
Reducing Human Error: A Vital Step in Cybersecurity for Abbotsford, BC Businesses

When it comes to data breaches and hacks, the extent to which human error plays a role remains a subject of debate. Reports suggest figures ranging from 23% to a staggering 95%, depending on the definition of human error. Whether it's an employee leaving a company laptop in a car that subsequently gets stolen or sending a document to a mistyped email address, human error is almost always intertwined with cybersecurity incidents.

In reality, those dramatic backdoor-code-hacking scenarios you see in movies are far less common in the modern hacking landscape. Why invest hours in breaching firewalls when a simple phishing email in an employee's inbox can provide a more straightforward path to compromising data?

Whatever the exact figure and definition, one undeniable fact remains: the person sitting at the desk is often the most significant threat to your data. So, how can you minimize this human error threat?

1. Training Is Key

The most powerful weapon in preventing human error is education. Employees need to recognize threats to mitigate them effectively. Cybersecurity training should be as vital as the training employees receive for their job responsibilities.

A 2019 report highlighted that small and medium-sized businesses (SMBs) are most frequently affected by inappropriate IT resource use by employees. The second-highest cause was malware infection on company-owned devices.

Effective cybersecurity training should cover:

  • Good password practices, including creating strong passwords, secure storage, and regular password updates.

  • Identifying phishing threats in emails.

  • Safe online practices, such as using websites with HTTPS, and recognizing the difference between secure and insecure sites.

  • Appropriate use of company devices, including not lending them to family members or using them for personal tasks, and ensuring secure storage when not in use.

Businesses can also provide refresher courses with updated threat education once or twice a year. While training requires time and investment, the cost of neglecting it can be significantly higher.

2. Regular Updates Are Crucial

SMBs with outdated technology can suffer up to 54% more financial damage in a data breach compared to companies that keep their IT systems updated. Yet, 44% of North American organizations continue to use old, unpatched software in their operations.

The human element plays a substantial role in this issue as well. Users often ignore or delay software updates because they're either too busy when the update notification arrives or are reluctant to interrupt their work.

One of the most prominent data breaches, the Equifax hack, could have been prevented. Employees were informed about a potential vulnerability and given 48 hours to apply a patch. Unfortunately, they failed to do so, and two months later, hackers exploited the vulnerability.

Automated updates are a solid approach, but designating a reliable individual to ensure regular updates on all company devices, in addition to emphasizing the importance of updates in training, is even more effective.

3. Limit Access to Sensitive Data

A Varonis report indicates that almost two-thirds of companies grant employees access to over 1,000 sensitive files, with some financial services employees having access to a staggering 11 million files. This access often extends to complete control, allowing individuals to open, copy, modify, and delete valuable data.

However, it's relatively easy to restrict access to sensitive files for those who don't genuinely require it. Initiating measures like limiting drive access to necessary personnel and protecting sensitive documents with passwords provides a straightforward starting point.

Need Expert Help?

Concerned about your business's cybersecurity vulnerabilities? WildFrog Systems in Abbotsford, BC, specializes in IT services and tech support. We can provide advice, implementation, or a cybersecurity audit tailored to your specific needs. Contact us at 604-210-9811 for assistance in bolstering your cybersecurity defenses.

How to Spot Phishing Emails | Chilliwack Tech Support

Your email is the gateway to the soul of your company. And hackers know it! In fact, according to a 2018 survey, 90% of cyber attacks and breaches started with a rogue email.

So, why do the bad guys specifically target email? They do it because IT companies have become so awesome! No… really! Technology protection has really improved over the years. Gateway protection has increased. Antivirus effectiveness has increased. So, now, the potential exploitable chink in a company’s armour is that 1 well-used route in… the route where a non-IT-trained human may be manning the door. All it takes is 1 click on 1 link.

Well, how do you spot a phishing email? To help you spot a potential attack, let’s look at a few examples.

[Image: phish 2.png]

The CRA is a popular agency that scammers love pretending to be, in an attempt to intimidate you into responding. They are relying on an emotional response. There are 3 red flags in this email.

  1. The email address is definitely not from the CRA. Whilst they do sometimes email people, they will only ever send you a link to a page, form or publication that you ask for during a phone call or meeting with an agent. In fact, they have a great page on their website on how to avoid CRA fraud scams.

  2. This email does not identify who it was sent to specifically (i.e. your name is not mentioned anywhere).

  3. If you hover your cursor (just hover… don’t click!) over the link, you will get a pop-up box showing you the actual web address it will take you to. Chances are it is NOT a legitimate site! (A quick Google search for the real CRA website will verify that.)

Not all scam emails are this simple, though. Some hackers are now getting better at making their email look legit. They will use logos to look more authentic or email addresses that are closer to the real thing.

[Image: phish 3.png]

It looks way slicker, but it contains the same red flags as the simpler CRA version:

  1. The email address is not an Amazon one… although, it does look VERY close. A quick glance may miss the fact that there is a letter missing from the word Amazon.

  2. Again, a name is missing.

  3. Hovering over the link reveals a non-Amazon website.

Here is another:

[Image: phish 4.png]

Once again, the email is using logos, the content looks genuine, correct spelling and grammar is used, and they have even made the link look like a genuine one. However, hovering over that link will reveal its true destination!

[Image: phish 5.png]

The Champion-Level Phishing Emails

More recently, we have seen a new level in phishing emails that look scarily genuine.

Here is an example that appears to come from Microsoft themselves:

Scary, right? They have even spoofed an IBM email address. (Although keen observers will spot that an Office 365 email will come from Microsoft rather than IBM!) Once again, your greatest defence is to hover over the links to see where they go. In this case, though, you would be much better off just going to your Outlook account itself to see if there are any stuck emails in there.

Protect Yourself

Prevention (& protection) is definitely better than cure! This can be done by having the right configuration for your email, the best security tools (anti-virus, mailbox back-up etc.) and educating all staff in the dangers.

So… to recap, here are the things to look out for to spot those dodgy emails:

  • Check the sender return address – Does it match the company’s actual email domain? (e.g. something like Microsoft Security Team <MailTo: MichaelScott@OutlookMailMan.Com> looks close… but is definitely not from Microsoft, whose email addresses end in Microsoft.com!)

  • Check the message content – How is the spelling & grammar? Does it create a sense of urgency? Does it want you to take action? Is it asking you to click links?

  • Hover over URLs – Do they look suspicious? (e.g. http://kjerjvitb.adomain.com/loadvirus/clickmypage.html )

  • Are you expecting it?

  • Don’t open attachments unless you absolutely know what they are. (Especially zip files! They are only needed for very large files like designs or presentations. A resume or similar Word doc should not need to be zipped!)

  • Non-executable attachments (PDF etc.) can also redirect you to a website.

  • Have Backups! Backup your backups!

  • Don’t log in from any link! If you do want to check your account somewhere, open a separate browser window and go directly to the company’s official login page.
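The sender, link-hover and missing-name checks in the list above can be automated for triage. This is an added example, not WildFrog’s code or a product of the article; it assumes a hypothetical brand-to-domain list, a constructed sample message, and a recipient name supplied by the caller.

```python
import re
from urllib.parse import urlparse

# Hypothetical brand-to-domain list; a real deployment would maintain its own.
KNOWN_DOMAINS = {"microsoft": {"microsoft.com"}, "amazon": {"amazon.com", "amazon.ca"}}

# Constructed sample message showing the red flags from the checklist above.
SAMPLE_FROM = "Microsoft Security Team <MichaelScott@OutlookMailMan.Com>"
SAMPLE_HTML = ('<p>Dear Customer, your mailbox is full. Act now:</p>'
               '<a href="http://kjerjvitb.adomain.com/loadvirus/clickmypage.html">'
               'https://outlook.office.com/mail</a>')

ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # crude, not a full HTML parser

def edit_distance(a, b):
    """Levenshtein distance, used to catch 'amzon'-style lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the real return address, ignoring the display name."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).rsplit("@", 1)[-1].strip().lower()

def red_flags(from_header, html, recipient_name):
    """Return human-readable warnings; an empty list means nothing fired."""
    flags, dom = [], sender_domain(from_header)
    label = dom.split(".")[0]
    for brand, legit in KNOWN_DOMAINS.items():
        # Display name claims a brand but the address is not on that brand's domain
        if brand in from_header.lower() and not any(
                dom == d or dom.endswith("." + d) for d in legit):
            flags.append(f"sender claims {brand} but address is @{dom}")
        if label != brand and edit_distance(label, brand) == 1:
            flags.append(f"lookalike domain {dom} resembles {brand}")
    for href, text in ANCHOR.findall(html):  # the automated 'hover' check
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if "." in text and shown and real and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
    if recipient_name.lower() not in html.lower():
        flags.append("recipient name never appears")
    return flags
```

Running `red_flags(SAMPLE_FROM, SAMPLE_HTML, "Pam")` on the constructed sample raises all three warnings; a message from a genuine subdomain with matching link text and a personal greeting returns an empty list.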

We hope that this helps your business avoid any future disasters. Ransomware from phishing links is an increasingly common and very expensive problem.

If you are still worried about being at risk, our team will be more than happy to help. We help many Fraser Valley businesses make sure they have the right safeguards in place. We are also experienced in coming to the rescue of businesses who have fallen victim.

Spear Phishing and How To Avoid It | IT Services in Abbotsford

You have probably already heard of phishing – after all, it is everywhere these days. That’s why we want Fraser Valley businesses to be aware of a specific kind: spear phishing.

From the good old-fashioned Nigerian prince email all the way through to the CRA phone scam (also known as voice phishing or vishing), the scammers cast a huge, wide net as far as they can and wait to see if anyone bites.

Spear phishing, though, is different in that they target a specific person – usually someone in a large company with access to valuable data or finances. Before they are contacted, the scammer will take the time to do some research on their intended victim, mostly online through social media accounts etc.

Using the personal information that they have gathered, they will then contact this intended victim, making their email as personal and legitimate-looking as they can. It may be an application for a job that they know the company is recruiting for, or a faked email from a friend claiming to have a link to a new menu from a favourite restaurant. Of course, that link or document will be malware-infected. Once clicked, the hacker either gains access to company data or can plant a crypto-locker virus for ransoming.

Most spear phishing is aimed at mid-tier employees. However, there are a few brave spear-phishers who will sometimes target someone at the top of the company tree, like a CEO, CFO or senior manager. When this happens, it is called whaling.

How can your business prevent this kind of phishing?

  • Education is a key one here. Making employees aware that this can happen will go a long way! Advise them to keep their social media content as private as possible (after all, that is as much for their own personal benefit as yours!).

  • Make sure all employees know what to look for in fake emails (such as poor spelling and grammar, or checking link addresses before clicking them by hovering the mouse pointer to see a pop-up box of the address). If you get a link claiming to be from a certain bank or company, open a browser window, go to the bank/company website directly and compare their actual address to the one you see in the email.

  • Limit data to the people who need it. If you keep data on shared drives, make sure sensitive data is housed on separate drives (e.g. a drive for Accounting only, a drive for customer lists only etc.) and only give people access to the areas/drives they need to do their work.

  • Keep all software, anti-virus programs and firewalls up-to-date.

  • Back-up, back-up, back-up!! Back-up your data well and back-up often!!

If you are worried about your company’s potential vulnerabilities, give our team in Abbotsford a call at 604-210-9811 or email support@wildfrogsystems.com.