May 25, 2016

Are your employees your biggest enemies?

Peter Dahlberg

Sales Lead, Security, Tieto Security Services

A while ago, an employee of a news wire service Associated Press got the following email:

From: [An AP staffer]
Subject: News


Please read the following article, it’s very important:

 [A different AP staffer]
Associated Press
San Diego
mobile [removed]

The only thing making the message suspicious was the fact that the signature was other than the sender. The result: the recipient clicked the link. The attacker got hold of AP’s Twitter account and tweeted: “Breaking: Two Explosions in the White House and Barack Obama is injured." In just three minutes Dow Jones stock market index sank by 150 points.

The consequences of this attack were rather severe but the phishing email was nothing out of the ordinary. This kind of social engineering happens all the time, all over the world.

We at Tieto Security Services and our whole ecosystem work relentlessly to make security as easy as possible. But this doesn’t mean that ignorance should be allowed.

As we wrote earlier, there is no way around the fact that when it comes to defence against cyber threats, we people will always be the weakest link. As social beings we are all too admitting to social engineering and therefore need to remain aware of it happening all the time.

Social engineering might come your way in many forms:

- In person: physical encounters and access
- By phone: fishing for and verifying inside information
- Email: phishing etc.
- Social media: instant messages etc.

It is not just about being suspicious of messages from people you don’t know. It just might be that your ex-colleague's Twitter account has been corrupted and sending phishing messages to all followers. Not to mention “company internal” emails like in the AP case.

So being alert and thinking twice before clicking a link or opening an attachment is essential. It’s also crucial to remind your staff that everyone is a potential target. In cyber security, no one should think that they are not important enough: even if you don’t hold the security keys or passwords to key company assets, your accounts can be used as a spearhead to target other personnel.

Also, management shouldn’t overlook the importance of security culture. A common error is to assume that while phishing happens all the time, your organisation is up to dealing with it. However, even tech-savvy employees can fall victim because of momentary ignorance based on hurry, lack of concentration on the thing at hand or overconfidence.

To be successful in securing your company, you must start from building awareness in your organisation. Make sure that your staff is regularly trained to have up-to-date skills and knowledge of current security issues.

Do you know how to avoid ransomware attacks? Check out our latest white paper.

Stay up-to-date

Get all the latest blogs sent you now!