The answer is unequivocally yes. As you can see on cybersecurity threat maps like those from Norse and Kaspersky Lab, there are millions of attempted cyberattacks globally on a daily basis. These attacks run the gamut of cybersecurity threats and include network scans, vulnerability scans, viruses, intrusion detection, phishing attempts and botnet activity. Threat maps like these work by creating sensors and honeypots that emulate or mimic real systems, sites and devices. Security companies monitor these “fake” devices for attacks so that they can determine how attacks work and can then program their security systems to prevent these attack vectors.
Now you may be saying to yourself, “I work at a small, non-profit organization and nobody has any interest in attacking us.” Well, according to the U.S. Department of Homeland Security, 31% of all cyberattacks are directed at companies with fewer than 250 employees, and the average cost of a data breach for a small business is $38,000.
Unfortunately, at this time criminals see your employees as the path of least resistance into your company. According to Kaspersky Lab, 42% of confidential data loss is from employees, the largest single cause of data loss.
The three most common attack methods targeting employees are Social Engineering, Phishing and Waterholing.
Social Engineering involves tricking employees into giving up sensitive information through social interactions. It’s much easier to convince an employee to give up their password than it is to get around computer security policies. You should train your employees to be on the lookout for these attacks and to avoid giving out information over the phone or email. Staff should also verify visitor credentials and ask if they can help strangers they might see in the office.
The majority of targeted attacks are delivered via email. Phishing emails try to get employees to click on dangerous links or open infected attachments. Your employees should be alert and ask themselves questions such as:
- Does the email list one URL but point to another?
- Does the email ask for personal information?
- Did someone send me an attachment that I’m not expecting?
Employees should be alert and notify IT of anything suspicious. Also, never open an attachment you weren’t expecting, even if it comes from someone you know.
Waterholing means planting malicious code on a website so that it tries to execute when someone simply visits the page. It is most often delivered via advertising on webpages. Most people don’t realize they can be infected just by visiting a website. Employees should be trained not to click “Allow” or “Confirm” on websites unless they are absolutely sure.
Employee education is the main element in preventing a cybersecurity incident. Education, along with solid security policies and an IT staff that stays on top of new threats, will go a long way toward that goal.