As businesses continue to move more services online and adapt to remote work, they should be aware of the cyber risks. Most organizations’ cyber defenses are stronger today than they were in the early days of digital adoption, which means it’s harder to break into an organization purely through technical methods.
Almost all modern cyber-attacks against businesses use an element of social engineering to gain an initial foothold. That’s why it’s important for employees to know some of the common ways they could be tricked into giving up a piece of information that will be useful to a cyber criminal.
What kinds of threats are employees exposed to? What can happen if an employee is lured into an attack?
Here is an example: An employee gets a phone call from someone who claims to be on the IT service desk. The attacker could say they are testing employee security tokens to make sure the employee won’t be locked out the next time they use the VPN.
They may use another piece of information gathered elsewhere, like the name of a manager, to lend authority to the request in the employee’s mind. The cyber criminal then asks for the employee’s token code and uses it to log in over the VPN and gain access to the network. Because a one-time token code expires within a minute or so, the attacker typically performs the login while the employee is still on the line.
What systems or training programs should businesses have in place to train employees?
Phishing, malware, and privilege escalation are three kinds of threats all employees should look out for.
1. Phishing attacks use email or other messaging services to try to get an employee to disclose sensitive information, like a password, credit card numbers or bank routing numbers.
- Some phishing attacks cast a wide net and send messages to a large number of employees. Even if just a few share information, it can be worth the cyber attackers’ efforts.
- Spear phishing is a similar tactic targeting an individual employee. Attackers may use personal information available online to make the message sound like it comes from a trusted source, such as a colleague at your company.
2. Malware is software designed to compromise systems or steal data. Sometimes malware is used to gain access to systems, such as databases. In the case of ransomware, the attacker’s goal is to encrypt your data so you can’t use it until you pay a ransom, after which the attackers provide details on how to decrypt it.
3. Privilege escalation occurs when an attacker, typically after gaining an initial foothold through phishing or malware, uses a software vulnerability to get access to systems they shouldn’t have. For example, a cyber criminal may exploit a software bug that allows them to give themselves administrator privileges, which they may then use to steal sensitive information.
Vulnerabilities and how they are exploited
Vulnerabilities are flaws or weaknesses in applications, systems or employee procedures that may allow a cyber criminal to gain access to company information. Vulnerabilities come in a wide range of forms. One type of vulnerability is a bug in the software. Another is a misconfigured system, for example, a network firewall rule that leaves an internal service reachable from the internet. A third type of vulnerability is an employee who is unaware of potential threats, how to spot them and how to avoid them.
Signs of a cyber attack or scam targeting your company
One sign of a potential attack might be unusual activity on your systems. For example, you may notice your systems suddenly slowing down, taking more processing power than normal. Or a new account may be created outside of normal procedures, such as without a change ticket or outside business hours. If you see an unusually high amount of network traffic leaving your systems, it may be an indication of data theft.
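The three indicators above can be checked mechanically. The following is an added example, not code from the original article: it runs over a constructed, tab-separated log (hypothetical hosts fs01 and dc01, invented values) and flags a CPU spike, an account created outside an assumed business-hours-plus-change-ticket policy, and an outbound-traffic spike. The log format, thresholds and policy window are all assumptions for illustration.

```python
"""Flag the indicators named in the text over constructed log lines.
Added example, not from the original article; hosts, values, thresholds
and the business-hours policy are illustrative assumptions."""
from datetime import datetime, time
from statistics import median

# Constructed sample log (tab-separated: timestamp, host, event, detail).
SAMPLE_LOG = """\
2024-03-04T09:12:00\tfs01\tcpu_pct\t35
2024-03-04T09:13:00\tfs01\tcpu_pct\t38
2024-03-04T09:14:00\tfs01\tcpu_pct\t36
2024-03-04T09:15:00\tfs01\tcpu_pct\t97
2024-03-04T09:20:00\tfs01\tnet_out_mb\t40
2024-03-04T09:21:00\tfs01\tnet_out_mb\t45
2024-03-04T09:22:00\tfs01\tnet_out_mb\t42
2024-03-04T09:23:00\tfs01\tnet_out_mb\t900
2024-03-04T10:02:00\tdc01\taccount_created\tsvc-backup2 by jsmith ticket=CHG-1042
2024-03-04T02:41:00\tdc01\taccount_created\tadm-tmp by jsmith ticket=none
"""

# Assumed policy: new accounts are expected only in business hours and with a
# change-ticket reference; a metric is "unusual" at 2x its own median history.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
SPIKE_FACTOR = 2.0
MIN_BASELINE_SAMPLES = 3
METRICS = {"cpu_pct": "cpu_spike", "net_out_mb": "outbound_volume_spike"}


def parse_log(text):
    """Parse the tab-separated log into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split("\t", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def check_account_creation(event):
    """Return a reason string if the creation is outside normal procedure, else None."""
    account, _, rest = event["detail"].partition(" by ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    problems = []
    if fields.get("ticket", "none") == "none":
        problems.append("no change ticket")
    if not BUSINESS_START <= event["ts"].time() <= BUSINESS_END:
        problems.append("outside business hours")
    if problems:
        return f"account {account} created: " + ", ".join(problems)
    return None


def detect(events):
    """Return a list of (timestamp, host, indicator, reason) alerts."""
    alerts = []
    history = {}  # (host, metric) -> earlier values that were not flagged
    for e in events:
        if e["event"] in METRICS:
            value = float(e["detail"])
            past = history.setdefault((e["host"], e["event"]), [])
            # Compare only once a baseline exists, and keep flagged values out
            # of the baseline so a sustained spike cannot hide itself.
            if len(past) >= MIN_BASELINE_SAMPLES and value > SPIKE_FACTOR * median(past):
                alerts.append((e["ts"].isoformat(), e["host"], METRICS[e["event"]],
                               f"{e['event']}={value:g}, baseline median {median(past):g}"))
            else:
                past.append(value)
        elif e["event"] == "account_created":
            reason = check_account_creation(e)
            if reason:
                alerts.append((e["ts"].isoformat(), e["host"],
                               "unsanctioned_account", reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

Running it prints three alerts: the 02:41 account creation with no ticket, the CPU jump to 97% against a baseline in the mid-30s, and the 900 MB outbound burst. In a real deployment the baseline would come from days of history rather than three samples, and the change-ticket check would query the ticketing system rather than a field in the log line.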
Protect employees and help reduce the risk of successful cyber crime
You can protect yourself and your organization by educating employees and following several basic but important security practices.
- Train all staff to detect phishing, smishing and other messaging lures. On a busy day, it’s easy to glance quickly at an email, click on a link or respond without considering the origin.
Tip: Both you and your employees should take two minutes to evaluate an email before acting on it: check the sender’s actual address, where a link really points, and whether the request was expected.
- Every employee who uses a system should have their own login and not share logins. Employee login credentials should be secured so they are not accidentally shared, and shared accounts make it impossible to tell who did what when investigating an incident.
- Do not provide private or confidential information until you have validated that the person contacting the company is who they say they are.
- Have clear procedures to follow when validating and identifying callers before disclosing any privileged information, for example calling the person back on a number from the company directory rather than one the caller provides.
- Use malware detection software on devices — even home and personal devices. If you allow employees to use personal devices to check work emails or access work applications, malware planted on a personal device may be used to attack systems at work.
- Secure home offices and mobile devices. Only access work applications or systems over encrypted connections, such as the company VPN. Be sure to configure home routers to use strong Wi-Fi encryption (WPA2 or WPA3), change the router’s default administrator password, and keep router software up to date.
- Understand which data in your systems is private or sensitive. Protect company data by limiting employee access to only those who need it to do their job.
- For sensitive or high-risk operations, consider separating responsibilities to two or more people. For example, a financial transaction may have both an initiator and an approver.
Cyber criminals can be persistent and creative. Educating and protecting your employees can help them become a strong first line of cyber defense for your business.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.