
Cyber Security Phishing Risks - A Simple Guide To Best Practice

  • Sophie Bickle
  • Oct 3, 2023
  • 4 min read

By Mike Cooke for Culture Gem - October 2023



It’s Cyber Awareness Month! You might know what that means, but does the rest of your team? Are you confident you could withstand a breach or bounce back if the unthinkable happens? Education is the best form of prevention and preparation - how much do you have covered and where can you improve?


By now, when you hear someone mention cyber security you probably glaze over and let your mind wander to more pressing topics, while fixing an “I’m interested” expression on your face. We all know what we should be doing, but do we actually have the time to do it? Maybe Cyber Awareness Month is the F5 key you need to reinforce industry best practices.


With 83% of cyber threats coming from phishing attacks (according to the UK Government’s Cyber Security Breaches Survey 2022) when was the last time your team ran a simulated phishing attack on all your staff?


21% of identified threats came from more sophisticated denial of service (DDoS), malware, or ransomware attacks. What preventative or combative measures do you have in place to overcome these attacks? Are you sure they’re up to date and fully functioning? Despite the relatively low prevalence of ransomware, 56% of businesses surveyed said they have a policy of not paying ransoms. If an attack has reached that stage, is this still the best policy?


These figures represent the 39% of UK businesses that had experienced some form of cyber attack in the 2021/2022 Cyber Security Breaches Survey. Now, maybe you’re thinking “39% is pretty low, we’ll be fine, we’ve never had anything serious happen before”, but put another way, 39% is almost 2 in 5 businesses. If you have worked with 4 other businesses, whether they’re your accountant, your bank, a client, or your window cleaners, 2 of you could need to respond to a threat.


Educating your team reduces your liability and gives you the best chance of combating cyber security threats. Remember, cyber security is not just a CyberSec team problem, it’s the shared responsibility of your entire company. So where should you start?


A black and white drawing of a padlock, with a stylised password entry box underneath.

1. Perform a spring (or maybe autumn) clean of access credentials

When was the last time you deleted old credentials from your network? You don’t need a disgruntled ex-employee to decide to attack you, you just need them to lose their laptop, not keep their OS up to date, or click on a phishing email, and those old credentials provide a route into your systems.

If a person or piece of software no longer needs access, remove it!


2. Limit access to the minimum required permissions


Does your company limit access credentials to the minimum required to perform each role or function on your network? Admin staff do not need access to your dev/prod/test servers and your marketing team do not need access to payroll systems. This is not only best practice from a security perspective but it also ensures compliance with UK GDPR (2018).

A black and white image of a cartoon character wearing a hat and tie. The character has a finger to their lips and a briefcase in their left hand. A giant padlock is depicted next to the image of the person.

Consider implementing access control groups to help manage the access requirements of each department. If you have a security breach from a phishing email on your marketing server, they should not be able to access your private or protected subnets.



Limit access to the minimum as standard.


3. Enforce a company wide password change

Simple, but effective! How often does your team change their passwords? The benefit of a new password is the same as having a brand new email address; they have never been used, so there is zero risk of them having appeared in a leak. The more often you update access credentials, the less chance they have of being leaked.

Change all passwords regularly to reset the risk and security exposure. #ResetYourRisk


4. Password best practice including multi-factor authentication

A line drawing showing a smartphone superimposed over a laptop, both with a stylised password entry displayed, with a tick on the laptop to represent 2FA.

Gone are the days of random letters, numbers and characters; these can be cracked in seconds, minutes or maybe even hours. Current best practice is to use a combination of 3 unrelated words, separated by a space. Including numbers and special characters also increases the strength of the password. Does your network allow spaces to be used in a password? If not, can support for them be added? Adding spaces substantially increases the amount of compute needed to crack your password. Now, even if you implement all of the above, the time it takes to crack a password is limited only by the amount of compute that is dedicated to the task. If someone wants to access your account, it is merely a matter of time until a computer will gain access. Do not rely on your attacker having limited resources.

Enforce multi-factor authentication across all of your accounts as standard.

Take advantage of online password strength tools to demonstrate this to your team.


5. Re-educate on how to spot a phishing email

A black and white image of a cartoon figure with a fishing rod, made to look as though it is catching folder of documents.

If you have followed all of the above, your network access credentials have been tidied up and your risk has been reset - but don’t stop there! We said earlier that education is the most important line of defence against phishing attacks, and you can do a lot of it with no dent to your opex budget. Send your whole team a reminder of how to determine whether an email is legitimate or not using a 10-step approach:

  1. Were you expecting the email?

  2. Is it from a known sender? E.g. Lloyds Bank

  3. Is it misspelt? E.g. Loyds Banc

  4. Is it from a public email domain? E.g. loydsbanc@gmail.com

  5. Are you the only recipient in the “Send to” field or is it a mass email?

  6. Is it asking for personal information?

  7. Is a response time sensitive?

  8. Does the target match the text if you hover over web links?

  9. Don’t click any links, search with a browser instead

  10. Does it have an unexpected attachment?
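One way to turn checks 2 to 8 of the list above into a training aid, as an added example that is not part of the original post: a small Python screen that reports which checklist items an inbound message trips. The sample email, the sender allow-list and the keyword lists are constructed assumptions; check 1 (were you expecting it?) needs a human, and this is an educational illustration rather than a mail filter.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real email) that trips most items on the checklist.
SAMPLE_EMAIL = """\
From: "Lloyds Bank" <loydsbanc@gmail.com>
To: staff@example.com, finance@example.com, hr@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Please confirm your password and date of birth immediately.</p>
<a href="http://login.loydsbanc.example/verify">https://www.lloydsbank.com</a>
"""
KNOWN_DOMAINS = {"lloydsbank.com"}  # assumed allow-list of senders you deal with
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed webmail list
PERSONAL_INFO = ("password", "date of birth", "card number")
URGENCY = ("urgent", "immediately", "within 24 hours")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings like 'loydsbanc'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_flags(raw):
    """Return short codes for the checklist items (2 to 8) that a message trips."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    # Compare the address local part, domain label and display name to known names.
    names = {local, domain.split(".")[0], display.lower().replace(" ", "")}
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    links = re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', body, re.I)
    checks = {
        "unknown-sender": domain not in KNOWN_DOMAINS,  # 2
        "lookalike-name": any(0 < edit_distance(n, k.split(".")[0]) <= 2 for n in names for k in KNOWN_DOMAINS),  # 3
        "public-domain": domain in PUBLIC_DOMAINS,  # 4
        "mass-mailing": len(getaddresses(msg.get_all("To", []))) > 1,  # 5
        "asks-personal-info": any(p in text for p in PERSONAL_INFO),  # 6
        "time-pressure": any(u in text for u in URGENCY),  # 7
        "link-mismatch": any(s.startswith("http") and urlparse(h).hostname != urlparse(s).hostname for h, s in links),  # 8
    }
    return [code for code, tripped in checks.items() if tripped]
```

Run `phishing_flags(SAMPLE_EMAIL)` to see every trip except check 3's display name, which is spelt correctly and is exactly why the misspelt address matters.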

6. Phishing is a dull topic so make it fun!

A week after you have sent your phishing reminder in step 5, schedule a game day. See if any of your colleagues fall for a spoof phishing email and simulate what you would do in the event of a phishing email breaching your systems. #ThinkB4UClick

Staying on top of your solutions minimises the risk.


Don’t let the European Cyber Security Awareness month pass you by without taking some form of action to improve your cyber security.


Culture Gem will be sharing infographics and other resources throughout #CyberSecMonth, keep an eye on our social media accounts by following the hashtags #CultureGem and #ResetYourRisk


