When putting a cybersecurity strategy in place, the emphasis for SMEs is often on tools and technologies that can deter hackers and prevent an attack from happening. These are certainly important, and while every security plan should include multiple layers of defense, those measures can quickly become redundant if staff aren’t being empowered to stay on top of new threats and embrace a ‘zero trust’ way of thinking – especially when you consider that human error still accounts for more than 80% of breaches.
But at a time when budget and resources are constrained, how can businesses ensure that training is effective? And what are some of the latest threats that employees should be made aware of in those sessions? Here, Richard Nelson outlines some of the latest tactics hackers are deploying, and the steps organizations can take to mitigate threats and prevent staff from feeling out of their depth.
Richard Nelson is a Senior Technical Consultant at technology company Probrand.
1. Cryptocurrency mining attacks
In recent months, we’ve seen a big increase in hackers exploiting a weakness in an organization's system to obtain access to their cloud infrastructure and illegally mine for crypto coins. The process of mining for coins requires huge computing power and hackers are breaking into accounts that businesses have with AWS, Google Cloud and Microsoft Azure for example, and hijacking their computing power to rack up huge bills. One of the reasons that cryptocurrency mining attacks are so successful is because hackers can do this virtually undetected, with many businesses only realizing they’ve been compromised when they receive an enormous bill at the end of the month.
To access the system, hackers will often target admin accounts. Those with info@ or admin type email addresses often don’t have the same defences and authentication measures in place as those of the financial director or CEO because they’re not seen as high risk enough. They’re also the type of accounts that multiple teams may need access to, and the annoyance of not being able to log into the account if a team member is on holiday means that measures like multi-factor authentication often aren’t put in place despite being simple to set up (all you need is a smartphone).
2. MFA fatigue attacks
Cybersecurity is all about implementing multiple defenses that act as a barrier should one fail. And yet for staff, these can sometimes feel an extra hurdle, a few extra clicks that makes the task they’re completing that bit longer. Multifactor authentication is one such measure that requires users to complete two or more steps – entering a password, as well as a one-time code (sent to a mobile device or email address) to verify a login attempt. In many cases, the natural instinct is to click on whatever push notification has appeared and approve it without much scrutiny in order to make it go away.
Hackers know this and are exploiting that behaviour to gain access to an account or device. The attacker will spam users and bombard them with push notifications that appear to be genuine but are in fact fraudulent. Employees accept because they’re either overwhelmed or distracted or think that it’s a glitch that means a verification code has accidentally been sent multiple times.
3. Don’t let a phishing attack hook you in
Phishing is not a new threat by any means but it does remain one of the most effective for hackers – of the 39% of UK businesses that reported a cyber-attack in 2022, phishing attempts were still the most common (83%). This sophisticated method targets senior executives and decision makers to access financial information such as credit card details, bank account numbers and passwords. Phishers will often try to gather some initial information about that employee or company to make it appear as though they are a trusted and recognized source. This includes creating identical email footers and logos, which hackers will often access by compromising your device – or the device of someone that you have emailed before.
One easy ‘win’ that can be flagged to staff in training is scrutinizing the address that an email has been sent from. These requests for sensitive information or monetary transfers are sent from what appears to be a recognized email address. However, when targeted recipients click on the email address to inspect it, they’ll often see that it’s completely different.
Putting a sender policy framework in place is a good way to help employees to validate incoming emails by checking that the domain comes from a host authorized by the same domain’s administrators – making it much more difficult for changes in email addresses to go unnoticed.
As well as keeping on top of new and unchanged threats, it’s important that any training session is delivered in a way that will be engaging and effective. One technique that can help to prepare employees for common exploits is running simulated attacks. This might involve sending spoof emails with dodgy links or push notifications for example, to see how employees react. This isn’t about catching people out – instead it helps you to pinpoint any weak spots, which is an effective way to identify the areas where employees may need additional support.
It’s also important to include the leadership team in these sessions – and to ensure that they are dedicating time to some of the practical aspects involved. All heads of departments should sit down regularly and play out a scenario that looks at what happens if the worst happens, and you’re subject to a breach. Where are the numbers saved that you need to call? What do you instruct staff to do? What does customer communication look like? Much like a fire drill, this ensures that you can minimize the damage.
For smaller businesses, it may seem difficult to justify investment in security defences and training for an attack that hasn’t yet happened. But the alternative is much more devastating. By empowering staff to embrace a ‘zero trust’ mindset – one where a breach is assumed – businesses can create a culture that is prevention, not cure.
