Let’s set the scene for this blog with a hypothetical situation:
It’s a chilly day outside and you’re getting ready to rush to work for a morning meeting. As you put on your coat and check your phone for train timings, you receive a text message from your water company asking you to pay your overdue bill by clicking on a link. You click the link, but the login page doesn’t load so you save it for later since your train departs in 15 minutes. In the next few days or even hours, a cybercriminal has locked your critical files and information.
Now let’s look at a real-world example of the recent Australia Post scam:
In March 2022, customers received legitimate-looking text and WhatsApp messages with details of the shipment of their parcel, along with an equally legitimate-looking link and website that asked for credit/debit card information. This prompted Australia Post to alert its customers to the scam through its website.
Smishing, the SMS version of phishing, is becoming increasingly common – the scam package includes professional-looking texts, the creation of urgency to pay bills, and tricking you into entering personal details. Australia Post is a large organization, but medium-sized and small organizations aren’t exempt from cyberattacks such as smishing.
“Every day, cybercriminals send out millions of smishing texts and phishing emails and wait for the receivers to fall into the trap. These scams are not targeted – making organizations of all sizes and scales susceptible to cyberattacks”
A recent report by IBM found that human error was a contributing factor in more than 90% of cyberattacks across the globe. In Australia, there was a 57% increase in phishing attacks and a 30% increase in identity theft in 2021.
The conversation around cybersecurity practices has radically changed in the last 3 years, reflecting the ever-evolving crafty methods that cybercriminals are employing.
Rudimentary cybersecurity solutions such as anti-virus software no longer provide complete protection to an organization’s IT infrastructure because the attackers are relying on employees unknowingly giving them the keys to the main door.
Once they’re in, the possibilities are endless – taking over your account to send fake emails, redirecting payments to different accounts, stealing IP for new products and selling it to competitors, etc.
As human error steps to the forefront of cybercrime targeting, cybersecurity training and awareness as a defence response is imperative across multiple departments of organizations.
With cybercriminals targeting human errors to launch attacks, everyday employees are being referred to as the ‘weakest links’ in the current cybersecurity conversation. But first, let’s understand a bit more about human error and how it happens.
Human error in cybersecurity is the unintentional action, or lack of action, by employees that enables a security breach or attack by hackers. It can be initiated by bad actors in many ways – an employee accidentally downloading a malware-infected email attachment, an attack that exploits weak passwords, or social engineering, where hackers manipulate employees into handing over sensitive information. Based on the level of awareness and knowledge of cybersecurity practices that an employee has, human error can be classified into:
Watch: Advanced Training’s Certified Cybersecurity Expert and Trainer takes you through EC-Council’s ‘Certified Secure Computer User’ course and how it helps organizations turn their employees into human firewalls: