Are you in the 25%In August of 2018, a company named MediaPRO published a report entitled 2018 State of Privacy and Security Awareness Report. This was their third year doing a study on security awareness across various industries. The study involved 1,024 employees and rated them as either RISK, NOVICE, or HERO based on how well they were able to identify security issues. The sad news from this study was 2018 results were worse than 2017 results. 75% were rated RISK or NOVICE, which meant that these employees were prone to behavior that put their companies at risk. Some other bullet points:Finance sector employees performed the worst.Management level and above showed riskier behaviors than lower level employees.26% made poor decisions involving social media. ( e.g. sharing details of an unreleased product or other company confidential information)14% could not recognize phishing emails.Let's examine these points and see why they are worth some attention.Finance sector employees performed the worst. Finance is where the money is, so that is of special interest to crooks. If your employees handle money for your business, they are targets for scams, phishing, and other attacks. Do they know how to identify bad emails? Do they know what to do if they suspect they have been compromised? Statistics indicate that this needs some work, especially for this business sector.Management level and above showed riskier behaviors than lower level employees. This is troubling because these people are typically able to access larger amounts of money and are usually the ones that can authorize wire transfers. Business Email Compromise (BEC) attacks are harder to recognize and thus are more effective and more expensive when successful. These employees are usually responsible for training lower level employees and thus may be teaching bad habits or not training at all. Either option is bad.26% made poor decisions involving social media. This article points out that 1 in 5 businesses with an active social media presence has been infected in some fashion. There are a variety of risks from social media attacks but since social media is such an integral part of many people's lives, they aren't looking at it as a threat vector. Exposing personal information is an issue as it allows more effective phishing attacks but it can also be damaging to the business. Revealing company confidential information could result in financial loss to the company or even violate the law. At the very least it could reveal information that phishers could use to more effectively attack the company. Do you have a policy that provides guidance on social media posts?14% could not recognize phishing emails. This should speak for itself. 14 % is not a large number but if only one person opens an email with ransomware you have a big problem. Phishing emails used to be clumsy affairs that only the most gullible would fall for. When I do security awareness training we always go over how to look at the URL for the link to see if it is questionable or not. For example, https://server.microsoft-com.ru is not a link you want to click on. But what about https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/? Is windows(dot)net a valid domain? Actually, it is but you can't trust it not to be malicious. This article outlines how phishers are using Azure servers to host landing pages that are fraudulent. Unfortunately, this tactic gives them a valid domain (windows.net) and even a valid Microsoft certificate (thus the https:// ). This makes it very difficult to decide on the validity of the web page solely by URL or certificate. The user would have to know what the real domain should be (outlook.com; live.com; Microsoft.com) and this requires training.As you can see, getting to be a HERO when it comes to security can be challenging. Users will seldom get there without training and the consequences of them being NOVICE or RISK level users can be disastrous for your company. There are a lot of bad actors out there just looking for a way to get some easy money. Don't contribute to their cause.
