You know how the story goes...
Two guys are out hiking in the forest when they notice that a bear begins charging at them. One of the guys pulls off his heavy hiking boots and begins tying on a pair of running shoes.
The other guy looks at him and says, “Don’t be silly, you’re not going to be able to outrun that bear!”
His friend looks back at him and says “I don’t have to be faster than the bear, I just have to be faster than you…”
This joke illustrates an important concept in information security. While there's almost no way to be completely invulnerable to cybercrime, if you make yourself a difficult enough target, the criminals are likely to move on to an easier one.
The most vulnerable resource in your organization is almost certainly your people. According to the 2018 Verizon Data Breach report, 91% of attacks were initiated with an email. Protecting your mail system and training your users to recognize potential threats will save your organization lots of time and stress.
Criminals no longer spam hundreds of thousands of email addresses with a message in broken English about their brother, a deceased scion of some wealthy organization, who needs to find a place to put his money. The bad guys are doing their homework. They research your organization and its members on social media, websites, and even over the phone or in person. By the time they send a crafted message to principals within your company, they've taken the time to make it very believable.
Recognizing and ignoring (or better yet, reporting) potentially malicious emails may be the most important skill you can give your employees, and it may be the last thing that saves you from a breach. Phishing messages today may carry malicious attachments, malicious links, or instructions to call a fraudulent tech support number. They might do a very good job of impersonating an important person inside your company, such as the CEO or CFO, in order to get you to initiate a wire transfer of funds.
As an information security engineer, I’ve seen lots of phishing and malicious email examples. In some cases, I can’t believe someone would fall for them, and in other cases, I have to spend a few minutes digging around in order to figure out how not to fall for them myself.
Written by Jeff Murphy, Security Engineer