A lack of internal IT education is endangering businesses


Every IT department in the country knows the PICNIC acronym: Problem in Chair Not in Computer.

However, it’s not as simple as that. The people in the chair cannot be expected to know everything they need to know about safely operating the IT equipment they are given. Let’s look at the current issues and at what users need to be aware of so that they don’t endanger your business.

GDPR

Surely everyone knows that May 25th 2018 was the day when the new regulations around personal data (Personally Identifiable Information, PII) and its usage grew teeth. GDPR consultants across the country were scaring companies with talk of huge fines and of the need to get everyone they had ever added to a mailing list to give consent again. So what do users need to be aware of?

Be careful about CC’ing lots of people. If they do have to send an email to lots of people and don’t want to use a mailing tool such as MailChimp, the right choice is to BCC the recipients rather than CC them. Nobody can then see everyone else’s email address, and nobody can complain that you have shared their data without their permission.

Don’t automatically add someone to the company mailing list just because they met them at an event. If they do ask whether the person wants to be added to a mailing list, they should note on that person’s record when and where the verbal permission was given.

Phishing emails

Phishing is a large-scale attack built on forged emails. Phishing scams trick the unsuspecting recipient into giving up valuable data, or into downloading dangerous malware. Phishing emails are sent to large numbers of recipients in the hope that even a small number of responses will lead to a successful attack.

One way to approach this is to run simulated phishing assessments with work colleagues. These let you identify the weakest links in the business and then give those team members more training. Employees are the human firewall; 91 per cent of breaches start with a phishing email.

Be vigilant for emails asking for information that isn’t normally asked for. For example, your bank will never email you asking for your PIN or other account details. Don’t act on such emails: don’t reply, don’t follow the links and don’t open the attachments.

The same goes for emails offering something that’s too good to be true. That US high-net-worth individual or that Nigerian prince isn’t giving you money; he wants yours. Following the links or opening the attachments in these emails lets in ransomware or malware designed to collect information from your laptop or phone, or to lock you out of it unless you pay.

Impersonation emails

Supposedly sent from someone on your board of directors, or from a supplier, impersonation emails aim to get you to send money to the wrong place. They are normally sent to the Accounts team within your business.

Emails “from” your directors usually ask you to transfer money quickly into a specified account because of some tight deadline. They are designed to worry you about the timescale so that you react instantly. Don’t. Pick up the phone and call that person, or someone in their team, to confirm the request.

Supposed supplier emails claim that the supplier has changed its bank account details and ask you to update your records and the destination you send payments to. Again, pick up the phone and check, using the number you already hold on file. Don’t use the phone number or the email address in the email, as they will almost certainly go to the fraudsters.

These emails are very convincing, with the email addresses and URLs almost identical to the ones the recipient would expect to see: a single letter swapped or dropped, or the right company name under a slightly different domain. Ask people to be increasingly vigilant and suspicious. Better that they take a few more minutes to confirm something than send a fraudster many thousands of pounds.
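The “almost identical” addresses described above can be checked mechanically as well as by eye. What follows is an added example, not code from this article or from Equinox: a Python check that compares a sender’s domain against a list of trusted domains and flags near-matches (a letter dropped or swapped, a digit or Cyrillic character standing in for a Latin letter, or the trusted name reused under a different domain). The trusted-domain list, the homoglyph table and the sample addresses are assumptions constructed for the example.

```python
"""Lookalike sender-domain check.

Added example for this article, not code from Equinox or the author.  It takes
the *actual* sending address (not the display name) and reports whether its
domain is one we trust, an "almost identical" lookalike of one we trust, or
simply unknown.  A "lookalike" verdict is exactly the case where the Accounts
team should pick up the phone.  The trusted domains, the homoglyph table and
the sample senders are constructed for the example.
"""
import unicodedata

# Assumption: the domains the Accounts team legitimately receives payment
# instructions from (our own company plus a known supplier).
TRUSTED_DOMAINS = {"equinox.co.uk", "acme-supplies.com"}

# Character sequences fraudsters swap for visually similar ones.  Each is
# folded to its "real" form before comparing, on both sides, so a domain that
# differs only by such a swap compares as equal.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lowercase, drop accents and non-ASCII (e.g. Cyrillic 'о'), fold homoglyphs."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch) and ord(ch) < 128)
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sending address."""
    if address.count("@") != 1:
        return "unknown"          # malformed: treat as untrusted
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for good in trusted:
        good_norm = normalise(good)
        if norm == good_norm:
            return "lookalike"    # differs only by a homoglyph or Unicode swap
        if edit_distance(norm, good_norm) <= max_edits:
            return "lookalike"    # typo-squat: a letter dropped, added or changed
        if good.split(".")[0] in norm:
            return "lookalike"    # trusted company name reused under another domain
    return "unknown"


def triage(addresses):
    """Map each address to its classification using the checks above."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample senders: the genuine FD, four spoofs, one stranger.
    SAMPLES = [
        "fd@equinox.co.uk",               # genuine
        "fd@equlnox.co.uk",               # 'l' for 'i'
        "fd@equin\u043ex.co.uk",          # Cyrillic 'о' for Latin 'o'
        "ap@acrne-supplies.com",          # 'rn' for 'm'
        "fd@equinox.co.uk.example.com",   # trusted name buried in another domain
        "bob@gmail.com",                  # unrelated
    ]
    for addr, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {addr}")
```

A rule like this belongs in the mail gateway, or as a warning banner on inbound mail to the Accounts team; a “lookalike” verdict is the cue to ring the supplier on the number already on file, never to reply. It does not replace that call: a genuine supplier mailbox that has itself been compromised passes every test here.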

According to the City of London Police’s National Fraud Intelligence Bureau (NFIB), the highest reported loss from a single CEO fraud attack is £18 million, and on average a single CEO fraud attack costs a business around £35,000.

The threats to your business, particularly electronic threats such as these, get more complex every day. Whilst your IT team may keep abreast of what is happening, you cannot expect the rest of your employees to be quite so up to date. They need to be made aware of the issues that could lead them to inadvertently damage the business.

If you have an internal newsletter, add a regular IT security piece to it. Use it to make staff aware of the threats and of what they need to keep an eye out for.

If you have an internal system such as SharePoint, develop an IT security and education section on there and ensure that everyone knows how to find it.

Better to be safe than sorry!

Mike Ianiri, Director, Equinox
Image Credit: Billetto Editorial / Unsplash