Businesses need to educate staff to counter phishing hack attacks

Published by
Christian Keszthelyi

As cyber hacking attempts are on a steep rise, businesses need to invest in continuous education of their staff to raise awareness of the threats a phishing attempt comes with, Sheila Pancholi, Partner at Technology Risk Assurance of RSM UK and Dr John Abela, Co-Founder, CTO and COO of Ascent Software, concluded in a public cybersecurity webinar held on 12 March.

The two most common hacking approaches a company or an individual can come across are phishing or whaling, according to the two experts.

Phishing most often targets individuals. The message appears to be an email from a well-known service the recipient uses and asks for log-in credentials on a replica of that service’s login screen; in reality, the entered data is sent to the attackers. Sometimes these emails also carry familiar-looking attachments that compromise the computer when opened.

Whaling, on the other hand, usually targets a small group of individuals – e.g. the employees of a specific company – with messages disguised as having been sent by the CEO or a colleague, asking staff to transfer money or provide bank credentials. These details end up with the attackers, who can then get into the systems of companies storing confidential data or divert funds.

Human error

Citing IBM’s 2018 Cyber Threat Intelligence Index report, the experts say that 95% of security incidents occur due to human error. Phishing emails that use social engineering – the psychological manipulation of people – to deceive the addressee can have a success rate as high as 70% for acquiring sensitive data, Mr Abela says.

Citing the experience of Kevin Mitnick – a reformed hacker who, after serving a prison sentence for hacking, chose to use his skills ethically – the two experts say that phishing emails work because people are easily tricked: they are helpful by nature and tend to extend trust in order to avoid conflict.

Education and raising awareness

To hold firm against the constant stream of attacks, a company should actively discuss the threats with its employees, the two experts agree. They also emphasise the importance of ongoing education of the staff, as attacks are becoming more sophisticated by the day and can hit a company or individual at any time.

As such, a company should develop a coherent cyber resilience strategy, be aware of the critical information assets that exist in the organisation, educate the workforce and partner network, embed good practices in the organisation, understand the staff’s knowledge and communicate more effectively, as well as understand how to respond to and recover from an attack.

Steps to take include installing and maintaining secure firewalls and deploying up-to-date anti-virus engines, password-protecting internal Wi-Fi networks, having an incident management plan for a worst-case scenario, considering cyber insurance, checking physical site controls and paying ethical hackers to try to penetrate corporate systems so that any loopholes show up.

RSM conducted phishing tests to see how vulnerable employees are. In the health sector, it sent out more than 230 spoof emails asking employees to validate their staff login. Some 37 employees clicked the link within minutes, and altogether 81 had clicked by the end of the day, according to data published during the webinar.

In a similar test with a financial services client, 44 of 142 recipients clicked the phishing link. Some 30% were successfully phished, 5% opened the email but ignored the link, and 65% did not respond to the email at all, the two experts say.

Webinar by RSM

During the public webinar hosted by RSM on March 12, Dr John Abela, Co-Founder, CTO and COO of Ascent Software, joined RSM’s Sheila Pancholi, Partner and UK lead for the Technology Risk Assurance practice. They discussed the various phishing tactics hackers use, and the ways businesses can strengthen security measures, implement processes and take practical steps to mitigate risk and minimise the impact of these kinds of cyber attacks.

“Phishing has been in existence almost as long as the email function itself. An unskilled hacker can easily trick you into submitting your credentials to a malicious site through an email that appears to be from a reputable source,” the description of the webinar says.

“But as technology advances, so do the skills of hackers. No longer satisfied with preying on small fish, hackers are now engaging in sophisticated tactics targeting businesses and discovering vulnerabilities. This is becoming especially common amongst the C-suite in attacks known as ‘spear-phishing’ and ‘whaling’. The reason is simple; CEOs and CFOs who may fall foul of these attacks offer top-down access to all business operations,” RSM adds in the webinar description.

Independent accounting and advisory firm RSM Malta is a member of the RSM network. The RSM network is administered by RSM International Limited, a company registered in England and Wales.

Christian Keszthelyi

Christian used to be the editor of Business Malta, the predecessor of Malta Business Weekly’s online platform. As an avid journalist and writer, he believes that good content has a great flow that seamlessly guides the reader from the beginning to the end. He knows that words have immense power, and ruthlessly edits his own copy when chasing perfection (although he knows an article is never ready.)
