Earlier this year, in the midst of a global pandemic, the HSE (Health Service Executive) fell victim to an elaborate cyber attack. Not only did this result in an immediate shutdown of all IT systems across the HSE, but it has left a lasting impact on the health service and its patients throughout the country.
This cyber attack has proved to be a stark reminder of how reliant we are as a society on online systems for our business and personal interactions, not to mention the impact experienced as a result of a shutdown.
It also highlighted the importance of providing users with sufficient and consistent training in order to avoid such attacks.
What are social engineering attacks?
The phrase ‘social engineering attack’ covers a wide range of malicious activities that are carried out through human interaction. Cyber criminals use psychological manipulation to trick users into giving away sensitive or confidential information, which in turn greatly compromises their security.
The most dangerous aspect of social engineering is that it relies on human error rather than on weaknesses in software or operating systems. Social engineering exploits the natural human tendency to trust others, allowing the perpetrator to trick someone into handing over important personal details.
What kind of social engineering attacks should I be aware of?
There are five key types of social engineering attacks.
Phishing Attack:
This attack is typically delivered in the form of an email, chat, web ad or website and has been designed to impersonate a real system, person or organisation. Often the user will be asked to verify log-in information, which then gives the perpetrator access to systems and data.
Baiting:
This is similar to phishing but offers something to entice the user. The ‘bait’ can be a physical item, such as a flash drive with the user’s company logo that may pique an employee’s interest. It could also be in digital form, such as a free movie download that delivers malicious software directly into the user’s system once downloaded.
Scareware:
This involves the user receiving emails or pop-up messages in their browser warning that their system is infected with malware, together with an offer to install a tool (which is itself infected with malware) to fix the issue.
Pretexting Attacks:
This is the human equivalent of phishing, where the hacker creates a false sense of trust between them and the user by impersonating a co-worker, a member of the police, a bank representative, a tax official or some other figure of authority. This type of attack is usually initiated by the perpetrator pretending to require details such as passwords or logins, in order to carry out a crucial task.
Quid Pro Quo:
This technique involves the hacker offering some type of service or benefit in exchange for login credentials. Usually, the service offered will be free IT assistance or a technology upgrade via a phone call from the hacker, claiming to be from a reputable IT company.
The importance of cyber awareness training
As technology advances and social engineering cyber attacks become more elaborate and frequent, it’s vital that businesses take the necessary steps to protect their systems against cyber attacks.
According to PwC’s 2020 Irish Economic Crime Survey, 69 percent of firms in Ireland have experienced cyber crime in the last 24 months, and the incidence of cyber crime in Ireland is double that encountered by global companies.
Additionally, with many employees working remotely as a result of the global pandemic, the risk of companies being exposed to a cyber attack has increased. Both of these developments have created substantial issues for business owners, with a recent survey listing them as top areas of concern for 65 percent of Irish companies.
These statistics highlight the importance of cyber awareness training, but what does this entail?
Cyber Security Awareness training
Cyber awareness training provides employees with the necessary skills to improve their IT security practices and identify social engineering attacks.
The training is designed to educate employees on the best practices when it comes to cyber security, as well as teaching participants how to report potential cyber attacks. Password security is a key feature, as password protection is top of the queue when it comes to protecting sensitive and valuable information. It is also vital that employees understand the role they play in helping to combat information security breaches.
In order to be successful, cyber awareness training needs to be consistent for all current employees and part of the training process for all new employees.
Just 1 in 4 Decision Makers Feel Fit To Respond To An Incident
While most large Irish firms have experienced problems with phishing, hacking, cyber fraud, or other cyber attacks, a recent survey revealed that only one in four decision makers are confident in their ability to respond to any security incident effectively.
When it comes to cyber security, it is the human element that is the most vulnerable link. With that, it is in every organisation’s best interest to ensure that all members of the team – including new recruits – are confident in identifying potential threats. And with the growing and ever-evolving level of sophistication of cyber attacks, the training should be ongoing and updated frequently to allow for new types of cyber threats.
What does cyber awareness training involve?
The good news is that rolling out cyber security awareness training within your business can be a very simple and affordable process, and Calnet have the perfect training package with four key elements:
- Baseline Testing uses simulated phishing attacks to assess the percentage of users within your business who are prone to attack.
- Train Your Users uses automated training campaigns with scheduled reminder emails that train users through a combination of interactive modules, videos, games, posters and newsletters.
- Phish Your Users gives your business access to fully automated simulated phishing attacks, with thousands of templates, unlimited usage and community phishing templates.
- See The Results – the final step – provides a variety of reports which cover actionable statistics and graphs for both security awareness training and phishing, ready for management.
Our cyber security awareness training combines regular online training with simulated attacks and in-depth reporting to dramatically reduce the risk of your business falling victim to a genuine cyber attack. Contact us today for further details on how we can help you protect your business from this moment on.