Employees in customer service and security industries have the worst cybersecurity email performance, with hospitality sector workers scoring the lowest in multiple categories, a new data security report has found.
According to the report, released July 10 by California-based global online security firm Proofpoint, Inc. (NASDAQ:PFPT), end users in the education and transportation industries struggled most, incorrectly answering, on average, 24% of audit questions.
The report, Beyond the Phish, found in security audits across 16 industries that one in four questions regarding phishing – attempts to gain entry to data systems via email – was answered incorrectly.
But, as with most workplace privacy and security issues, the best prevention is in education.
The RCMP describes phishing as a general term for e-mails, text messages and websites fabricated and sent by criminals but designed to look like they come from well known and trusted businesses, financial institutions and government agencies. The aim of phishing, also known as brand spoofing, is to collect personal, financial and sensitive information.
The report found the education, transportation, healthcare and manufacturing sectors to be most susceptible to cyberattacks, calling the situation a significant knowledge gap that underscores the importance of security training.
The report said 83% of organizations worldwide experienced phishing attacks in 2018.
“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Proofpoint vice-president of security awareness training strategy Amy Baker. “Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect their and their employers’ data, making end users a strong last line of defence against cyber attackers.”
Proofpoint security awareness training strategist Gretel Egan said such education should be more than an hour once a year.
Egan said cyber attackers are targeting people year-round and that needs to be countered with ongoing awareness work. She explained that attackers use company organizational listings to find vulnerable people. Organizations are not responding with a similar people-centric defence process, she said.
What’s more, Egan explained, social media can let attackers know what’s going on in a company and provide clues for attack options. For example, an employee might post online that their boss is away and an easy week is ahead. That’s an entry point for an attacker, Egan said.
From least awareness to most awareness, the report analyzed millions of answers in the areas of:
• identifying phishing threats;
• protecting data throughout its lifecycle;
• compliance-related cybersecurity directives;
• protecting mobile devices and information;
• using the internet safely;
• cybersecurity concerns for working adults;
• physical security risks;
• using social media safely;
• working safely outside the office;
• cybersecurity concerns unique to executives;
• social engineering and related scams;
• unintentional and malicious insider threats;
• passwords and account authentication; and
• avoiding ransomware attacks.
And the report found employees struggled most with issues around mobile device encryption, protections for personally identifiable information, the role of technical safeguards in preventing successful social engineering attacks, distinctions between private data and public data, and actions to take following a suspected physical security breach.
However, the report found, while issues may be spread across organizations, it’s often executives who need the most education.
“Executives are often excluded from security awareness training—despite needing it the most,” the report said. “They wield authority. They hold key relationships. And they have access to some of their organizations’ most sensitive data.
“For these reasons, including C-suite members and other top-level workers in every cybersecurity education plan is critical.”
Egan said a top-down approach to cybersecurity is a best practice. “It’s so important for a top-down perspective to impress upon the average employee that they are important enough to be a target.”
The RCMP suggests people be suspicious of any email or text message urgently requesting personal or financial information. The force suggests verifying the message by contacting, by phone, the organization that appears to have sent it.
And never email personal or financial information.
Police also recommend avoiding embedded links in an e-mail claiming to lead to a secure site. As well, they recommend examining a website's address line to verify if it displays something different from the address in an email.
The Canadian Anti-Fraud Centre’s phishing pages say two types of such fraud are targeting Canadian businesses: the business executive scam and the financial industry wire frauds.
In the first, also known as business email compromise, the potential victim receives an email that looks like it came from an executive in their company who has the authority to request wire transfers. The email instructs the recipient to make a payment, typically of more than $100,000, to a specified destination bank account.
In the second type, Canadian financial institutions and investment brokers receive fraudulent email requests from someone they believe to be an existing client, but the requests are in fact sent from the client’s compromised account.
The fraudster requests that the financial institution or investment broker transfer funds to a foreign bank account.