Company warns training is key to preventing data breaches

Thursday 22 December 2016

CI IT firm Logicalis is warning islanders to be more vigilant about opening emails after revelations that over one billion accounts were breached at Yahoo.

The security breach, thought to be the biggest hack in history, could have been caused by corporate phishing, in which hackers create a fake email address that looks like it has come from a trusted source.

When someone opens an attachment from the hacker, it will insert malicious code into a computer to steal data and potentially infect a whole network.

James Gilles, Technical Consultant, Logicalis, said: “People are usually the weakest link in a company’s security. Phishing is on the rise and the easiest way to help prevent your company becoming a victim is to train staff to be aware of the risks and how to avoid them.

“It’s so easy for hackers to create spoof email addresses, to make an email look like it’s from a company’s CEO or some other trusted source. This may have been what happened at Yahoo.”

Yahoo’s security breach, in which over one billion email accounts could have been compromised, took place in 2013; however, details were only revealed during an investigation into a 2014 security breach.

Mr Gilles added: “When a company is attacked like this, people may not know for years. When staff do accidentally click on something, and then have concerns, it’s best they feel they can come forward straight away so that the company can check it out. Companies need to have an internal policy in place otherwise they can end up thinking their system is secure, when it’s not.”

“Phishing is on the rise and the stats are scary. About 30% of people open phishing emails, and then another 12% go on to click the attachment. According to KnowBe4, in tests they have run on companies over the past two years, 82% of servers have failed to respond correctly to spoof emails.

“At its heart, phishing is a human problem exacerbated by and potentially solved by humans. Humans presented with phishing attacks often are easily deceived. The problem is that most have not been trained on how to process emails and not fall into the phish-traps. By giving users anti-phishing awareness training they learn to recognise the traps and how to avoid them.

“Anti-phishing awareness training is best when coupled with a bit of ‘light touch’ testing; those who get caught by the phish-bait can be redirected back to the training program as a refresher. Most importantly this training must not be a one-off but ongoing - if it is not reinforced, it won’t be remembered; and it has to be reinforced and updated as the phish-traps are ever present and ever evolving.”
