Building a human firewall: an essential weapon in your arsenal
In a world where more and more aspects of our professional and personal lives are moving online, it is not enough to say that cybersecurity is important; we need to take a close look at the individual aspects of our cyber defences.
Companies of all sizes, as well as cybersecurity providers, are in a constant race with cybercriminals: as one develops new solutions, the other improves their techniques, and new threats arise. Our aim is to help companies overcome these challenges.
The cybersecurity solutions required by organisations (with scores of users and multiple devices per user) can roughly be sorted into the technical, a vast and varied category, and the personal: solutions that address the mistakes users can and do make. As necessary as securing systems is, neglecting the human element leaves organisations open to attacks that target users directly.
The Achilles' heel of every security system is the human element, and who is better placed to help over 37,000 companies worldwide than The World's Most Wanted Hacker? Kevin Mitnick incorporated his own social engineering tactics into the design of KnowBe4's New-school security awareness training.
At NewPush we see the system developed by KnowBe4 as the perfect complement to our Connective Platform™: IT security and compliance dashboards that drive targeted training, strengthening cybersecurity and identifying risk. Thanks to our unique integration approach, the Connective Platform™ extends the KnowBe4 system with analysis and functionality that is otherwise unavailable.
SMiShing in troubled waters
The growing number of connected devices and of people working remotely inevitably brings more sophisticated techniques from bad actors intent on breaching the defences that protect those devices and people. Just one example among many is phishing via text messages, also known as smishing. This is a type of social engineering attack that relies on and exploits people's trust, circumventing technical safeguards. Smishing is an effective means of attack for the same reason SMS marketing is effective: 98% of text messages are read, as opposed to 21.33% of emails. Once it has the user's attention, the scam is already miles ahead of the email-based variety. Response rates are also higher: SMS messages elicit a reaction 45% of the time, as opposed to email's 8%.
As a form of phishing, these texts will contain a link of some sort, but as an added security risk, the sender of a text is not authenticated beyond the attached phone number, and even that can be manipulated. Cybercriminals generally use one of two methods when going smishing.
- Malware: the URL in the text tricks users into downloading malicious software masquerading as a legitimate app. Once installed, the software may ask the user for all kinds of permissions, start sending their personal data elsewhere, and take over their phone.
- Phishing site: just as with emails, the link may lead to a site that tricks the user into giving away their username, personal information, or access to systems. Sites like these are designed to look just like reputable ones belonging to banks, service providers, or the users' own organisations.
KnowBe4 has been warning users about smishing and its coming rise for years; their knowledge of the subject, which they have integrated into their training, is both extensive and up to date.
Smishing is just another form of phishing. Scammers are hugely motivated to innovate as well as to pursue existing tactics.
Users are catching on to COVID-19 phishing tactics
Thanks to a global effort, the coronavirus pandemic has entered a slow downward curve, but living with the virus for over a year has changed our lives in countless ways. One small positive effect is that continued exposure has honed users' ability to spot COVID-related email scams. Unfortunately, as users catch on to these tactics, cybercriminals are turning to social media phishing emails. According to the Q1 2021 top-clicked phishing report compiled by KnowBe4, LinkedIn and Facebook are emerging as favourites for social-media themed phishing attempts. Watch out for emails with subjects like "You appeared in new searches this week!", "Please add me to your LinkedIn network", or "Your friend tagged you in a photo on Facebook".
The report examined tens of thousands of real phishing emails reported to IT departments as suspicious, looking for recurring, general subject lines. The leader, with 31%, was some version of "Password Check Required Immediately", and the list continued with fake updates on sick-time policy (15%), remote work policy (13%), and vaccine interest (10%).
Advice from Stu Sjouwerman, CEO of KnowBe4
‘Always check with your IT department through a known good phone number, email address or internal system before clicking on an email related to checking or changing a password because it only takes one wrong click to cause monumental damage.’
Education, meet Entertainment
As anyone who has ever attended cybersecurity training knows, keeping trainees engaged with the material is perhaps the biggest challenge educators face. Organisations can offer external incentives when directing their employees to attend training, but the abstract nature of the threat the classes aim to arm users against means that keeping up interest is no mean feat.
Any training programme worth its salt has to address participant interest, since the effectiveness of the training is directly linked to engagement. Clearly, if users leave the classroom only to commit the blunders they were trained to avoid, their time would have been better spent watching Amazon Prime instead. Hang on... who says they can't do both?
The first season of the award-winning KnowBe4 original security thriller The Inside Man has just been released on Amazon Prime Video, making the popular educational series available to a broader audience.
Video: The Inside Man trailer, https://www.youtube.com/embed/3BRlXGnnjmk
The show, now in its third series, deals with topics like social engineering, physical security, insider threats, and deepfakes through the all-too-human story of Mark Shepherd, a hacker-cum-hero embroiled in a sinister plot to penetrate the Khromacom corporation. The show has been praised for adding entertainment value to security training and for shining a light on the human cost of cybercrime.
I gotta say – this series is a blast! Sure, it’s educational but, I confess, I watched each episode to see what happens next. There is no “dry” teaching in this series but learn you will!
Jay Stromberg, Savvy Training, 2019