One of the findings in Verizon’s most recent Data Breach Report is that stolen credentials are the root cause of data breaches 80% of the time. The most common attack vector of cyber criminals for stealing user credentials is phishing: A targeted campaign of e-mails designed to fool users into surrendering their network login credentials or opening malicious software. These e-mails simulate legitimate communications that users sometimes see including password resets, surveys, and Excel attachments. Once a user opens a malicious attachment or enters their credentials, the network has most likely been compromised.
While most e-mail filters are very adept at catching these and deleting them prior to reaching a recipient’s inbox, some still make it through. Cyber thieves are continuously honing their tactics and e-mail structure to appear authentic and trick e-mail filters into believing they are real. Once a malicious e-mail reaches a recipient’s inbox, they are one of the last lines of defense.
Many organizations do not have a cybersecurity awareness program in place to ensure that employees and contractors are educated about cybersecurity threats, their role in preventing attacks, and how to recognize a malicious e-mail. Most also do not have measurable data about employee diligence when confronted by a phishing campaign. These two elements are essential to an effective cybersecurity strategy but are often overlooked in preference of traditional preventative security measures (firewalls, anti-virus, vulnerability scans, etc.). Preventative measures, however, can only go so far: Once those layers of defense have been breached (especially by a phishing campaign), employee diligence is all that stands between the hacker and your network.
We highly recommend that organizations perform employee and contractor cybersecurity awareness training, both as part of onboarding and on an annual basis. Additionally, periodic phishing simulations should be performed to assess employee diligence and to further educate them on the risks of opening suspicious e-mails. Schneider Downs offers both of these services and has found them to be highly effective in reducing (or eliminating) malicious e-mail infections. Prior to training we find that users open targeted phishing e-mails at a rate of 15% or greater. Once users have been trained that rate drops to almost zero.
Our technology professionals can help you craft a cybersecurity awareness training program (and deliver it if desired) and assess the security posture of your organization through phishing campaign simulations and network security assessments. Such efforts will go a long way in preventing data breaches. For more information on how to properly manage cybersecurity risks and network security, please contact Chris Debo of Schneider Downs by phone at 614-586-7108.