Special feature from SOFTimpact Ltd, JLT’s Cyber Consortium Partner
People who have attended one of our many international presentations on maritime cyber security will have heard us talk about the “Human Element” and demonstrate weaknesses in commonly used technologies such as email, Wi-Fi and USB. Email phishing attacks are on the rise and could compromise your company.
STAFF ARE THE WEAKEST PART OF YOUR SECURITY
Thinking back to medieval times, key members of communities would live in secure structures like castles. These safe-havens would provide protection in times of uncertainty and against potential attack. A castle, by design, was a difficult structure to penetrate. Even with large numbers it would be a significant challenge to breach the walls and gain entry.
A far easier way of gaining entry would be to find an individual already on the inside or with access who might be persuaded or bribed to open the gate. In this way you would save time, effort and resources.
Apply this to cyber security. Today’s firewalls are sophisticated, regularly updated and very hard to penetrate, so why would an attacker keep hammering at them? By targeting employees instead they have a much softer target: someone who may already have access to the data they are after, and who can be tricked into opening the gate for them.
The majority of employees these days have corporate email accounts. They receive an ever-increasing volume of email from a variety of sources such as suppliers, customers, mailing lists and other legitimate senders. This has led to inbox “overload”, with employees answering emails as quickly as possible, skimming the contents and clicking links to access systems or the latest news.
Attackers are aware of this “overload”, and it is one reason phishing attacks keep increasing. In a phishing attack the attacker sends employees emails formatted and disguised to look like those from legitimate sources, with the aim of tricking them into clicking a link, opening an attachment or handing over their system login credentials.
ONE CLICK TO BANKRUPTCY
Did you know that once a phishing email reaches an employee, in some cases (where the email client has an unpatched vulnerability) simply opening it is enough to infect the machine? More commonly, clicking an “infected” link or attachment runs the attacker’s code on that PC. Because the resulting connection is started from inside the network, the corporate firewall offers little protection, and the attacker gains not only that machine but potentially every system it can reach: other PCs, servers, databases, files and folders, and the confidential data stored on that network, through a technique known as “pivoting”.
CAN TECHNOLOGY SOLVE THE PROBLEM?
If set up correctly, today’s firewalls and mail gateways can stop much spam and many virus-laden emails. However, email itself was designed simply as a working message-delivery system; little thought was given to the security problems the internet later created. The sender address on an email, for example, can be written by anyone, and the later add-ons that address this (SPF, DKIM and DMARC) only help where both sender and receiver have deployed them, and do nothing against a lookalike domain or a genuine account that has been compromised. It has therefore become increasingly easy to bypass such security, with a growing risk of ‘hostile’ emails being opened on employees’ desktops.
EDUCATION AND KNOWING WHAT TO LOOK FOR
Since technology alone cannot protect your company, your next best defence is to ensure your employees are “cyber aware” and know what to look for when they receive such emails: a sender address that does not match the display name or that uses a lookalike domain, a link whose real destination (shown on hover) differs from its text, a reply address that points somewhere else, an unexpected attachment, and an urgent request to log in or to change payment details. Staff should not click links or open attachments from unknown or unverified sources, and should confirm unusual requests through a separate channel such as a phone call.
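The indicators staff are told to look for can also be checked mechanically. The following added example (written for this page, not SOFTimpact’s code or service) parses a raw email and flags a display name that contains a different address from the real sender, a sender or link domain that imitates a trusted one, a Reply-To that points elsewhere, and link text whose host differs from the link’s real destination. The trusted domain and both sample messages are constructed for the example.

```python
"""Added example: flag the classic phishing indicators in a raw email."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the company domain that staff are trained to trust.
TRUSTED_DOMAINS = {"example-shipping.com"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+\.\w+)")
HOSTLIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def edit_distance(a, b):
    """Levenshtein distance; catches examp1e-/exampel- style near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when domain imitates a trusted domain without being one (or a subdomain of one)."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # trusted name buried inside an unrelated domain, or a near-miss spelling
        if trusted in domain or domain.split(".")[0].startswith(brand):
            return True
        if edit_distance(domain, trusted) <= 2:
            return True
    return False


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_email):
    """Return a list of (indicator, detail) tuples; an empty list means nothing was found."""
    msg = message_from_string(raw_email)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. an address written into the display name that is not the real sender
    m = ADDR_RE.search(display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append(("display-name-mismatch", f"{m.group(1)} vs {from_domain}"))
    # 2. the real sender domain imitates a trusted one
    if from_domain and is_lookalike(from_domain):
        findings.append(("lookalike-sender", from_domain))
    # 3. replies silently go somewhere other than the apparent sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(("reply-to-differs", reply.rsplit("@", 1)[-1]))
    # 4. links whose visible text names a different host from the real destination
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _Links()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.links:
            real = _host(href)
            if HOSTLIKE_RE.fullmatch(text) and _host(text) != real:
                findings.append(("link-text-mismatch", f"{_host(text)} -> {real}"))
            if real and is_lookalike(real):
                findings.append(("lookalike-link", real))
    return findings


# Constructed sample messages (no real organisation or domain is referenced).
SAMPLE_PHISH = """\
From: "Ops Desk (ops@example-shipping.com)" <ops@examp1e-shipping.com>
Reply-To: ops-desk@mail-relay-4471.net
To: master@example-shipping.com
Subject: Port agent invoice - action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm the disbursement account at
<a href="http://example-shipping.com.portal-login.net/da">https://portal.example-shipping.com</a>
before the vessel arrives.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Ops Desk" <ops@example-shipping.com>
To: master@example-shipping.com
Subject: Port agent invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>The disbursement account is now on
<a href="https://portal.example-shipping.com/da">the portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

Run as a script it prints five findings for the constructed phishing message and none for the legitimate one. The checks are deliberately the same ones a trained employee makes by eye; they are a screening aid, not a replacement for mail-gateway filtering or for staff awareness, and a lookalike list this simple will both miss some domains and flag some legitimate ones.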
This can be done via many methods including video training, interactive classroom based sessions, placing awareness posters in key locations around the building and periodically sending out relevant information on threats to your company.
A good way to find out your current cyber awareness level is to test your company with “simulated” phishing attacks. These replicate what the “bad guys” would do, but without the damage or after-effects.
PHISHING SIMULATION - FREE TRIAL
SOFTimpact has created a maritime phishing simulation service which allows your company to proactively test its employees’ behaviour by sending carefully crafted emails on a regular basis.
By focusing the service only on maritime, all the emails and websites linked to these are formulated to look and feel the same as legitimate maritime sites.
Once a campaign is completed you will receive a report detailing who opened an email, clicked a link and even who provided usernames and passwords.
This allows those employees to be retrained, so that they continue to play their part in keeping your company secure.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org