Do you make sure that your employees shred confidential information and correctly configure web services? Do you know if they access information they shouldn’t or send sensitive information to people outside the organization?
If you don’t, you’re not alone. Verizon’s 2018 Data Breach Investigations Report has revealed that 25% of data breaches over the past year were caused by insiders, and the majority of incidents were the result of simple mistakes or malicious intent. The other major contributing factor is socially engineered attacks, such as phishing, in which crooks exploit employees’ lack of cybersecurity knowledge to steal information or plant malware.
Verizon’s report found that organizations are nearly three times more likely to be breached via socially engineered attacks than technological vulnerabilities.
Email is by far the most common vector (96%) for socially engineered attacks that spread malware. Phishing can also occur on social network sites, by text, or over the phone, although in these cases crooks are more likely to trick people into handing over personal information.
Phishing methods change often and take advantage of topical concerns. For example, tax season always leads to an increase in phishing emails claiming to be from the IRS. Phishing is also subject to copycat attacks: if one method proves particularly effective, others will use a similar approach. Verizon highlights one such instance – the rise in “pretexting” attacks, in which scammers pose as the organization’s CEO to try to convince finance departments to transfer funds. This method led to 400 confirmed data breaches in the past year, according to Verizon.
Technological defenses such as spam filters can mitigate the risk of phishing, but they shouldn’t be relied upon. Employees will inevitably receive the occasional phishing email, and when that happens, the only thing preventing a breach is the employee’s ability to recognize it as a phishing attempt and respond appropriately.
“About 80% of people are doing the right thing,” said Gabe Bassett, senior information security data scientist at Verizon and co-author of the report. “On the other hand, they could be doing better. They could be reporting when they see that phishing email, which would give the IT department the opportunity to figure out who the people are who didn’t recognize this, and who are going to click it.”
The best way to help employees improve their ability to spot a phishing email is to educate them. Our Phishing and Ransomware – Human patch e-learning course provides an ideal introduction to socially engineered attacks. It explains what phishing and ransomware are, describes the link between them, and demonstrates how attacks work.