Say goodbye to the weakest link in cyber security
While most businesses invest considerable time, effort and money on technologies designed to protect their networks and systems against cyber attacks, the weakest link in the security equation – every employee with access to the network – is frequently neglected.
That’s the view of Tanya Oosthuizen, CEO at telecommunications service provider VL Telecom, who points out that cyber criminals continuously exploit basic human frailties in sophisticated social engineering attacks that are designed to give them access to corporate data and networks.
And the problem is particularly acute in South Africa.
The 2021 Mimecast State of Email Security Report, based on a survey conducted in February and March this year of 1 225 IT and cyber security professionals from 10 countries including South Africa, revealed that e-mail threats had increased by 64% in the past year. In addition, since the onset of the coronavirus pandemic, employees have been clicking on three times as many malicious e-mails as they had before.
Of the South African respondents, more than half (52%) viewed the lack of cyber sophistication among employees as a major threat to their companies’ security, compared with 43% globally. However, only 46% reported having conducted cyber security awareness training of their employees and those that had, had done so only sporadically.
According to Oosthuizen, there are many different types of e-mail-based attacks, the most common of which is phishing – targeted e-mails that trick employees into clicking on a malicious link or attachment.
While many phishing attacks are fairly crude, a growing proportion are extremely sophisticated, often involving ‘spoof’ mails that make use of a company’s brand so as to deceive recipients not only into opening malicious links and attachments, but possibly also into revealing their log-in credentials.
“Unaware and untrained employees are the weakest link in any cyber security set-up. The only way to defend against attacks that target employees is to train them to always think first before clicking on any link or attachment, regardless of how innocuous it may seem. Effectively, companies need to turn their employees into a human firewall,” she explains.
However, according to Oosthuizen, this is easier said than done. Developing and implementing a sound security policy; providing employees with information about the dangers of phishing, spoof and other malicious e-mails; and constantly reinforcing the message with posters and other display materials will help but will not go far enough.
“Cyber criminals are becoming increasingly sophisticated. Employees need hands-on exposure to the kinds of scams they could fall prey to. They need to learn from their mistakes – but in a safe and non-judgmental environment,” she adds.
VL Telecom has partnered with KnowBe4, one of the world’s largest and most popular security awareness training providers, to offer integrated security awareness training to organisations across the Middle East and Africa, including South Africa. Training materials are available in 34 languages including English, French, Portuguese, Swahili, Arabic and Hebrew.
“It’s important to know just how effective any training provided is. For this reason, we recommend that organisations start with baseline testing using simulated phishing, vishing (voice phishing) and smishing (SMS phishing) to assess just how phish-prone employees are. Then, once users have been trained, the assessment can be repeated to evaluate their progress,” Oosthuizen says.
The training itself draws on the world’s largest library of security awareness training content, including five-, 15-, 25- and 45-minute interactive modules, videos and games, as well as posters and newsletters.
In addition, employees are exposed to automated, simulated phishing, vishing and smishing attacks that can be tailored for the organisation’s specific environment. These phishing security tests can be scheduled at regular intervals to keep employees on their toes. A phish alert button can also be integrated into the organisation’s e-mail program so that employees can quickly and easily log suspicious e-mails.
“The training platform also delivers executive and enterprise-strength reporting to give visibility into the organisation’s security awareness performance along with the ability to identify risk at the individual employee, group and organisational level. This enables organisations to make data-driven decisions about their entire security awareness plan,” Oosthuizen concludes.