loss. Businesses in the finance sector have reputations to uphold in order to preserve a loyal customer base, especially in such a demanding and competitive market. Yet, failing to protect sensitive customer information can result in negative press, which can, in turn, make existing and potential customers apprehensive about an organisation. This can potentially result in them taking their business, and money, elsewhere.

Strategy Checklist

A layered cybersecurity strategy is key in any industry in order to mitigate cyber threats and keep sensitive information secure. However, within the financial sector, it’s more important than ever as the stakes are much higher. When considering a cybersecurity strategy, three components should be considered:

  1. Encryption and Authentication: Security protocols are designed to prevent a majority of instances of unauthorised interception, email spoofing and content modification. When a hacker is attempting to infiltrate a company, they may try to intercept emails via transport links or attack systems directly. Whilst encryption services do not protect businesses against human error, including them in your email security strategy will help to protect companies from hackers intercepting emails.
  2. Training and Guidelines: It is essential that businesses put in place strong security rules and guidelines concerning the movement and storage of sensitive financial information. This should also provide clear guidance on the steps employees should take if a security incident occurs.  Additionally, when employees first join an organisation, they should take part in cyber security awareness training. However, this should be an ongoing programme to ensure that all employees understand the role they play in keeping their organisation safe. As part of this training, automated phishing simulations should be included to demonstrate how these threats can appear in order for the user to identify them, and act appropriately. Following this training, key metrics and reports can be provided on how the users are improving, or where more education is needed. By fortifying key security messages across the workplace, combined with simulated phishing attacks, continuous training ensures that individuals are able to identify potential attacks, whilst providing them with the necessary skills to handle the risks.
  3. DLP (Data Loss Prevention): It is crucial for businesses, especially financial firms, to deploy security measures for the detection and prevention of potential email threats, both internally and externally. Humans play a key role in deciding what is safe to send, and what is not – but DLP solutions can support this process by providing the necessary alerts. For example, colleagues exchanging confidential documents across different areas of the business means that the CC fields are likely to have multiple recipients in them. An incorrect email address is likely to be overlooked without a tool in place to highlight the error to the user; such a tool gives them the opportunity to double-check the accuracy of the email recipients and attachments. Supporting staff with a crucial second chance helps to raise awareness and understanding of existing email threats, and provides that essential security lock-step – before it’s too late.

Conclusion

Email will remain an essential platform for communication, but it will continue to be a high-risk tool for businesses and employees communicating both internally and externally. This is particularly true for financial services organisations, which remain a prime target for cyber hackers given the temptation of access to personal information and financial transactions. Therefore, the finance industry must prioritise cyber security and invest in a layered approach, which must include security awareness training and data loss prevention tools, in order to minimise human error and provide the strongest possible defence in the modern security landscape.

Investing in channel support to survive the evolving security landscape

Stuart O'Brien

Security is a growing concern across every industry, particularly now with the growth of dispersed workforces around the world. Cyberattacks continue to increase and become more sophisticated, and businesses of all sizes need to invest in the right support. This is even more crucial for small and medium-sized businesses (SMBs), which may lack adequate internal resources and teams to protect themselves against such threats.

But, by partnering with an established Managed Service Provider (MSP) who can act as a trusted advisor to create a solid cyber security strategy, SMBs can benefit from the knowledge, skills and solutions available within the channel. MSPs, therefore, need to ensure they leverage this opportunity to support their end customers, while businesses crucially make the necessary investment to keep their network, data and people secure, as Mike Foster, Channel Manager, VIPRE, explains…

COVID-19 Transforms the Market

With businesses accelerating their digital transformation during the COVID-19 pandemic to ensure business survival and continuity, there has been a knock-on effect on cybersecurity strategies, which now must be prioritised and invested in. Over the past eighteen months, organisations have had to transition to working securely and efficiently from home, and then splitting their time between the office and remote work, in turn, creating new security challenges. This has demonstrated the crucial need for organisations to become more agile and have the ability to scale both up and down when regional rules change.

The importance of a secure and flexible workforce, one which is protected through layers of security and best practice, is key. This can be executed successfully by identifying existing weaknesses or gaps in infrastructure, which can be easily spotted by channel partners who specialise in cybersecurity. By leaning on an MSP, businesses can benefit from having access to the right support and advice, and MSPs, in turn, can offer the correct solutions to combat the challenges their clients face. This has led organisations to ask questions such as: are the emergency measures put in place during the peak of the pandemic sufficient for long-term secure and agile working practices? What tools do customers need to remain secure in the new modern hybrid working environment? It is clear that now is the time for businesses to reassess and build a flexible, future-proof plan.

The Trusted Advisor to SMBs

Smaller and medium-sized businesses often do not have the resources, time or dedicated teams to focus on their IT needs, while ensuring they have the right solutions in place to defend themselves against cyberattacks. They also do not think they are as much of a target for hackers, as they may not have as much revenue or data compared to larger and more corporate organisations, with 66% believing a cyberattack would be unlikely. However, according to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, and only 14% are prepared to defend themselves.

Instead, by partnering with an MSP who can act as an external security partner for the SMB to help them achieve cyber resilience, the pressure and responsibility of defending the business against cyber threats will lie with the expert in the channel. This creates a unique opportunity for MSPs to guide customers on their cybersecurity journey and ensure they are receiving relevant education and have the right technology and tools in place to protect the business. It also helps the MSP to differentiate themselves in the ever-growing and competitive channel market, enabling them to become trusted IT security advisors for the businesses they support.

Critical Support Partner

Whether a business is big or small, investing in its cybersecurity foundations is not optional – it’s business-critical, especially in today’s threat landscape. By identifying the gaps in their cyber needs, or allowing an MSP to make these judgements, a strong infrastructure can be built upon the business’s existing setup. These solutions can be custom-built and tailored to each individual organisation, including email and endpoint protection, ongoing end-user training, as well as access services such as ZTNA solutions.

With security breaches showing no signs of slowing down, MSPs must be constantly vigilant and develop cyber resilience approaches that go beyond deploying security solutions. This means having not only the market-leading technology available, but also the technical expertise to support business security plans and growth. MSPs must take a proactive role in understanding the current state of a customer’s ability to protect against, prevent and respond to modern cyber threats when recommending the best approaches to true cyber resilience.

For example, MSPs who simply roll out Office 365 to their client base are not tapping into their customers’ need for peace of mind when it comes to cybersecurity. Instead, they should add value to the partnership by emphasising good cyber security practices, providing the right tools and technologies and looking at specialist vendors – rather than providing a one-size-fits-all solution. Channel partners can capitalise on this by demonstrating to customers the benefits they bring and continuing their role as trusted advisors – growing their revenue while securing their key partner status.

Investing in Technology

An MSP’s portfolio should provide the correct tools and solutions businesses need to survive and thrive in the new normal. Businesses of all sizes prioritised their move to digital workspaces during COVID-19, including remote teamwork, learning and critical cloud infrastructure, with Microsoft’s Chief Executive saying that they’ve seen two years’ worth of digital transformation in two months. Innovative technologies can form the backbone of a workforce’s security foundations by adding layers of technology protection alongside employee tools and security awareness. Solutions can be embedded to prompt users to double-check their emails before a mistake is about to be made, for example, mitigating the risk of accidental data loss.

Additionally, security awareness training within businesses has become a security necessity. Without peer review or IT supervision, organisations need their users to be empowered to make good security decisions. Rather than a once-a-year cyber awareness course – often used to tick a compliance box – today’s businesses must invest in ongoing training, phishing simulations and solutions to help their employees make the right decisions – wherever they are working.

This is an important point for channel partners to take on board, as they have the power to ensure their customers’ end users are sufficiently trained in the threat landscape. Have they engaged in phishing penetration testing? Is sending an email to the wrong person an embarrassing mistake or a data breach? These are just some of the key questions MSPs should be asking when they look to fulfil their trusted advisor role. This is an area where partners will see real growth as businesses have woken up to the idea that with the right solutions, they can switch their employees from IT risks to IT assets, and the channel needs to ensure they have the necessary training and tools in place to help their clients make these decisions.

Conclusion

Organisations cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. Within the evolving cybersecurity landscape, it’s essential for businesses, especially SMBs, to find a partner that offers a varied portfolio of security offerings, as well as the knowledge and support, to keep their business data, workforces and networks secure.

By addressing pain points and providing assurance around the security of their working environments, channel partners can build and strengthen their existing relationship with their customers, while recognising the opportunity of additional revenue streams for their businesses. In turn, businesses can feel confident that they have the right technology, education and tools in place to combat the risk of cyberattacks and a trusted partnership they can rely on to keep them secure and agile.

Cybersecurity: The crucial double check 

Stuart O'Brien

Cybercrime has quickly become the world’s fastest-growing form of criminal activity, and is showing no sign of slowing down, with the number of attacks on businesses continuing to increase. COVID-19 has acted as a catalyst for this, with hackers taking advantage of remote workers during challenging times.

Despite innovations and sophistication in hacking methods, one of the main means of data loss is insiders, including employees making mistakes. Humans make errors – stressed, distracted employees will make even more mistakes. And with sensitive information on the line, from regulatory compliance to safeguarding Intellectual Property (IP), companies are increasingly concerned about the risk of inadvertent data loss. But how can this threat be mitigated?

Andrea Babbs, UK General Manager, VIPRE SafeSend, emphasises the importance of implementing a crucial double check to improve email security culture…

Human Error 

Business reliance on email is creating a very significant cyber security risk – and not simply due to the increasing volume and sophistication of phishing and ransomware attacks. Given the sheer volume of emails sent and received a day (over 300 billion every day in 2020), mistakes are inevitable. Employees are trusted with company-sensitive information and assets, and many are permitted to make financial transactions – often without requiring additional approval. Furthermore, with strict data protection requirements in place, not only GDPR, but also industry specific regulations, organisations clearly require robust processes to mitigate the risk of inadvertent data loss.

According to reports, 34% of all breaches are caused by insider fault, yet many employees are unaware of their responsibility when it comes to data protection. Should confidential corporate information fall into the wrong hands, the consequences could be devastating, including financial penalties, loss of trust and competitors gaining an advantage. BitMEX, one of the world’s largest cryptocurrency trading platforms, accidentally leaked thousands of private customer email addresses when it sent out a mass mailshot without using the BCC function. But how could this mistake be stopped? What employees need is a way to better manage their email functions, with an opportunity for potential mistakes to be flagged before an individual hits send, for example by showing who is in the To, CC and BCC fields.

Additional Layers 

Few organisations have a clear strategy for helping their employees understand how a simple error can put the company at significant risk; even fewer have a strategy for mitigating that risk and protecting their staff from becoming an insider threat. But more importantly, what they may not be aware of is that there is a solution available that can add a layer of employee security awareness.

Businesses can help employees avoid simple mistakes, such as misaddressed emails, by providing a simple safety check, which alerts users to confirm both the identity of the addressee(s) and, if relevant, any attachments. The solution can be configured to work on a department or user basis, for example, a business may not want HR to be able to mistakenly send sensitive personal information to anyone internally and therefore require a confirmation for all emails.

In addition to confirming email addresses and attachment(s), the technology can also check for keywords within the email content using Data Loss Prevention rules, and each business can set its own requirements and parameters determined by corporate security protocols. Any emails, including attachments, containing these keywords will be flagged, requiring an extra validation step before they are sent, without impeding working practices, and giving users a chance to double check whether the data should be shared with the recipient(s).

The Essential ‘Pause’ Moment 

Deploying an essential tool that prompts for a second check and warns when a mistake is about to be made helps organisations mitigate the risk of accidental error, and the potentially devastating consequences that might have on the business. Accidentally CCing a customer, rather than the similarly named colleague, will be avoided because the customer’s domain will not be on the allow list and therefore automatically highlighted. This is more crucial than ever before with employees dispersed across a range of locations as part of hybrid working. Such tools can support mixed operating system environments and DLP add-ons can be given to certain departments and groups who handle very sensitive information such as employee or legal data.

This type of tool is key for companies and reinforces a security culture, building on education and training, with a valuable solution that helps users avoid the common email mistakes that are inevitable when people are distracted, tired or stressed. It provides an essential ‘pause’ moment, enabling individuals to feel confident that emails have been sent to the right people and with the right attachments.

In addition to checking the validity of outbound and inbound email addresses and attachments, it can also help minimise the risk of staff falling foul of a phishing attack. For example, an email may purport to come from inside the company but actually carry a cleverly disguised similar domain name, such as V1PRE as opposed to VIPRE. The technology will automatically flag that email when the user replies, showing that it is not from an allowed domain, and enable the user to cancel the send and avoid falling for the phishing attack.
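As an added illustration, and not VIPRE SafeSend’s own code (the post does not describe the product’s internals), the following Python models the pre-send “double check” described in this post, and also covers the BCC mistake and DLP keyword checks discussed in the earlier “To BCC or not to BCC?” and “Strategy Checklist” sections. It treats an allow list of internal domains as the baseline, flags external recipients, flags look-alike domains (so a reply to V1PRE is caught against VIPRE by comparing confusable-character skeletons and a one-edit distance), warns when too many recipients are visible in To/CC instead of BCC, and scans subject, body and attachment names for DLP keywords. The internal domains, keyword list, threshold and the sample draft are all constructed placeholder values.

```python
"""Pre-send email safety check (added illustration; not VIPRE SafeSend code)."""
import re
from dataclasses import dataclass, field

# Constructed policy values; a real deployment would load these from its DLP config.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
DLP_KEYWORDS = {"payroll", "confidential", "salary", "patient"}
MASS_MAIL_THRESHOLD = 10  # more visible (To/CC) recipients than this should go in BCC

# Characters attackers swap for look-alikes, folded to one canonical letter.
_SKELETON = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                           "3": "e", "5": "s", "8": "b"})


@dataclass
class Draft:
    """A message as it sits in the outbox, before the user hits send."""
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    body: str = ""
    attachments: list = field(default_factory=list)  # file names only


def skeleton(domain):
    """Fold confusable characters so 'v1pre.com' and 'vipre.com' compare equal."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_SKELETON)


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typos and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def classify_domain(domain, internal=INTERNAL_DOMAINS):
    """'internal' if on the allow list, 'lookalike' if it imitates one, else 'external'."""
    domain = domain.lower()
    if domain in internal:
        return "internal"
    for d in internal:
        if skeleton(domain) == skeleton(d) or edit_distance(domain, d) <= 1:
            return "lookalike"
    return "external"


def check_draft(draft, internal=INTERNAL_DOMAINS, keywords=DLP_KEYWORDS,
                threshold=MASS_MAIL_THRESHOLD):
    """Return the warnings a user should confirm before the message leaves."""
    warnings = []
    visible = draft.to + draft.cc
    for addr in visible + draft.bcc:
        kind = classify_domain(domain_of(addr), internal)
        if kind == "lookalike":
            warnings.append(f"LOOKALIKE: {addr} resembles an internal domain but is not on the allow list")
        elif kind == "external":
            warnings.append(f"EXTERNAL: {addr} is outside the organisation; confirm before sending")
    if len(visible) > threshold:
        warnings.append(f"BCC: {len(visible)} visible recipients; move them to BCC so "
                        "addresses are not disclosed to each other")
    # Tokenise on letters only so 'payroll_2023.xlsx' still yields the word 'payroll'.
    text = " ".join([draft.subject, draft.body] + draft.attachments).lower()
    hits = sorted(set(keywords) & set(re.findall(r"[a-z]+", text)))
    if hits:
        warnings.append("DLP: message or attachment mentions " + ", ".join(hits)
                        + "; confirm every recipient is entitled to it")
    return warnings


def example_draft():
    """Constructed sample: a typo'd look-alike recipient, an external CC, a long CC list."""
    return Draft(
        sender="hr@example.com",
        to=["finance@example.com", "j.smith@examp1e.com"],   # '1' for 'l': look-alike
        cc=["partner@othercorp.com"] + [f"staff{i}@example.com" for i in range(12)],
        subject="Q3 figures",
        body="Please find the confidential payroll summary attached.",
        attachments=["payroll_2023.xlsx"],
    )


if __name__ == "__main__":
    for line in check_draft(example_draft()):
        print(line)
```

The check runs entirely on the draft in the client, so it adds a confirmation prompt rather than a delay; a real deployment would tune the confusable map, the threshold and the keyword list per department, as the post describes for HR and legal data.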

Conclusion

Email is arguably the key productivity tool in most working environments today, placing much of the responsibility for secure use of that tool on employees. But supporting staff with an extra prompt to double check they aren’t mistakenly sharing confidential data raises awareness and understanding, and provides that essential security lock-step – before it’s too late. The premise is not to add time or delay to the day-to-day management of email; it is about fostering an attitude of awareness and care in an area where a mistake is easily made.

No organisation is immune to human error, but having a clear strategy in place to address misaddressed emails and data loss through email, and to mitigate the associated risks, helps businesses remain compliant and secure. It’s all about increasing awareness and improving email culture where mistakes can so easily be made, while reinforcing compliance credentials.

Keeping cybersecurity initiatives on track


The West Midlands Train service has come under fire after workers discovered that an email promising them a bonus payment after running trains during the pandemic was actually a phishing simulation test.

Around 2,500 employees received a message which appeared to come from Julian Edwards, Managing Director of West Midlands Trains, thanking them for their hard work over the past year under COVID-19, and that they would get a one-off payment as a thank you.

However, those who clicked through on the link were then emailed back with a message telling them it was a company-designed ‘phishing simulation test’ and there was to be no bonus. The email warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”

Since the test was revealed, the train service has received media backlash for promising a fake financial reward to deserving teams. However, the modern threat landscape is constantly evolving, and it’s vital that businesses prepare their workforces against any type of threat. So was this a good test of resilience? Andrea Babbs, UK General Manager, VIPRE, explains...

Fight Fire with Fire

In order to be successful in the fight against cybercrime and protect the network, businesses should not be afraid to fight fire with fire and sometimes stoop as low as the phishers themselves – who have no morals. By using a powerful message and incentive such as the suggestion of a bonus provided by West Midlands Train Service, businesses can gain valuable insight into how their employees could be tricked into clicking on a phishing link, and why they need to ensure their staff are trained for any type of attack.

However, the test has clearly upset West Midlands’ employees, and could have been done in a less dramatic way so that it wasn’t ethically or morally questionable. This is particularly true during a pandemic in which frontline workers, like those in the transport industry, have continued to put themselves at risk over the last year. The idea of a bonus in the current challenging environment seems a deserved act of recognition for their above-and-beyond service – but for this to be a test, rather than the promised reward, is particularly hard-hitting for those involved.

Finding the Balance

It is vital that organisations take the time to train and educate their staff so that they become an additional line of defence in an organisation’s cybersecurity strategy. However, IT teams also need to rely on users’ goodwill to encourage them along the cybersecurity journey. This test by West Midlands Train service may have damaged that goodwill, and could disillusion some members of staff.

Rather than mentioning a bonus, the train service could have mentioned a change to pay, or date of payroll. Both of these statements would have had the same instinctual reaction in employees, without having heightened emotions surrounding the letdown of a non-existent bonus.

Importance of Education

Regardless of the incentive behind the West Midlands phishing test, the fact that employees clicked on the link highlights the need for businesses to perform these types of tests in the first place.

Cybercriminals will stop at nothing to get users to click on a phishing link, download a malicious attachment or fill in their details on a forged website, and will use personal or professional information to lure them into doing this.

Therefore, employees need continuous training to identify and avoid these attacks. Going forward, businesses that are looking to deploy such phishing tests should use less emotive topics to test their users, in order to avoid any ill will or backlash from their employees and the media.

One way to achieve this is to implement Security Awareness Training programmes which incorporate real-life situations, including phishing simulations – that are less emotive. This educational material will help organisations to fortify crucial cyber threat prevention messaging and educates workforces on how to protect both the business and themselves.

The Key to Cybersecurity is an Educated Workforce


The United Kingdom’s National Cyber Security Centre (NCSC) handled a record number of cybersecurity incidents over the last year, a 20% increase on the number of cases handled the year before. With the increasing number and more innovative nature of cyber attacks, businesses of all sizes must prioritise cybersecurity. However, the fundamental starting point of any organisation’s security infrastructure must be a trained and aware workforce, who understand their responsibility in keeping business data safe. Oliver Paterson, Product Expert, VIPRE Security Awareness Training and Safesend, explains…

Business Size Doesn’t Matter

Whether a business is a start-up or a larger corporate organisation, all companies are at risk of a cyber-attack. We often see million-pound enterprises on the news when they suffer a data breach, such as Estée Lauder, Microsoft and Broadvoice. But no organisation is too small to target, including small and medium-sized businesses (SMBs), which are the target of an estimated 65,000 attempted cyber attacks every day, according to new figures. Unfortunately, these types of businesses may not have the same infrastructure and resources in place to survive such attacks: it has been found that 60% of small companies go out of business within six months of falling victim to a data breach or cyber attack.

No matter the size of an organisation, the effects of a cyber attack can be devastating financially, as well as causing longer-term damage to business reputation. Small businesses face the same security risks as larger ones. For example, Volunteer Voyages, a small single-owner organisation, did not deploy the right level of security and fell victim to $14,000 in fraudulent charges made using its payment information. Similarly, the entrepreneur who owns Maine Indoor Karting accidentally clicked on a malicious email pretending to be from his bank warning him of unfamiliar activity, resulting in his account being cleared out. Nevertheless, SMEs can safeguard their data and themselves from these types of attacks by investing in their cybersecurity and being conscious and informed of the threats they face.

Human Error

As the year-on-year number of cyber attacks continues to accelerate, hackers are also becoming more advanced and innovative in their tactics. They are able to spot weaknesses in workforces, particularly preying on those who are working from home as a result of the ongoing pandemic, away from their trusted IT teams. In fact, a recent survey found that 90% of companies faced an increase in cyber attacks during COVID-19.

It is no surprise that hackers use humans to their advantage, as according to data from the UK Information Commissioner’s Office (ICO), human error is the cause of 90% of cyber data breaches. Humans make mistakes – stressed, tired employees who are distracted at home will make even more mistakes. Whether it’s sending a confidential document to the wrong person or clicking on a phishing email, no organisation is immune to human error and the damaging consequences this can have on the business. 

Yet, these risks can be mitigated by educating workforces on the modern threat landscape and the existing risks. Teamed with anti-malware solutions and technology, such as VIPRE’s SafeSend, employees can be alerted to double-check their email attachments and recipients, as well as any potentially malicious incoming emails.

Cybersecurity Training

Businesses cannot rely solely on digital tools to protect their operations, information and people. However, they cannot expect workforces to understand and identify existing threats, or to prevent them from taking place, without education. In particular, small and micro-businesses often lack the resources and knowledge to defend against an attack, with a concerning 81% of organisations not receiving any training on cybersecurity.

Without this cognisance, workforces cannot stay ahead of the persistently evolving threat landscape. It is therefore essential that businesses choose the correct training programmes to get the most value and retention out of this learning. While deploying an annual security awareness training programme may satisfy instant requirements, it does not equate to a continuous defence strategy for ever-changing threats.

The key considerations include the length of the programme, the level of engagement, having a variety of multimedia content and ensuring it is relevant and relatable to a global audience. Adding in real-life situations and intriguing employees with diverse content, including virtual reality and phishing simulations, helps to fortify crucial cyber threat prevention messaging and educates workforces on how to protect both the business and themselves. This, in turn, strengthens the workforce security culture, ensuring employees know what to do when faced with a cyber threat.

Working with an established vendor, such as VIPRE, that has the appropriate security solutions and expertise can help CISOs create and foster a good security culture, making security part of the vision and values of everyone in the organisation.

A Responsible Workforce

Once workforces are trained and educated on the existing security risks, it is vital that they also understand their responsibilities when securing an organisation’s IT infrastructure. Traditionally, IT teams are perceived to have the key role in ensuring the right security measures are in place, and it’s up to them to defend the business against hackers. However, this is not the whole picture, particularly for SMBs, which may not have a dedicated IT unit to rely on.

Especially now with dispersed workforces and social distancing restrictions in place, the help and support from those in IT is not so immediate. Now more than ever, the responsibility must be reinforced throughout the entire business. In order to combat imminent threats, employees who are on the front lines of the business’ cyber defence must understand that they have a key role to play in keeping data safe. After all, the final choice in sending sensitive information via email or downloading an external attachment is with them. 

Forrester’s latest report reiterates this, stating that “Organisations with strong security cultures have employees who are educated, enabled, and enthusiastic about their personal cyber safety and that of their employer.” The combination of a vigilant and empowered workforce, supported with regular training and innovative tools, allows businesses to benefit from a security-first initiative with an educated and responsible culture in the long term.

Data security in the new business world


By Andrea Babbs, Country Manager and Head of Sales for VIPRE Security Limited

With many businesses having to overhaul their operations overnight to enable their staff to work from home due to Covid-19, maintaining as close to business as usual was an absolute priority. But in the rush to implement collaboration tools to get employees up and running for business continuity, cyber security was pushed further down the list of priorities, potentially putting organisational data at significant risk. 

Many businesses may have already had some level of cyber security protection in place, but the shift in working environments and practices means that the emphasis on data security must be reinforced. Some IT security leaders have seen a 30,000% increase in Covid-19 themed attacks, as cyber-criminals continue to use the current global crisis as an opportunity to target potentially vulnerable end-user systems. With a de-centralised workforce, there is an even greater need for employees to take responsibility for keeping sensitive company information secure, and not just rely on security software to assume the role of data guardian. 

Harder, better, faster

While the transition to remote and flexible working has been implemented gradually across many organisations over the years, the overnight change triggered by government protocol has had a dramatic impact on employee working practices. With no peer review or easy access to conversational questions to quickly ask: “does this email look strange to you?”, employees are potentially at increased risk of falling foul of phishing scams. 

Add to this the heightened pressure on staff, who feel the need to work harder, faster and for longer, and to demonstrate how much they are actually working while at home, and it’s no surprise that mistakes are made. For example, responding to emails immediately rather than taking the time to stop and think whether the email is actually genuine, or giving out sensitive information over the phone in order to be seen as helpful during a difficult and stressful time.

Reinforcing responsibility

With tools to support employees that reinforce the need to think before they press send on an email, and consider whether it is authentic or not, employees can assume some of the responsibility for keeping data secure. And as 53% of data breaches are classified as insider, clearly the workforce has a critical role to play in an organisation’s cyber defence strategy. 

Businesses can support employees to avoid commonly made mistakes – such as forgetting to attach a document the message says is attached, sending misaddressed emails, or attaching the wrong information – by deploying technology such as VIPRE’s Safe Send, which provides a simple safety check. It prompts the user before any email is sent, reminding employees to double check and confirm the addressee and what has been attached. Parameters can also be set to add certain domains to an allow list, or the solution can be deployed on a department or user basis. For example, financial data is highly sensitive, so may require confirmation for all emails, while another department may only need checks on external emails.

Certain keywords can also be defined, so when those keywords are identified within an email – an unreleased new product name, for example – an additional confirmation is prompted before the email is sent, allowing for that all important double check that the right person is being sent the right information. 
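The checks described in this post and in The Essential ‘Pause’ Moment above, as an added illustration rather than VIPRE's own SafeSend code: the allow-listed domains, DLP keywords, department rules and sample messages are constructed for the example. It returns the warnings a send-time prompt would show, covering external recipients, a lookalike domain (V1PRE for VIPRE), departments that confirm every send, a promised but missing attachment, and keyword hits.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for a hypothetical organisation (not VIPRE's defaults).
ALLOWED_DOMAINS = {"vipre.com", "partner.example"}
DLP_KEYWORDS = ("project falcon", "payroll", "whistleblower")
# "all": confirm every send; "external": confirm only when a recipient is off the allow list.
DEPARTMENT_POLICY = {"finance": "all", "default": "external"}
# Single-character substitutions seen in lookalike domains (1 for i, 0 for o, ...).
CONFUSABLES = str.maketrans("1l0357", "iioest")


@dataclass
class OutboundEmail:
    sender: str
    department: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def skeleton(domain: str) -> str:
    """Normalise confusable characters so v1pre.com and vipre.com compare equal."""
    return domain.translate(CONFUSABLES)


def check_outbound(msg: OutboundEmail) -> list[str]:
    """Return the warnings to show before sending; an empty list means send quietly."""
    warnings = []
    allowed_skeletons = {skeleton(d) for d in ALLOWED_DOMAINS}
    external = [r for r in msg.recipients if domain_of(r) not in ALLOWED_DOMAINS]
    for rcpt in external:
        dom = domain_of(rcpt)
        if skeleton(dom) in allowed_skeletons:
            # Not allow-listed, but one character away from a domain that is.
            warnings.append(f"lookalike domain: {dom!r} resembles an allowed domain")
        else:
            warnings.append(f"external recipient: {rcpt}")
    policy = DEPARTMENT_POLICY.get(msg.department, DEPARTMENT_POLICY["default"])
    if policy == "all" and not external:
        warnings.append("confirm recipients: department policy requires a check on every send")
    # The text promises an attachment but nothing is attached.
    if re.search(r"\battach(ed|ment)\b", msg.body, re.I) and not msg.attachments:
        warnings.append("missing attachment: body refers to an attachment but none is attached")
    # DLP keywords are matched in subject, body and attachment names alike.
    haystack = " ".join([msg.subject, msg.body, *msg.attachments]).lower()
    for kw in DLP_KEYWORDS:
        if kw in haystack:
            warnings.append(f"DLP keyword: {kw!r} found; confirm the recipients should see it")
    return warnings
```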

Technology provides a vital piece of the cyber security puzzle through high quality layered protection that covers email security, web and end-point protection. As the threat landscape is arguably evolving at a faster rate than ever before, coupled with the workplace shifting to a new normal – these tools have never been more critical.

Focusing on the user is also key, educating them and empowering them to take some responsibility for data security, supported by innovative software – not just relying on the IT department. Those that adopt such an approach will be far more successful than those that rely on technology in isolation. 

The race to normality

In the rush to keep ‘business as usual’ during such uncertain times, businesses may have inadvertently made their security infrastructure vulnerable to data breach – be that from external threats or accidental insider data leakage. As we slowly make the transition from home working to moving back to the office, or transforming to a hybrid workforce, security needs to be reinforced yet again, with a combination of reminders, prompts and continuous training. 

Employees are a vital tool in a business’ arsenal, so they must be regularly trained and reminded about how they can stay one step ahead of cyber threats. But it’s human nature to make mistakes and as such, employees must be appropriately supported with intuitive technology that can spot anomalies, errors and factors that fall outside of set parameters to highlight where potential threats, scams and faults are about to take place.


GUEST BLOG: Combatting the threat of accidental insider data leakage


By Andrea Babbs, UK General Manager, VIPRE SafeSend

Cybercrime has rapidly become the world’s fastest growing form of criminal activity, and is showing no sign of slowing down with the number of attacks on businesses rising by more than 50% in the last year alone.

While most corporates have made significant efforts to invest in cybersecurity defences to protect their organisations from the outside threat of cybercrime, few have addressed the risk of breaches that stem from the inside in the same way. Insider threats can come from accidental error, such as an employee mistakenly sending a sensitive document to the wrong contact, or from negligence such as an employee downloading unauthorised software that results in a virus spreading through the company’s systems. 

We’re all guilty of accidentally hitting send on an email to the wrong person, or attaching the wrong document; but current levels of complacency around email security culture are becoming an ever greater threat. Few organisations have a clear strategy for helping their employees understand how a simple error can put the company at significant risk; even fewer have a strategy for mitigating that risk and protecting their staff from becoming an inside threat. 

So where does the responsibility lie to ensure that company data is kept secure and confidential? 

According to reports, 34% of all breaches are caused by insider fault, yet many employees are unaware of their responsibility when it comes to data protection. With employee carelessness and complacency the leading causes of data breaches – understandable when human error is inevitable in pressured working environments – there is clearly a lack of awareness and training. And while there is an obvious and urgent need for better employee education, should IT leaders not be doing more to provide the tools that take the risk of making accidental mistakes out of employees’ hands?

With simple technology in place that provides an essential double check for employees – with parameters determined by corporate security protocols – before they send sensitive information via email, accidental data loss can be minimised and an improved and proactive email security culture achieved. In addition to checking the validity of outbound and inbound email addresses and attachments – thereby also minimising the risk of staff falling foul of a phishing attack – the technology can also be used to check for keywords and data strings in the body of the email, to identify confidential or sensitive data before the user clicks send.

In order for organisations to limit the number of insider data breaches, it’s crucial for employees to understand the role they play in keeping the company’s data secure. But in addition to supporting employees with training, by deploying an essential tool that prompts for a second check and warns when a mistake is about to be made, organisations can mitigate the risk of accidental error, and the potentially devastating consequences that might have on the business.

Email is arguably the key productivity tool in most working environments today; placing the full burden of responsibility for the security of that tool on employees is both an unnecessary overhead and, increasingly, a security risk. In contrast, supporting staff with a simple, extra prompt for them to double check they aren’t mistakenly sharing confidential data raises awareness, understanding and provides that essential security lock-step – before it’s too late.