How to protect yourself against the 90% of cyber attacks caused by human error


Authored by NMU

Many businesses are under the impression that large companies are the primary targets for cyber-attacks; however, this isn’t always the case.

Following Computer Security Day, NMU are reinforcing their commitment to educate by highlighting common weaknesses cyber criminals look for in computer security.

In 2018, an estimated 90% of cyber attacks were down to human error, but there are simple ways to help prevent potential security breaches. Making your workforce aware of the methods criminals are using, and of what to do when they spot something that doesn’t seem right, can go a long way towards preventing attacks from happening in the first place.

Here are three key areas to make staff aware of, to help protect your computer systems and keep them secure:

Phishing

E-mail attacks are one of the most common ways for criminals to gain access to your sensitive information or breach the company network, and in some cases, demand a ransom.  These types of attacks are commonly known as Phishing, Spear Phishing, Ransomware and CEO Fraud.  Phishing E-mails appear in different forms but will all contain at least one Hook:

Sender
Does the sender name or E-mail address appear to be a person or organisation you know, but are there spelling mistakes and an unusual email address?  If you do not know the sender, is the email address accurate, or does it appear to be made-up and created to imitate a genuine sender?

Subject
Is the subject line intriguing or too good to be true?  Has a compelling and captivating subject line been used to persuade you to open the E-mail?

Date and Time
Does the E-mail appear to be from someone you know but was sent at a suspicious time, for example, 02:14 in the morning?

Wording
Is the wording unfamiliar and not in the style you would expect the sender to write?  Are the choice of words and the way sentences are structured unusual?

Spelling
Does the E-mail contain spelling and grammatical errors?  However, be aware that not all Phishing E-mails have errors. Spear Phishing attacks are often crafted more professionally.

Urgency
Is the E-mail asking you to take immediate action?  For example, the E-mail may ask you to ‘Click Here’ or send an urgent payment. Is the demand made with a sense of urgency, to trick you into acting?

Links
Is there a link in the E-mail and is it going to where it says?  Always check by hovering over the link to reveal the real destination.  If the destination is not what you are expecting do not click.  Always check all links!

Attachments
Is the E-mail asking you to open an attachment?  Attachments can install malware onto your machine.  Do not open attachments from suspicious E-mails.

When you spot a Hook, apply BAIT:

Beware – Always be vigilant when checking E-mails at work and at home

Analyse – Use the handy Hooks checklist to fully analyse the E-mail

Identify – If you identify a Hook do not act or click on the E-mail

Terminate – Delete the E-mail and/or report to your IT Department. Do not forward the E-mail.
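The Sender, Date and Time and Links Hooks all depend on details the mail client does not show at a glance, so they can also be checked from the raw message. The Python sketch below is an added example, not code from NMU; the function and class names, the 07:00 to 19:00 working-hours window and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):  # collects (visible text, real href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.text.strip(), self.href))
            self.href = None

def find_hooks(raw, known_domains, work_hours=range(7, 19)):
    """Return the checklist Hooks found in one raw message."""
    msg, hooks = message_from_string(raw), set()
    name, addr = parseaddr(msg["From"] or "")
    # Sender: display name mentions a known organisation, address is elsewhere
    claims_known = any(d.split(".")[0] in name.lower() for d in known_domains)
    if claims_known and addr.rpartition("@")[2].lower() not in known_domains:
        hooks.add("Sender")
    # Date and Time: hour (in the zone the Date header states) outside work_hours
    if msg["Date"] and parsedate_to_datetime(msg["Date"]).hour not in work_hours:
        hooks.add("Date and Time")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    # Links: the visible text shows one host, the href goes to another
    for text, href in collector.links:
        shown = urlparse(text if "//" in text else "//" + text).hostname
        if "." in text and " " not in text and shown != urlparse(href).hostname:
            hooks.add("Links")
    return hooks

# Constructed sample message using reserved example domains, not a real e-mail
SAMPLE = """\
From: "Example Accounts" <accounts@examp1e-billing.test>
Date: Tue, 04 Dec 2018 02:14:09 +0000
Content-Type: text/html

<p>Pay at <a href="http://portal.examp1e-billing.test/pay">https://www.example.com/pay</a></p>
"""
```

Calling find_hooks(SAMPLE, {"example.com"}) reports all three Hooks. Wording, Spelling and Urgency still need a human reader, and a message that raises no Hook here is not thereby proven safe.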

Ransomware

Ransomware is a type of malware that can be covertly installed on a computer without the knowledge or intention of the user. The software restricts access to the infected files and folders or sometimes to the whole computer system. It demands that the user pay a ransom to the malware operators to remove the restriction.

Ransomware typically propagates as a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service.

If you think your device has been infected:

  1. Switch it off immediately
  2. Inform your IT department immediately via phone

Passwords

Although it may seem obvious, change your passwords regularly and make them as difficult as possible to find or guess:

  1. Never write your password down (except to store it in a specialised, secured and encrypted password container).
  2. Never share your password with someone else (not even with your Manager/IT Service Desk etc).
  3. Use a password for one single account only. Never use the same password for different accounts or 3rd party services. This includes not using your business account password for any other application or service. Always use a unique password, never reuse passwords.
  4. Never use a password you can find in a dictionary. Do not use your user name or parts of your user name. Do not use your computer name or operating system name as a password.
  5. Do not use a reproducible password schema to create your passwords (e.g. consecutive numbering).
  6. Use complex, long passwords (currently >11 characters is best) with special characters and numbers. Therefore, develop a personal passphrase schema to make complex passwords that are easy to remember.
  7. Change passwords immediately if you get breached or think you have been breached.
  8. Take care not to allow others to observe when typing in your password. This includes unlocking your smartphone.
  9. Be focused when typing in your credentials on web forms; check the URL and make sure encryption is active before entering. Don’t let software cache/store your credentials.
  10. Consider using a Password Container to follow most of these recommendations.
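Recommendations 4, 5 and 6 can be checked automatically at the moment a password is changed. The Python sketch below is an added example, not NMU's code; the function names, the three-entry wordlist and the three-character minimum for name fragments are assumptions, and `current` stands for the old password the user types during the change, since it should not be stored in readable form anywhere else.

```python
import re

# Constructed mini wordlist; a real check would load a full dictionary file
WORDLIST = frozenset({"password", "sunshine", "letmein"})

def skeleton(password):
    """Collapse every run of digits so 'Summer2018!' and 'Summer2019!' match."""
    return re.sub(r"\d+", "#", password.lower())

def broken_rules(new, current, username, computer_name, wordlist=WORDLIST):
    """Return which of the numbered recommendations (4, 5, 6) `new` breaks."""
    broken, low = [], new.lower()
    # 4: dictionary word, user name or parts of it, computer name
    #    (fragments shorter than 3 characters are ignored, an assumed cut-off)
    names = re.split(r"[^a-z0-9]+", username.lower()) + [computer_name.lower()]
    if low in wordlist or any(len(n) >= 3 and n in low for n in names):
        broken.append(4)
    # 5: reproducible schema, e.g. only the number changed since the last password
    if skeleton(new) == skeleton(current):
        broken.append(5)
    # 6: more than 11 characters, with a number and a special character
    if len(new) <= 11 or not re.search(r"\d", new) or not re.search(r"[^A-Za-z0-9]", new):
        broken.append(6)
    return broken
```

For a user jane.doe whose current password is "Summer2018!", the candidate "Summer2019!" breaks recommendations 5 and 6: only the number moved on, and it is 11 characters long.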

CyberSafe and breach response

Whilst the information and tips above can help prevent cyber attacks or data breaches, no business can be 100% certain that they won’t be the next target for a cyber criminal.

CyberSafe has been designed specifically to address the threats SMEs face and, in the unfortunate event that they are targeted, integrated breach response from ReSecure helps businesses get back up and running as quickly as possible.
