Making cyber-awareness training and spoofing protection mandatory in the digital workplace
Published: 25th November 2022
Depending upon your line of work, there are numerous mandatory training courses which form an essential and everyday part of the job. If your role is physical, for example, then health and safety training is the norm. Food hygiene training is required for anyone working with consumables, as is DSE training for those working in front of a computer screen.
No matter the course, they are all designed to educate and safeguard employees on the hazards they may face during the working day, to minimise the risks to themselves, others and the wider company. However, one of the biggest risks facing almost every business today is not always afforded the same dedicated and essential training.
Ever-growing digitalisation and reliance on technology is a cybercriminal’s playground. New tactics are being developed every day to dupe unsuspecting employees into giving away confidential information or clicking on something they shouldn’t, putting both themselves and the business at increased risk. As a result, phishing attacks and domain spoofing have now become one of the biggest, if not the biggest, risks to UK organisations and their employees – with phishing alone accounting for 83% of attack vectors in a recent 2022 Cyber Security Breaches Survey.
Much like understanding how lifting a heavy box correctly can prevent injury, an increased awareness of the threat landscape and how to spot phishing attacks, for example, can prevent employees giving away sensitive information or clicking on a seemingly legitimate link in an email which could have devastating consequences for the business.
With 95% of all cybersecurity issues traced to human error, according to the World Economic Forum’s Global Risks Report 2022, it begs the question – why isn’t cyber-awareness training mandatory for all businesses?
The risk of phishing attacks and spoofing
Social engineering attacks, including phishing and domain spoofing, can cause untold damage to both an organisation and individual. Recent cases affecting Dropbox, American Airlines and Interserve show not only the severe consequences of these types of attacks – both financial and reputational – but that no organisation is immune to human error.
With cybercriminals becoming more thorough in their attention to detail it can be hard to identify a real email from a rogue email. A quick glance at a domain address on an email before responding might not be enough, with spoofing tactics becoming a growing concern.
The email domain status of every company is publicly available so it’s not hard to duplicate and catch out unsuspecting victims. Indeed, a recent report from the Office for National Statistics (ONS) found that in a two-week period alone, more than 1,500 reports were made to the suspicious emails reporting service (SERS), run by the National Cyber Security Centre, about scam emails pretending to be legitimate energy rebates from Ofgem, the energy regulator.
With cybercriminals exploiting key world events and situations for their own gain, including the energy crisis, football World Cup and the imminent Black Friday and Cyber Monday weekend, the human element can often undo the protection afforded by even the most robust security solutions – in a second.
Businesses have a responsibility to their staff, clients, and the supply chain to ensure vulnerabilities in their attack surface are addressed. When infiltrated, it’s not just a company’s data and IP that are targeted. Cybercriminals will often use passwords and usernames gleaned through phishing to steal client data to sell on or use an attack to further infiltrate the supply chain and access more lucrative targets.
Some of the key first steps to ensuring a robust approach to cybersecurity and to mitigate the risks caused by human error are to apply cyber-awareness training across the workforce and reduce the chance of your company being spoofed.
No matter what your industry or size of business, ensuring all employees from every department undergo regular training will provide the skills needed to spot a fake supplier email from a legitimate request. There is no substitute for staying up to date with the latest risks and being informed to reduce susceptibility to phishing attacks.
Understanding the role played by strong passwords, how to identify phishing emails, and verify the legitimacy of a link or web address is just the start of the process. When combined with sophisticated security tools like enterprise firewalls, your business will reduce its attack surface.
Whilst the type of phishing threats and tactics deployed are numerous, there are some underlying tips which all employees should always follow to safeguard themselves and the wider business from attack:
- Think before you click. If something seems suspicious or too good to be true, then it probably is.
- Always check website security. Look for the ‘https’ in the URL and if a security warning message appears then go no further.
- Remain vigilant when it comes to pop-ups. Most browsers will allow you to block pop-ups but they can slip through the net and be a phishing attempt.
- Check for spelling mistakes in sender details or company domains in emails. A quick scan won’t always pick up the errors and are designed to catch you out.
Much like the cyberthreat landscape is always evolving, training is not just a one-hit-wonder. It needs to form part of employees working life, to regularly refresh their knowledge and have the insights needed to keep up to date with the latest threats so they can sift through emails with confidence and know the right approach to take if anything looks suspicious.
As phishing attacks become more sophisticated, cyber-awareness training needs to be prioritised, in order to strengthen the human firewall. Not only will this mitigate risks to businesses, it will also reduce the risk of supply chain attacks, as well as prevent any emotional damage to those that have been targeted.
By making cyber-awareness training mandatory, we can increase security across all organisations in the UK and continue to improve our response to national cyberthreats.