When it comes to protecting an organization’s assets, the best solution is taking a layered security or defense approach. Using a layered approach, when planning any organizations cyber security strategy ensures that even if an attacker successfully penetrates one layer of defense, they may be stopped by a successive layer. Rather than waiting for a cyberattack to hit endpoints, layered security takes a holistic view of cyber security accounting for a multitude of attack vectors in which cyber attackers may recognize in their pursuit of sensitive data.
A survey conducted by GetApp reports that 43% of employees do not receive regular cybersecurity training and another 8% report never receiving any training at all. The statistics do well to highlight the sheer level of exposure businesses across industries have towards cyber-attacks including ransomware and phishing attacks.
For small business owners, cybersecurity remains of the most difficult challenges to approach. As mentioned in previous Packetlabs blog posts, small businesses account for 43% of cyber-attacks, leaving them wide open to massive liabilities, including complete business closure. In fact, according to the U.S’ National Cyber Security Alliance, 60% of those small businesses are unable to sustain business operations within 6 months of a cyber-attack.
Among small business cyber-attacks, web-based attacks, social engineering and malware, including ransomware, are among the top three culprits. Understandably, as cyber attackers develop new techniques to exploit cybersecurity vulnerabilities, businesses must bolster their own security efforts in parallel, in order to maintain their security posture
One of the key attack vectors where employees are consistently targeted is social engineering which can summed up as ‘the act of manipulating an individual into divulging confidential information.’ Through the use of carefully campaigned phishing attacks, hacks utilize social media and research to establish a relationship with an organization’s employees. Once established, a cyber attacker will then exploit the relationship to gain the victims trust with the end goal of eventually stealing the information required, often in the form of credentials. For example, obtaining a password might allow an attacker to infiltrate an organizations infrastructure.
Frequently, unsuspecting employees are tricked into providing an attacker access to sensitive company data. An attacker will typically investigate an individual or it’s organization before carrying out planned attacks such as business email compromise and spear phishing. Phishing is the practise of sending emails appearing to come from a well-known, trusted organization asking recipients sensitive information including passwords, account numbers, ID credentials or otherwise.
Business Email Compromise (BEC): Business email compromise is a form of cyber attack which uses email fraud to attack organizations to achieve a specific outcome that negatively affects the target organization.
Spear Phishing: The fraudulent practice of sending emails purportedly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
In spite of these daunting threats, only 27% of companies deliver social engineering awareness training of any kind for their staff according to the survey. As well, nearly 75% of businesses are vulnerable, threatening customer, employee and company data. With these two statistics alone, it goes without saying that the need for more substantial cybersecurity practises and systems is critical.
Layered Cyber Security
As discussed in previous blog posts, small businesses are just as much of a target for cybercrime as large organizations. For small businesses, as well as large enterprise organizations, investing in cybersecurity needs to take a layered approach. It is not enough to invest in cybersecurity infrastructure, technology and staffing alone; businesses must invest in on-going training for all level of staffing in order to completely address the threat. This methodology adds an additional layer of protection to sensitive company data.
It is imperative to assess the knowledge breadth of your employees when it comes to cybersecurity threats. Reason being is employees are often the “low-hanging fruit” that attackers will utilize to access your organization. Many employees leave their workstations online overnight, or may even have mobile devices they use to work from home; this translates to round the clock internet connectivity leaving businesses wide open to attack.
Routine, up-to-date cyber security training will help to arm your employees with the required tools to prevent or reduce the threat of an attack. This translates to a heightened security posture for the overall environment of the business. When employees are aware of the characteristics of cyberattacks, they are far less likely to fall for an attack scheme. One way for organizations to assess their overall security posture and awareness of their organization is carrying out objective-based penetration testing.
Objective-based Penetration Testing
An objective-based penetration test (OBPT) goes a long way in assessing the true vulnerability of your business to cyber-attack. In addition to standard web application and infrastructure penetration testing, an OBPT can assess staff knowledge of phishing techniques, basic physical security measures, password policy, adherence to security policy and overall employee awareness and compliance. A well-executed OBPT will highlight the gaps allowing a business to prioritize and strengthen their security.
For more information on objective-based penetration testing, or anything you read here, please do not hesitate to contact us!