I’ve been very interested in digital security for many years. It’s crucial for Acubiz that we’re a safe and reliable service provider and partner for our customers, which is why we never compromise on our customers’ data or on digital security in general. IT security must be a major focus area for your company when you are in the market for a new SaaS supplier, something I wrote about a few weeks ago. Acubiz’ internal IT security, and our own behavior when it comes to protecting ourselves against criminal hackers, is also a very big focus area for us. It should be the same for you, and that is what this blog post is all about.
We can install as many technical security measures (firewalls, antivirus, data encryption, backup) as we want to prevent malicious attacks, but it’s just as crucial that there’s a strong security behavior and culture within the company. A single click by an employee on, for example, a link in a phishing email can have a long list of unpleasant consequences for the company. Even though antivirus programs stop most attempts, it’s inevitable that something will get through sooner or later – just ask Mærsk, the National Bank, the Danish Defence or Bauhaus, to name a few.
My focus in this blog post is therefore on why a strong internal security culture matters and which initiatives can be implemented to build one.
Strengthened focus on digital security throughout October
October is national #cybersecurity month in Denmark – a month dedicated to helping Danes cope with an everyday life that contains more and more digital threats. Information and communication technology is an integral part of our everyday and working lives. IT criminals are well aware of this, so they try to access and misuse our data every day, both privately and professionally.
Human behavior is crucial to IT security. We can be a vulnerability when it comes to security, but we’re also an essential bulwark against digital threats. IT security could be significantly improved if we establish strong internal security behavior and get a better understanding of how to maximize compliance with good security advice. I definitely support the national #cybersecurity month, and I want to urge everyone to keep up good security behavior after the month is over.
At Acubiz, we work continuously to educate and remind our employees about good security behavior; I’ll get into how a little later. There are many aspects and topics to address within digital security, which is why I’ve limited this blog post to the most frequently experienced threat: phishing.
The criminals’ preferred attack is phishing
64% of all Danes have been exposed to phishing within the past year, according to the report “Danes’ Information Security 2020” (report in Danish) from the Danish Agency for Digitization. That makes phishing the most frequently encountered digital security threat. Phishing is a type of cybercrime in which criminals try to trick you into giving them confidential information – most often through emails and text messages.
A large proportion of criminal hackers’ malicious software is installed via phishing, and this can cause both great damage and great cost. Phishing is therefore a significant security threat that needs to be acted upon. Phishing is typically used to:
- Get hold of usernames and passwords for internet services – such as email accounts, social media, and online shops
- Get hold of NEM ID and debit/credit card information
- Install malware on the victim’s device (typically triggered when the recipient clicks a link)
- Get a foothold in an IT network for further hacking
It can be difficult to detect phishing emails, but they still have a number of characteristics. Many phishing attacks try to exploit emotions such as curiosity, worry and a desire to help. At the same time, criminals often pick a topic that’s trending at the moment. Most often, the recipient is encouraged to do something quickly – it’s usually “urgent”.
Now you also have to deal with spoofing
A more targeted form of phishing attack is spear phishing, often combined with spoofing. It’s craftier because it’s aimed at specific individuals: the sender’s phone number or email address is disguised so that it appears to belong to someone the recipient knows. The information the criminals need for this can be found on company websites or social media.
For example, a finance employee may receive a spoofed email from a director requesting that an amount be transferred to some account quickly because of an urgent matter. The email appears to come from the director, since the sender address looks correct and the email’s layout is similar to the company’s “normal” design. The email can also appear to come from partners, customers etc. Only the imagination sets the limits.
We’ve become accustomed to the “classic” spam emails, but spoofing is much harder to recognize, because much more effort has been put into the email – both textually and visually.
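Most of these spoofing tricks leave traces in the mail headers. The following is an added example, not code from Acubiz or from the original post: a small Python script that flags three common ones in the From and Reply-To headers, namely a lookalike domain (examp1e.com standing in for example.com), a known colleague’s display name on an address we have never seen for that person, and a Reply-To that silently diverts answers elsewhere. The trusted domain, the contact list, the substitution table and the sample headers are all constructed for illustration.

```python
"""Sender red flags for spoofing / spear phishing.

Added example, not code from Acubiz or the original post. The trusted
domain, the known-contact list and the sample headers below are constructed
for illustration; the display-name, lookalike and Reply-To checks are common
heuristics, not a complete anti-spoofing solution.
"""
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed: the company's own domain and the people we expect mail from.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_CONTACTS = {"anna.director@example.com": "Anna Director"}

# Characters and pairs often used to imitate ASCII letters in a lookalike
# domain (examp1e.com, rnicrosoft.com, ...). Constructed, not exhaustive.
LOOKALIKE_SUBSTITUTIONS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1-2 from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is
    either a trusted domain itself or nothing like one."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    normalized = d
    for fake, real in LOOKALIKE_SUBSTITUTIONS.items():
        normalized = normalized.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if normalized == trusted or levenshtein(d, trusted) <= 2:
            return trusted
        if d.startswith(trusted + "."):      # example.com.evil.invalid
            return trusted
    return None


def spoofing_flags(raw_headers: str) -> list:
    """Return human-readable red flags found in the From / Reply-To headers."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []

    trusted = lookalike_of(domain)
    if trusted:
        flags.append(f"sender domain {domain!r} looks like {trusted!r}")

    # A known person's display name on an address we have never seen for them.
    for known_addr, known_name in KNOWN_CONTACTS.items():
        if name.lower() == known_name.lower() and addr != known_addr:
            flags.append(f"display name {name!r} but address {addr!r}, "
                         f"expected {known_addr!r}")

    # Replies would silently go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"Reply-To {reply_to!r} differs from From {addr!r}")
    return flags


# Constructed sample headers (only the lines the checks need).
LOOKALIKE_SENDER = (
    'From: "Anna Director" <anna.director@examp1e.com>\n'
    "Subject: Urgent transfer\n"
)
GENUINE_SENDER = (
    'From: "Anna Director" <anna.director@example.com>\n'
    "Subject: Lunch on Friday\n"
)
REPLY_TO_TRICK = (
    'From: "Anna Director" <anna.director@example.com>\n'
    "Reply-To: <payments@mail-relay.invalid>\n"
    "Subject: Urgent transfer\n"
)

if __name__ == "__main__":
    for label, headers in [("lookalike", LOOKALIKE_SENDER),
                           ("genuine", GENUINE_SENDER),
                           ("reply-to", REPLY_TO_TRICK)]:
        print(label, spoofing_flags(headers) or "no red flags")
```

Run it and only the genuine message passes without a flag. Heuristics like these catch the lazy cases, but the From header is just text that the sender writes, so an address that is forged exactly will look correct to any text check. The reliable defence against that is for the receiving mail system to enforce SPF, DKIM and DMARC; the script above complements that, it does not replace it.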
Help your employees avoid phishing
The purpose of this blog post isn’t to lecture on what phishing and spoofing are. Many people are well aware of that, but I really want to help put digital security on the agenda – especially during national #cybersecurity month. I want to share some of the initiatives we use at Acubiz to establish and maintain a strong internal security culture and behavior.
We shouldn’t be afraid of cyberattacks, but we must be observant, aware and ready to spot red flags, because red flags are almost always present in one way or another when it comes to phishing or spoofing.
An employee doesn’t necessarily have good digital security behavior just because the employee is observant. However, attention and observation is a really good place to start when trying to comply with the recommendations for safe digital behavior.
Concrete messages to employees
At Acubiz we work continuously on attention, and we often repeat our security messages in all sorts of different ways. We have a GDPR handbook, we hold company-wide meetings with security on the agenda, we hang posters around the office, we run quizzes with Kahoot, we regularly run phishing tests on our employees, and much more.
The work is all about sharpening our critical sense and our gut feeling when each of us receives a potentially malicious email. Some of the messages that we repeat again and again are:
- Never hand over sensitive personal information via email, SMS or phone
- Think before you click on a link in an email or SMS – even if you know the sender
- Only click on a link when you’ve checked that the URL looks real and correct. It shouldn’t contain a lot of irrelevant letters and numbers, for example. Tip: check the URL by holding the cursor over the link; the text of a link and the address it actually points to can be two different things
- Be alert if your colleague or boss asks for something unusual that is also “urgent”
- Never answer with the “reply” button if you suspect fraud. Start a new email to the address you already know instead.
- Update your PC. It’s basic IT security. Don’t postpone updates – they come for a reason
- Change passwords regularly – and they must be unique, a different one for each service
- … and much more, such as locking your screen, keeping a clean desk etc.
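The “hover over the link” tip above can be done for a whole message at once. The following is an added example, not code from Acubiz or from the original post: a Python script that pulls every link out of an HTML email body and compares what the link shows with where it really points, covering the mismatched link text, the user-info trick (https://example.com@evil.invalid/ really goes to evil.invalid), punycode hostnames, raw IP addresses and the long strings of irrelevant letters and numbers mentioned in the list. The trusted domain list and the sample email body are constructed; the hostile hostnames use reserved example and .invalid names.

```python
"""Check every link in an HTML email the way the hover tip does, all at once.

Added example, not code from Acubiz or the original post. The trusted
domains and the sample email body are constructed for illustration. The
checks are heuristics for the red flags in the list above; they do not
follow redirects or resolve URL shorteners.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains where a login or invoice link would be expected.
TRUSTED_DOMAINS = {"example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def link_flags(href: str, text: str) -> list:
    """Red flags for one link: what the link shows versus where it really goes."""
    flags = []
    parts = urlparse(href)
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        flags.append(f"unusual scheme {parts.scheme!r}")
    # The visible text is itself a URL, but for a different host than the href.
    if re.match(r"https?://", text) and host_of(text) != host:
        flags.append(f"text shows {host_of(text)!r} but link goes to {host!r}")
    # https://example.com@evil.invalid/ : everything before '@' is ignored as host.
    if parts.username is not None:
        flags.append(f"user-info {parts.username!r} in front of the real host {host!r}")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode hostname (possible lookalike characters)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw IP address instead of a hostname")
    # "A lot of irrelevant letters and numbers": one long mixed alphanumeric token.
    for token in re.split(r"[/?&=.\-_]", parts.path + "?" + parts.query):
        if len(token) >= 24 and re.search(r"\d", token) and re.search(r"[A-Za-z]", token):
            flags.append(f"long random-looking token {token[:10]!r}...")
            break
    if host and not is_trusted(host):
        flags.append(f"host {host!r} is not one of our known domains")
    return flags


def check_body(html: str) -> list:
    """Return [(href, text, flags)] for every link in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, link_flags(href, text)) for href, text in collector.links]


# Constructed sample body: one genuine link and two phishing-style links.
SAMPLE_BODY = """
<p>Your invoice is ready: <a href="https://example.com/invoices/123">Open invoice</a></p>
<p>Please log in at <a href="https://example.com@login-example.invalid/auth">https://example.com/login</a></p>
<p><a href="http://192.0.2.10/x/Zk83jd9fKs02lsd8fDkslq9201ls">Update your payment details</a></p>
"""

if __name__ == "__main__":
    for href, text, flags in check_body(SAMPLE_BODY):
        print(f"{text!r} -> {href}")
        for flag in flags or ["no red flags"]:
            print("   ", flag)
```

The first link is clean; the second trips the text mismatch and the user-info trick; the third is a raw IP with a random-looking path. A script like this only checks what the link claims: a shortener or a redirect on a trusted domain still hides the final destination, and on a phone there is no hover, so the same check has to be done by long-pressing the link to preview it.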
We’ve actually decided that we no longer send links to one another via email; that is done over Microsoft Teams instead. We also don’t write “URGENT” or “Comments required” in the subject field. Some will say that’s belt and braces, but we’re really just trying to make sure no breach gets in that way.
The Danish Agency for Digitization’s report also points out that people are more likely to comply with security recommendations when it’s clearly communicated what they’re expected to do. This is why we communicate often and in different ways.
We practice every day
I’m proud of our initiatives and of the way we work to establish a strong and safe security culture. We’ve come a long way. Are we at the finish line? No, certainly not, but we’re getting better. So are the criminals, by the way, and therefore we keep practicing.
I hope you can find inspiration in some of our experiences and initiatives, and use it to put digital security – phishing and spoofing in particular – on the agenda in your company.