Practice management

Cybersecurity: train employees to be your ‘human firewall’

Teaching employees to have greater awareness and understanding of threats offers organisations a chance for cybersecurity where staff become a ‘human firewall'.

About the author: Alastair Murray is director of the Bureau.

Organisations large and small continue to debate how to improve their cybersecurity awareness. Some firms, through their General Data Protection Regulation compliance, are making good progress, but few organisations seem able or willing to grapple with the number one cause of cybercrime: human error.

Whilst many firms say they understand the risks, few take these threats seriously enough. At the same time, firms cannot decide what to do, often because of the impenetrable language used by security software suppliers to describe their services, not to mention all the acronyms (see left)!

Humans are the prime target

The need for strong firewalls, anti-malware software and operating system patching is now understood; the big issue continues to be the human factor. It is estimated that less than 1% of attacks are now targeted at system vulnerabilities, with staff curiosity and a trusting nature the cybercriminal’s weapon of choice.

Phishing fraud

E-mail remains the primary attack mechanism, with malicious spam, ransomware, hacking and phishing fraud continuing to be delivered this way. Making phishing e-mails even more effective is social engineering.

The widespread use of social media by private individuals and businesses is a valuable source of information. With so much being published, it is relatively easy to piece together profiles through which to steal personal data, passwords, identities, Cloud system logins and bank details, to name a few. Social engineering is used to attack huge multinational organisations, small and medium-sized enterprises, small firms of five staff or fewer, in any industry, and private individuals in their homes.

I am not a target

There continues to be no correlation between the size of targeted audiences or industry types and the number of attacks they receive. Large multinational organisations are attractive for their deep pockets, but smaller companies remain vulnerable owing to their relative lack of cybersecurity controls and awareness. Both continue to prove lucrative for cybercriminals.

Phishing e-mail delivery trends continue, with 2018 and the first six months of 2019 seeing few delivered over the weekend and the majority - over 32% - delivered on Mondays, presumably to exploit employee tiredness and the general urgency of Monday mornings. This then gradually drops off in frequency as the week progresses.

Popular phishing e-mail subjects are associated with food, diets, health, miracle cures and herbs; romance is another, of course, and financials - in the form of competition prizes - are all regulars. In addition, cybercriminals will exploit human disasters by latching onto charitable appeals for aid, with fake websites designed to look like the real ones. Every year these scams are highly profitable.

Malware

Improved attention to operating system patching has helped reduce the damage malware once caused to unpatched software. However, malware distribution continues to be an effective method when human interaction is engaged. Malware campaigns distributed in 2018 and 2019 that rely on users clicking web links or attached documents, or downloading macro-enabled documents, whilst ignoring security pop-up prompts, continue to prove very successful.

Social engineering

Social engineering remains a key strategy for cybercriminals. Convincing management and employees to ‘click’ requires work and knowing who to target. By focusing on finding the identities of those with access to the purse strings or special privileges and those with influence inside an organisation, it is quite easy to fake their identities and pass them off as real. In addition to these specific staff targets, criminals find ‘shared accounts’, where staff share a login, even easier to crack.

Fake domain names play a role in this kind of deception, where the criminal will marry up a known e-mail address to a very similar-looking domain. At first glance it will look like the real e-mail address, but it will not be. Watch out! Look at the e-mail address line very carefully. Some now use https:// URLs and SSL certificates to look convincing.

The use of what is called ‘spray and pray’ phishing techniques is being replaced by a new focus on attacking the ‘right people’ in an organisation for both phishing and malware distribution. The acronym ‘VAP’ (ie, very attacked people) is now used to describe this group.

Armed with e-mail addresses found on websites through trade association memberships, qualifications, and social media, where management and employees show off their details, it is relatively easy to build a phishing campaign. Using an almost identical domain name, sometimes served over an https:// address with an SSL certificate for added credibility, it is easy to then add the e-mail address. It may not be the same address, but early on a Monday morning or late on a Friday, it is easy to be caught out!
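The two passages above describe the same trick: a sender domain that differs from a trusted one by a swapped character, an extra hyphen or a look-alike glyph. The following is an added Python example, not part of the original article, of the kind of check a mail gateway or a help desk could run over incoming From: headers to flag such senders before a person has to spot the difference by eye. The trusted-domain list, the sample headers and the (deliberately small) confusable-character table are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Domains this organisation legitimately corresponds with (constructed sample list).
TRUSTED_DOMAINS = {"examplelaw.co.uk", "examplebank.com"}

# Character sequences that the eye reads as something else, mapped to what they
# look like. Assumed, deliberately small table; a production check would use a
# fuller list such as the Unicode confusables data.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("|", "l"),
    # Cyrillic letters that render identically to Latin ones
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def skeleton(domain: str) -> str:
    """Reduce a domain name to what it looks like at a glance."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as trusted, lookalike, unknown or malformed."""
    display_name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not domain:
        return "malformed"
    if domain in trusted:
        return "trusted"
    # A trusted address written into the display name over a different real address
    # is the same deception dressed up differently.
    if sender_domain(display_name) in trusted:
        return "lookalike"
    sk = skeleton(domain)
    for t in trusted:
        # Either it looks identical once confusables are folded, or it is one
        # keystroke away (an added hyphen, a swapped or dropped letter).
        if sk == skeleton(t) or edit_distance(domain, t) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers
    samples = [
        "Jane <jane@examplelaw.co.uk>",
        "Jane <jane@exarnplelaw.co.uk>",
        "Billing <billing@examplebank.corn>",
        "Jane <jane@example-law.co.uk>",
        "Jane <jane@ex\u0430mplelaw.co.uk>",
        '"jane@examplelaw.co.uk" <jane@unrelated.example>',
        "Bob <bob@unrelated.org>",
    ]
    for header in samples:
        print(f"{classify_sender(header):10s} {header}")
```

The check only compares against domains the organisation already knows, so it produces no noise for ordinary unknown correspondents; a "lookalike" verdict is the cue to quarantine the message or to show the recipient a warning banner rather than rely on a careful reading of the address line on a Monday morning.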

Humans behaving badly

Cybercrime is never the result of something that could not be prevented. Cybersecurity awareness is becoming the new trick to learn to protect businesses from phishing e-mails that lead to ransomware demands, hacking, malware downloads and the theft of Cloud login credentials.

The top cyber insurance claim cause for reported cyberattacks is ‘human error’ through phishing e-mails and/or social engineering scams. It seems we just cannot stop ‘clicking’ those links and attachments. Exploiting the human factor is almost second nature to cybercriminals, who continue to tempt employees to reveal sensitive information and to install unnecessary ‘updates’ offered through malicious page links.

Popular targets

Education, financial services, healthcare, legal services, manufacturing, and retail are all popular targets at the moment. Education, ie, schools and universities, is targeted for its relative lack of security. Cyberattack incidents, such as school bursars inadvertently handing over the login details to the school’s Cloud services, end up in costly claims.

House property sales are another favourite, simply because of the financial sums involved. Often a conveyancing solicitor will be targeted for their association with the property sale, and again hoodwinked into handing over Cloud or similar credentials to let the criminals in, usually without the victim’s knowledge. This can then lead on to sophisticated frauds, each with its own name, such as ‘man-in-the-middle fraud’, ‘business e-mail compromise fraud’, and the old favourite ‘funds transfer fraud’, each with its own acronym of course!

The human factor

Cybercrime statistics all blame human error for the vast majority of claims. The approach to a working day in the office must change to allow for the possibility of a cyberattack in all its forms: preparing for such an event gives business the best chance to avoid it.

Cybersecurity-awareness training continues to be the most undervalued way to protect an organisation from phishing e-mail attack. State-of-the-art online continuous cybersecurity awareness training platforms are popping up all over and slowly beginning to be noticed.


* Correct as at October 2019. Please note that the details presented in this glossary may, from time to time, be changed, updated or removed. It is advisable to double-check that the relevant acronym is still current before using this information.