IT Security

Are my staff the company’s biggest security weakness?

20/07/22

A controversial but important question all businesses should be asking. Resolve’s Technical Specialist Craig explains why…

Companies under attack

More and more organisations both big and small are awakening to the very real threat of cyber attacks, especially now that ever-more sophisticated and destructive attacks are making global headlines year after year.

Find out how to make your workforce aware of security risks with our 'transforming worst practices' whitepaper

Organisations from all sectors are falling victim to large-scale ransomware attacks or successful phishing attempts; having to shell out thousands to recover encrypted data or mistakenly paying a supplier invoice into an attacker’s bank account.

Our Biggest Weakness

Quite often, the large majority of an organisation's cyber security budget is spent implementing protections based on technology. Things such as Anti-virus, Firewalls, VPN Appliances, 2FA solutions, etc. All whilst seemingly neglecting the biggest weakness of all…people.

People are an integral part of every organisation. However, as people, we are creatures of habit. In some ways this is great, it allows us to focus our attention on the things that matter to us. However, sometimes we fall foul of that nature when it matters the most.

Another typical Monday…

It’s a typical Monday afternoon and you receive a seemingly benign email from a supplier asking you to make an expected payment for previous services, but this time into a different bank account as they are having internal system difficulties.

As you were expecting a payment request from this supplier, you think nothing of the change of details and pay the invoice as requested (they have explained the situation after all).

A few hours later, you receive a legitimate email from the same supplier requesting payment of the same invoice. Except that this time, it has the bank details you would ordinarily expect and does not mention the internal system issues.

IT Disaster

Unbeknown to you, a malicious actor has been monitoring your email and struck with perfect timing to dupe you into following your habitual instinct, paying the invoice as requested.

Would your organisation fall victim to this type of attack?

What processes do you have in place that would stop this type of attack from being successful in your organisation? Even the biggest of global organisations are falling victim and for staggering amounts of money too.

This technique, known as social engineering, exploits our trusting nature as people and tricks us into doing things that we recognise enough not to be suspicious of, but leads to an unintended error such as paying the wrong person or unintentionally exposing confidential information.

So what can be done to dispel IT security disasters like this?

Unlike the complex world of IT security, the answer is a simple one - diligence. Most attempts to exploit us can be thwarted at the first step. We must be aware of our exploitable nature and when there are risks involved, we must take a step back and evaluate our actions to ensure everything is as it seems. The below four steps are a good way to keep on top of potential disasters…  

1. Verify the source

Ensure you can confidently verify the source of every request, especially faceless requests via email or over the phone. If you are unsure, always double-check and request confirmation from the requesting party.

As people, it is our responsibility to remain vigilant. We are the first line of defence in protecting our organisational secrets and data, but we can also be a yellow brick road leading directly to the prize. That usually being money or data.

2. Question everything

A contact that has changed a process without previously notifying you should always sound your internal alarm bells. There is absolutely no harm in questioning things that don’t seem right, after all as the old saying goes ‘better safe than sorry’. If something seems unusual, be the person to intervene and request a different method of contact for confirmation. Received a request via email? Give them a call to confirm it is legitimate. It may seem trivial, yet being suspicious of all requests, particularly requests that have a sense of urgency attached, is a sure-fire way to keep yourself, your organisation and your customers protected against social engineering.

3. Be risk-aware

By being aware of the risks out there, and keeping up to speed on the latest scams, you are essentially minimising your risk of falling foul to an IT security disaster, as you will be more confident and knowledgeable on what to watch out for. We regularly post about the latest scams on our blogs, social media and company newsletter by means of educating our audience, and the latest big scams and hacking techniques also tend to feature in the national news on a regular basis too.

4. Break the cycle

Changing your own (and your employees) habits and instincts may seem like a huge challenge, yet with the right training, attention and repetition, being vigilant will soon become second nature, just like it is to brush your teeth in a morning, or lock the door when you leave the house. For some additional pointers in the right direction, be sure to check out our whitepaper on How to Transform Employee Worst Practices into Enterprise Best Practices'.

Got any questions on the above? Be sure to throw them our way. Our aim is to inform, educate and satisfy your IT security needs, so if there is anything else you should wish to know we will try our upmost to provide the answers!

let's start the ball rolling

Fill in the form or use the contact details below and we’ll get our expert team to put together a package that’s personal to your business.

hello@resolve.co.uk
0114 299 4050