For any business computer connected to the Internet, it’s not a matter of if but when it will come under attack. Cyber attacks today cost companies an average of $2.6 million per incident! The silver lining of these recent breaches is that businesses are starting to realize that they can’t afford to ignore security. But, incorporating cybersecurity as a priority into an organization’s everyday practices requires a cultural shift. A culture of cybersecurity develops from an awareness invoked by education.
A big topic of discussion among cybersecurity experts at the recent PCI Security Standards Council Payment Security Forum in Vancouver was that phishing and social engineering attacks are increasingly at the heart of today’s most serious cyber hacks, which put businesses and consumers at risk. In fact, every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally ‒ 16 million of which circumvent spam filters ‒ resulting in 8 million scam emails being opened. Cybercriminals target organizations using specially crafted, seemingly legitimate-looking emails and social media messages designed to trick employees into providing confidential data that can be used for fraud. Thirteen percent of the annual cybercrime cost globally for companies is due to phishing and social engineering.
The good news is that with a few security basics and ongoing vigilance, businesses can be aware and defend against these attacks. According to Ponemon, training that helps employees spot phishing attacks and other related threats could help cut down costs by nearly $2 million! Let’s look at a few key tips on protecting against social engineering attacks that should be part of your business’ cybersecurity culture.
Attackers love to send phony emails with attachments containing malicious software that infect your computer systems. Reduce unwanted email traffic by installing and maintaining basic security protections, including firewalls, antivirus software and email filters.
Train employees and users on email and browser security best practices, including these key tips:
- Resist the urge to click links in a suspicious email – visit websites directly.
- Be cautious of email attachments from unknown sources. Additionally, many viruses can fake sender addresses, so even if a message looks like it’s from someone you know, be wary about opening any attachments.
Website and Software Security
Hackers often browse websites where users voluntarily or involuntarily trigger vulnerabilities in Flash and Java that open them up to attack. In fact, 99.9 percent of data breaches reported by Verizon last year resulted from hackers exploiting bugs like these that had fixable patches for at least a year.
Use basic security tools that block malicious intruders and alert you to suspicious activity, including firewalls and antivirus, malware and spyware detection software. Regularly check that web browsers and security software have the latest security patches and updates.
Train employees and anyone who uses a computer on website and browser security best practices, including these key tips:
- Only install approved applications.
- Be sure you’re at the right website when downloading software or an upgrade. Even when using a trusted site, double-check the URL before downloading to make sure you haven’t been directed to a different site.
- Recognize the signs that your computer is affected, and contact IT if you believe you have been the victim of an incident.
“Password1” was the most common password used by businesses in 2014. Criminals prey on weak credentials to break into a system by using unauthorized usernames and passwords.
To protect against this type of hack, businesses and employees can follow these steps to practice good password hygiene:
- Change the passwords on computers and point-of-sale systems (including operating systems, security software, payment software, servers, modems and routers) from the default ones the products came with to passwords that are easy for you to remember but difficult to guess. Long, strong passwords incorporate upper- and lowercase letters, numbers and symbols and should consist of “passphrases.”
- Update system passwords regularly and especially after outside contractors do hardware, software or point-of-sale system installations or upgrades.
- Educate employees and users on choosing strong passwords and changing them frequently.
- Use two-factor authentication. Many of these attacks rely on getting a password one way or another. Requiring another form of ID, such as a security token, will make it harder for hackers to falsify an account.
Shifting to a culture of cybersecurity does require a change to how you do business-as-usual. The change starts with awareness and education – prioritizing email, website and password security is a good place to start. Check out and share this quick resource guide on Defending Against Phishing & Social Engineering Attacks. For more information on how to make security an ongoing priority for your business with the Payment Card Industry (PCI), Data Security Standard (DSS) and other PCI Council resources, visit pcisecuritystandards.org.
About the Author
Laura Johnson executes integrated communications strategies that inform, educate and help PCI Security Standards Council stakeholders take advantage of PCI SSC programs, resources, research and initiatives. Her background includes more than 12 years of global communications and public relations client-side and agency experience in information technology, research and public policy. Ms. Johnson is a graduate of Gordon College and the Institute on Political Journalism.