
Cybersecurity: The importance of educating your workforce


Educating your workforce about cybersecurity isn’t always easy as the landscape is constantly changing. However, you don’t need to be an expert to know what some of the common threats are and how to help your employees avoid them…

What is the biggest flaw in cybersecurity?

When it comes to cybersecurity, your biggest vulnerability isn’t your technology, it’s your people. In 2019, 90% of data breaches were caused by user error. That means for every 1000 data breaches, up to 900 of them could have been prevented if sufficient education was implemented beforehand. This includes being able to identify instances of social engineering, such as phishing.

In 2021, the ICO (Information Commissioner’s Office) recorded 2,697 reports of cyber security breaches. That’s an increase of 14.5% from 2020, which recorded 2,353 breaches. It was found that phishing was the primary cause of these breaches, making up 36% of all recorded attacks. To add some perspective to this, in 2017 there were only 222 reports of breaches caused by phishing – that’s a 336% increase in under 5 years.

As phishing attacks rely on people interacting with malicious links and files, these statistics show that lack of awareness is a top contributor when it comes to cyberattacks. In fact, some of the biggest breaches in the past two decades were a direct result of human error.

Yahoo data breach | 2014

In 2014, hackers obtained data from over 500 million Yahoo accounts. This data breach included account names, email addresses, passwords, telephone numbers and even dates of birth. All these details can help hackers break into the other accounts that users may have with other services, including online banking. So, how did this happen?

Yahoo’s biggest vulnerabilities were their poor security practices and the lack of encryption. Access to their systems was gained through a single phishing scheme that targeted unsuspecting users. As a result, it only took one employee, clicking one suspicious link, to let one hacker into their systems. That’s right, it only took one lapse of concentration to compromise 500 million accounts!

Since this famous attack, many businesses have taken the lesson on board and invested in protecting against social engineering and brute force attacks. This also led to a huge increase in staff training in an effort to drastically increase cyber awareness.

Marriott Hotels data breach | 2014

Like Yahoo, Marriott also experienced a large data breach in 2014. However, this breach wasn’t discovered until 2018 when an internal security tool caught an attempt to access the internal reservation database; a request that it deemed suspicious. This security alert kickstarted an investigation that uncovered the cause of the breach… a phishing attack.

It was concluded that when Marriott had acquired the hotel group Starwood, they had gained a compromised system. The Starwood locations had not migrated over to Marriott’s systems and were still using legacy equipment, leaving them vulnerable.

Hackers managed to infiltrate the Starwood systems through email spoofing and phishing. When a user clicked on a malicious link, malware was installed onto their system, and at some stage during the acquisition of Starwood, this malware was able to move laterally over to Marriott’s network.

Google and Facebook attack | 2013-2015

Google and Facebook experienced breaches between 2013 and 2015, costing both companies over $100 million combined. It was one of the biggest, if not the biggest, social engineering attacks publicly recorded, and it was all executed by one man, Evaldas Rimasauskas.

Rimasauskas managed to attack these tech giants by setting up a fake company and posing as a computer manufacturer that worked with Facebook and Google. He even went to the length of setting up bank accounts for these hoax ‘companies’.

Once he and his team had their system set up, they used phishing techniques that targeted specific employees working for both companies. These emails contained invoices for fake goods and services that Rimasauskas’ company had provided. The emails directed the employees to deposit payments into the bank accounts that he had set up. They operated this scam for almost two whole years, extracting money from Google and Facebook via employees that could not identify inbound cyber threats.


How can I train my employees on cybersecurity threats?

When it comes to educating your workforce, these case studies provide a great way to emphasise the dangers of data breaches. They’re real-life scenarios in which real-life businesses lost huge amounts of money and data due to human error. Education will not eliminate cyber threats entirely, but it will have an enormous impact when it comes to reducing risk.

Here are some tips on what you can do to keep your employees up-to-date on their cybersecurity training:

Emphasise the importance of cybersecurity

Outline to your employees how cybersecurity breaches can impact your business, and they will have a much better understanding of the importance of handling data and working with emails securely.

Simple and clear messaging

When it comes to reminding and informing employees, use simple cybersecurity messages. Not everyone understands complex IT terminology.

Onboarding staff

When a new member of staff joins your team, cybersecurity should be an essential part of their training. This way, it will be at the forefront of their mind from the get-go.

Comprehensive cybersecurity training

Make sure your cybersecurity training covers all of your business’ vulnerabilities. It’s important that you talk not only about the technical threats, but also about the social engineering aspects of cybersecurity facing employees each and every day.

If you need a hand with educating your employees, then our cybersecurity experts are here and available to get you started. We’re Cyber Essentials and ISO 27001 certified, so you can rest knowing that we know what we’re talking about when it comes to keeping businesses safe.

Alongside our experts and certifications, we offer a range of IT security products that could help you educate your workforce and protect your business. For example, our Barracuda Phishline product provides training, identifies threats and simulates real phishing emails, allowing you to monitor employee awareness and tailor training programs to meet their individual needs.

For a free cybersecurity consultation, please don’t hesitate to call, email or start a live chat with us – we’ll help you protect your business and keep your employees cyber-safe!


Cybersecurity: The importance of educating your workforce

December 16th, 2022


The post Cybersecurity: The importance of educating your workforce appeared first on DuoCall.
