
Employees get sucked in by smarter cybercriminals

01 Feb 2012

A staggering 70 per cent of organisations have been the target of an advanced attack and, frighteningly, it has been found that about half of all employees will fall for a well-crafted spear phishing ruse, which could open the door to malware and other threats to the corporate network.
While most New Zealanders are aware of the more common tactics of cybercriminals and seldom fall for scams involving emails from Nigerian royalty or phishing scams seeking banking details, few are as vigilant when it comes to protecting valuable company information at work. Hackers and cybercriminals are stepping up their efforts to target businesses, seeking everything from intellectual property for commercial gain to customer records for competitive advantage, or even using stolen information for extortion attempts. One careless employee could become the weakest link in your business and expose it to a long list of threats.
While mobile devices now offer the convenience and flexibility of accessing emails and company desktops in order to work effectively anywhere, the growth of employee-owned devices and the increasing use of social-media applications in the workplace are creating new potential avenues of attack and posing a big risk to company IP. The potential consequences of losing company information in this way are frightening, and organisations need to make sure they have control and insight into the users and devices accessing their network.
It’s a good idea to configure your employees’ devices to connect to corporate Wi-Fi hotspots, rather than public Wi-Fi hotspots, to minimise the risk of any data vulnerabilities and malware infestations. Ensure employees are aware of simple things such as turning off Bluetooth or Wi-Fi when not in use, applying a screen lock when the phone is powered on and setting up an inactivity time-out limit or auto-lock; these can also be useful should an employee lose the device.
Risky practices – lack of password protection, giving out passwords – along with ineffective approaches to information security are making organisations susceptible to these new employee-targeted attacks. The current level of complexity in our IT environments is also making it easier for skilled adversaries to hide and find unknown or unpatched IT vulnerabilities.
To add to the problem, many companies are unable to detect sophisticated attack patterns. Conventional antivirus, firewall and IDS tools do not form a complete picture of an attack, instead identifying unauthorised access, viruses, or phishing email, but not actually associating these events.
So how do we better stay safe in a world where cyber-attackers are smarter and passwords are harder to remember?
Traditionally, firewalls provide defence against attacks from viruses or external attackers. To this end, review all firewall deployments to ensure that current rules, and the processes to implement and maintain them, are still valid. Also ensure adequate measures have been taken to help protect devices like laptops with technologies such as host-based firewalls.
Do not, however, solely rely on firewalls as a single means of defence. There are additional factors to consider for protecting a network. Do you provide secure remote access with strong authentication techniques? Have you made sure you have secured your wireless network to help prevent unauthorised users from gaining access to your network resources?
Fresh approaches and new ways of thinking about information security, some of which may be uncomfortable for IT managers and decision makers, will be needed to combat this new class of threat that seeks to exploit the "weakest link" in a company. For example, giving up the idea that it is possible to protect everything in order to focus on the most critical information – the company "crown jewels" if you will – is something that organisations need to consider. Additionally, the definition of successful defence should change from "keeping attackers out" to "detecting intruders as early as possible and minimising the damage."
In other words, assume an organisation is already compromised – and work from there.
