Employee Security Awareness Training is Critical to Prevent and Manage Data Breaches
In an age where most breaches begin with social attacks, Security Awareness Training is critical to keeping your organization safe. According to Verizon’s 2018 Data Breach Investigations Report, “phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).” That represents a major vulnerability in organizations regardless of how much technology they have in place. According to Verizon, 22% of recipients click on phishing links in emails. In other words, if five of your employees receive a phishing email, one of them is probably going to click it. It only takes one click to cause a data breach.
Verizon opted to separate banking Trojan botnets out from the report on social attacks, leaving us with a list of top targets that are not all that surprising considering the functions of the industries, their general lack of security, and their siloed departments. The top three industries that suffered from social breaches were Public with 92 breaches, Healthcare with 62, and Education with 61.
The problem doesn’t end with those who click the links, either. It turns out that only 17% of employees report seeing a phishing attack, and almost none of those reports come from the employees who were successfully phished. Timing is everything when it comes to a breach, and with such a low report rate an organization can have serious problems before it becomes aware of them, especially when we consider the damage done by ransomware.
Of all the types of malware, ransomware is the most prolific, and its popularity is easily explained. It is completely opportunistic: it can attack any home user personally, or it can attack an organization, and it can also be targeted at your specific organization. Because of the way ransomware works, the attacker can hide the server on the dark web for anonymity and collect the ransom in Bitcoin for an anonymous transfer of money to release the lock on the files. There is no need to worry about how to monetize the data, as there is with something like a credit card breach; people simply pay to decrypt their files. When the victim is an organization, the ransomware spreads through the network, increasing the damage and therefore increasing the ransom demand.
Once a user clicks a malicious email link and gets infected, the ransomware moves laterally through the organization, damaging more files, and last year saw an increase in servers and databases being affected. Ransomware isn’t the only thing to worry about when it comes to malware; botnets can cost you plenty.
Botnets are responsible for 43,000 breaches in which user credentials were stolen by the botnet. Additionally, botnets are difficult to detect and remove: most remain on the network for 100 days, and for organizations without early detection and a team ready to combat the threat, they can stay in your environment for 300 days or longer.
With about 92% of malware attacks coming through email, your employees need to be vigilant in their watch for suspicious activity.
Training is critical to help prevent an attack and to reduce response time once a threat appears. Proper training of end users as well as responders can go a long way toward keeping the cost of a breach low. Training can come in several forms, and you need to decide which methods will benefit your organization. Shades of Gray Security can help by assessing your organizational needs and determining a proper program, including training and effectiveness testing.