When spear-phishing and ransomware get into the mainstream media perhaps people across the country will take awareness training more seriously.
That’s the hope after CBC News reported this morning that Canadian companies are victims of an increasing number of sophisticated cyber scams. No numbers are cited, in part because no central agency collects reports from police and financial institutions. And because of under-reporting, authorities probably don’t know the half of it.
CBC quoted an unidentified woman who worked for an investment company falling for the scam of an email purportedly from a co-worker with a voicemail attachment. The attachment was ransomware that froze her computer and demanded $600 or files would be destroyed. Presumably the files weren’t backed up because the company paid.
There are two vital lessons in all this: First, victim organizations shouldn’t have to pay extortion if they have proper backup procedures. That means CISOs have to understand their organization’s business processes to see which people and systems are vulnerable. Second, all employees need regular awareness training to treat email as if it is a hot stove — use it, but slowly.
Staff — particularly those in IT and in sensitive managerial positions where they alone have the authority to forward money without a counter-signature — have to understand that email and voice communications must be examined carefully before opening attachments or following instructions. This means regular — more than once a year — awareness training.
Want to get an early start? Earlier in the year Intel Security circulated this quiz, which should be passed around to help people learn what to look for and whether their skills are up to the task. The graphic below offers some pointers, and below that are eight do’s and don’ts.
Do:
– Keep your security software and browsers up to date
– Hover over links to identify obvious fakes
– Take your time and inspect e-mails for obvious red flags (e.g. misspelled words, incorrect URL domains, unprofessional and suspicious visuals)
– Instead of clicking on a link provided in an e-mail, visit the website of the company that allegedly sent the e-mail
Don’t:
– Click on any links in an e-mail sent from unknown or suspicious senders
– Send an e-mail that looks suspicious to friends or family, as this could spread a phishing attack to unsuspecting loved ones
– Download content that your browser or security software alerts you may be malicious
– Give away personal information like your credit card number, home address, or social security number to a site or e-mail address you think may be suspicious
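The “hover over links” and “incorrect URL domains” pointers above amount to one check: does the address the link text shows you match the address it actually goes to? The script below is an added example (not from the CBC report or the Intel Security quiz) that performs that check over an HTML e-mail body, the way a mail-gateway filter or a training tool might. The e-mail body and all domain names in it are constructed for the example, and the registrable-domain helper is a deliberately crude last-two-labels approximation (an assumption made so the script runs offline without a public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the article). The first link shows one
# domain in its visible text while its href points at an unrelated host; the second
# link is honest; the third is plain words and cannot be compared.
SAMPLE_EMAIL_HTML = """
<p>Your voicemail is waiting. Listen here:
<a href="http://login.example-bank.com.attacker-host.invalid/vm">https://www.example-bank.com/voicemail</a></p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.</p>
<p>Team <a href="https://mail.example-bank.com/inbox">Inbox</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels.

    Assumption: no public-suffix list is available offline, so multi-label
    suffixes such as co.uk are not handled correctly here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_text(text):
    """Return the hostname if the visible link text looks like a URL or hostname, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host):
        return host
    return None


def find_mismatched_links(html):
    """Return the links whose visible text names a different registrable domain than the href.

    This is the automated form of 'hover over the link and compare' from the do's list.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = domain_of_text(text)
        if shown_host is None:
            continue  # anchor text like "Inbox" shows no address, so there is nothing to compare
        if registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text shows {f['shown']} but points to {f['actual']} ({f['href']})")
```

Only links whose visible text itself looks like an address are compared; a link labelled “Inbox” or “Listen here” gives the reader no domain to check against, which is exactly why the do’s list says to type the company’s address into the browser rather than trust the link at all.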