According to the KnowBe4 blog, the Dutch Tax Administration reported 150,000 recorded social engineering attacks from January to November 2020, four times more than in the whole of 2019. The Dutch Fraudehelpdesk initiative, which helps victims of phishing attacks, estimated that the total number of attacks in 2020 would be at least twice that of 2019. Based on these data, hackers can be described as war profiteers of the COVID-19 epidemic.
Diverse work environments and data dispersion are a lure for attackers
What factors make hackers so vigorously prepare new attacks and direct them at a growing circle of people? They fall into three main groups.
Working in diverse environments …
… in the office, at home, in holiday homes, maybe even somewhere else. The working environments in the office and at home differ significantly in terms of infrastructure. We dare say that the vast majority of households do not have as strong security measures in their home network as business networks do.
In the business environment, we use dedicated devices and data protection policies to ensure that both users and data in the network are adequately protected, we block certain online services, etc. In the home network, users have access to a wider and more open range of services. They may not even be aware of the difference, because in the office the organization's systems already shield them from the pitfalls of various plug-ins and executable code. Outside the office, they may install malware on their computer without being aware of it at all.
Dispersion of data on different devices …
… on a computer, laptop, tablet, and phone. Switching between locations usually also means using several different devices. In addition, private devices are often used for business purposes and vice versa. Why? Because other family members may use these same devices for their own work (e.g. children use their parents’ devices for school work during distance learning), which can lead to inadvertent disclosure of data or the installation of malicious software on work devices. Furthermore, we should not ignore the fact that some users may also have an “out of sight, out of mind” mindset – if the CISO does not see what I’m doing, I may be bending the rules a bit.
Different use of mental capacities during working hours …
… reconciling work and private life while working from home. Overwork and scattering our attention across (too) many different activities can easily make us careless about recognizing online attacks. While coordinating work at home, preparing lunch, and perhaps also taking care of schooling and childcare, we read a message too quickly and click on a link we should not have.
All of the above supports the claim that users are the easiest target for hackers. So how can an administrator or information security manager in an organization make sure that users recognize online scams and behave responsibly, no matter where and how they work? And that data remains secure both in the business network and in the employees' private networks?
The key to success is security awareness training
Why call it training and not simply a course or education? Because it is a process that does not end after a week or two; it lasts as long as the user is active online.
Hackers follow the development of the newest technologies and services and adapt their attacks, circumventing the latest security updates and reaching the easiest target – the user. They keep coming up with new ways to get users to “fall for the feint”. That is why we have to educate users all the time, just as athletes have to train continuously if they want to stay in top form. If Ilka Štuhec had stopped training when she won her first World Cup medal, she certainly would not have won the second one and many more; competitors would have “run over” her. And in more recreational waters: if you want to run 10 km, you will find it difficult to reach your goal by walking up a nearby hill twice a month. It is important to train regularly and respond to changes in the environment.
As users of information technology, we are obliged to monitor events on our devices with our eyes wide open and respond to anything unusual. However, since we learn from mistakes, as the saying goes, cyber security training is best done by creating simulated unusual events in which those mistakes can be made safely. During training, users “fall for the feint” when it is not really harmful; when faced with a real attack, they will then know how to respond properly.
A real pentester and a virtual phisherman for efficient training
How should a company approach such training? With a comprehensive solution that includes:
- initial review and assessment of the situation by an expert – a real (white) hacker,
- conducting security awareness workshops for users,
- regular implementation of social engineering simulations with a dedicated tool – a virtual phisherman – at least once a month,
- monitoring the results and making analyses,
- periodic (e.g. quarterly) counseling and if applicable also
- conducting focused workshops according to the needs of the organization.
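As an added illustration of the “monitoring the results and making analyses” step above (example code written for this page, not Carbonsec's or KnowBe4's tooling): it takes constructed results from three monthly simulations, computes the share of users who fell for each one and the share who reported it, and lists repeat offenders as candidates for the focused workshops. The definition of a failed simulation (clicked the link or submitted data) is an assumption made for the example.

```python
from collections import defaultdict

# Constructed sample results from three monthly simulated-phishing campaigns.
# Users, departments and outcomes are hypothetical, not data from the post.
# Fields: (campaign, user, department, clicked_link, entered_data, reported)
SIMULATION_RESULTS = [
    ("2020-09", "ana",   "finance", True,  True,  False),
    ("2020-09", "bojan", "finance", True,  False, False),
    ("2020-09", "cene",  "it",      False, False, True),
    ("2020-09", "dana",  "sales",   False, False, False),
    ("2020-10", "ana",   "finance", True,  False, False),
    ("2020-10", "bojan", "finance", False, False, True),
    ("2020-10", "cene",  "it",      False, False, True),
    ("2020-10", "dana",  "sales",   True,  True,  False),
    ("2020-11", "ana",   "finance", True,  True,  False),
    ("2020-11", "bojan", "finance", False, False, True),
    ("2020-11", "cene",  "it",      False, False, True),
    ("2020-11", "dana",  "sales",   False, False, True),
]

def fell_for_it(clicked, entered):
    # Assumed definition for this example: a user "fell for the feint" if they
    # clicked the simulated link or submitted data on the landing page.
    return clicked or entered

def _rate_by_campaign(results, predicate):
    """Percentage of users per campaign for whom predicate(row) is true."""
    hits, total = defaultdict(int), defaultdict(int)
    for row in results:
        total[row[0]] += 1
        hits[row[0]] += bool(predicate(row))
    return {c: round(100.0 * hits[c] / total[c], 1) for c in sorted(total)}

def phish_prone_by_campaign(results):
    """Share of users who fell for each monthly simulation (lower is better)."""
    return _rate_by_campaign(results, lambda r: fell_for_it(r[3], r[4]))

def report_rate_by_campaign(results):
    """Share of users who reported each simulation (higher is better)."""
    return _rate_by_campaign(results, lambda r: r[5])

def repeat_clickers(results, min_failures=2):
    """Users who fell for at least min_failures campaigns: the candidates for
    the focused workshops listed as the last step of the approach."""
    failures = defaultdict(set)
    for campaign, user, _dept, clicked, entered, _reported in results:
        if fell_for_it(clicked, entered):
            failures[user].add(campaign)
    return sorted(u for u, c in failures.items() if len(c) >= min_failures)
```

Tracking the two rates side by side is what shows progress: the goal of monthly simulations is a falling phish-prone share together with a rising report rate.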
Such an approach to user awareness enables continuous employee development. Because users experience a (simulated) phishing attack themselves, they become much more cautious in their online actions in their private life as well. Consequently, they pass the new knowledge and experience on to others, which in the long run creates a more cyber-aware society.
Because there are not enough experienced pentesters to perform monthly attack simulations for clients, and because that would also be too expensive, Carbonsec recognized a good partner in KnowBe4 and its security awareness training tool. The tool enables a variety of social engineering attack simulations and transforms the user into a real “walking” firewall. The partnership with KnowBe4 also gives us the opportunity to realise our idea of human-machine cooperation. This approach lifts the cyber security of users – our customers – to the highest level.
KnowBe4 and competitive solutions
We know that the tool we believe in is not the cheapest on the market. However, we are convinced that it is the best. We are often asked why we chose KnowBe4 when there are other open source or even software-embedded solutions that also perform simulated phishing attacks.
We recognized KnowBe4 as the best and most complete solution because it:
- contains the largest content base for simulated attacks,
- enables advanced analytics and monitoring of progress in terms of user resistance (how phish-prone they are),
- according to the manufacturer, installs twice as fast as competing solutions,
- is designed so that there is almost no interference with the employee’s work process, while at the same time providing measurable results,
- includes customer support.
You can take the first step in a holistic approach to user awareness yourself. Find out more about user awareness programs on our website.
We will be happy to provide more information about our – we are just a click away.