Petya and cybercrime: don’t learn the hard way with phishing emails
There are some hard lessons to be learnt by falling for phishing emails, but they can be avoided by putting some basic measures in place, explains Stephen Burke, CEO of Enterprise Ireland company, Cyber Risk Aware…
FX-MM caught up with Cyber Risk Aware (an Enterprise Ireland company) in the wake of the recent Petya ransomware attack to find out what firms can do to ensure their systems remain as safe as possible.
How can organisations get ahead of the hackers in terms of knowing where their systems are vulnerable? For example, if cyber attackers know which versions of operating systems leave networks vulnerable, why don’t organisations also have that knowledge?
There are several ways in which a company can understand the vulnerabilities that exist in their environment. Vulnerability Assessment is a common approach, whereby internal IT or security teams regularly scan their internal network (monthly) to identify if any known vulnerabilities exist in their applications or systems so they can then be patched. Tools such as Nessus, Qualys and others are relatively inexpensive and easy to set up.
Companies should also scan their public-facing network points, but it is strongly advised they get a specialist security company to conduct an annual network penetration test to see if they can find any weaknesses which could be exploited and provide remote network access to cyber criminals. These are well-known activities, and companies who don’t employ these activities are taking a very big risk and will not be in a defensible position if asked to respond to tough questions after a security incident occurs.
How can organisations close the knowledge gap between themselves and attackers?
IT security teams need to be seen as providing a helping hand to staff. This can be achieved in a number of ways, such as using a think tank approach to create a security awareness culture in a company. It can also regularly deliver simulated phishing emails and provide practical and brief security awareness content that is useful both at home and in the workplace.
A think tank approach means that not only should the IT security team be talking about and promoting IT security across the company, but every department and employee should consider security in all that they do. This can include being in a team meeting talking about how to send and receive data from a third party, or whilst working on a new development project.
In terms of a security awareness training campaign, the content of this should offer practical tips for staff on how to detect phishing emails, protect data and create strong passwords, as well as use social media and the internet safely.
To what extent is an organisation’s vulnerability to cyberattacks down to complacency? A recent survey showed that UK firms may be overconfident in their cybersecurity measures.
Organisations whose credentials are highly sought after by cybercriminals should be employing very strict passwords and using two-factor authentication. This, however, is sometimes not achieved due to the perception that it impacts on the ability to complete the daily tasks of the business. Many staff believe that it is not their responsibility to ensure that safety measures are in place, or that their anti-virus programs and firewalls offer them sufficient protection.
This fosters a climate where opening phishing emails and clicking on suspect links or attachments becomes the norm. C-Suite workers can also cause difficulties by putting pressure on staff to permit access to websites or by storing sensitive data on a laptop with no encryption/backup.
How can organisations instil honesty and responsibility in staff when it comes to being cautious with phishing emails?
It is very important that security teams run monthly mock phishing tests on their staff to measure their susceptibility to phishing techniques. They can also provide an easy-to-use mechanism for staff to report actual or suspected emails to the security team and track the results. Staff should then be acknowledged for having done this. Equally important, though, is for members of staff to be given instant feedback if they do fail these tests, and to be provided with tips on how to spot phishing attacks and what their overall effect on an organisation is. We have seen this as having a deterrent effect, with a 20% reduction in risk first time round.
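The answer above describes measuring staff susceptibility across repeated mock phishing campaigns and tracking who reports suspicious emails. The following is an added example, not code from the article or from Cyber Risk Aware, showing how a security team might compute those numbers from its own simulation records: per-campaign click rate and report rate, the relative reduction in click rate between two campaigns, and the list of users who clicked in more than one campaign and so need targeted feedback. The event format, campaign names and user ids are constructed sample data, not figures from the interview.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SimEvent:
    """One recipient's outcome in one simulated-phishing campaign (assumed record layout)."""
    campaign: str   # campaign label, e.g. "2017-05"
    user: str       # recipient identifier
    clicked: bool   # followed the simulated link / opened the attachment
    reported: bool  # used the report-phishing mechanism


def _build(campaign: str, users: Iterable[str], clicked: set, reported: set) -> List[SimEvent]:
    """Helper to construct one campaign's events from the sets of users who clicked / reported."""
    return [SimEvent(campaign, u, u in clicked, u in reported) for u in users]


# Constructed sample data: ten staff, two monthly campaigns.
USERS = [f"u{n:02d}" for n in range(1, 11)]
SAMPLE_EVENTS = (
    _build("2017-05", USERS, clicked={"u01", "u02", "u03", "u04", "u05"}, reported={"u06", "u07"})
    + _build("2017-06", USERS, clicked={"u01", "u02", "u08", "u09"}, reported={"u03", "u04", "u05", "u06", "u07"})
)


def campaign_metrics(events: Iterable[SimEvent]) -> Dict[str, Dict[str, float]]:
    """Return per-campaign sent count, click rate and report rate (rates in 0..1)."""
    sent: Dict[str, int] = defaultdict(int)
    clicks: Dict[str, int] = defaultdict(int)
    reports: Dict[str, int] = defaultdict(int)
    for e in events:
        sent[e.campaign] += 1
        clicks[e.campaign] += int(e.clicked)
        reports[e.campaign] += int(e.reported)
    return {
        c: {
            "sent": sent[c],
            "click_rate": clicks[c] / sent[c],
            "report_rate": reports[c] / sent[c],
        }
        for c in sent
    }


def click_rate_reduction(metrics: Dict[str, Dict[str, float]], earlier: str, later: str) -> float:
    """Relative drop in click rate from one campaign to the next (0.2 means a 20% reduction)."""
    before = metrics[earlier]["click_rate"]
    after = metrics[later]["click_rate"]
    if before == 0:
        return 0.0  # nothing to reduce from; avoid division by zero
    return (before - after) / before


def repeat_clickers(events: Iterable[SimEvent], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least `min_clicks` campaigns; candidates for direct feedback."""
    per_user: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.clicked:
            per_user[e.user].add(e.campaign)
    return sorted(u for u, camps in per_user.items() if len(camps) >= min_clicks)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for name, row in sorted(m.items()):
        print(f"{name}: sent={row['sent']} click={row['click_rate']:.0%} report={row['report_rate']:.0%}")
    print(f"click-rate reduction: {click_rate_reduction(m, '2017-05', '2017-06'):.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Report rate is tracked alongside click rate because a rising report rate is the signal that the reporting mechanism and the acknowledgement of reporters are working; click rate alone hides that improvement.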
The first half of 2017 has seen two major ransomware attacks – will the threat continue to grow in the remainder of the year?
Recent cyberattacks, such as those instigated by North Korea against multinational conglomerate Sony, have shown that this is a problem not just among organisations, but also governments and countries. Ransomware attacks are indeed expected to quadruple this year as they are so lucrative for cybercriminals. Malware is increasingly being used as a service in what are known as ‘Crimepacks’. They are incredibly difficult to track down and organisations should remain vigilant over the coming years.