As the saying goes, “you’re not hurt and care less about what you don’t know”. Over time you may wonder how a secret shared between two people becomes known to others even when no one deliberately discloses it. The same applies when networks are hijacked, breached, and penetrated. Cybercriminals do not need to be told how to reach the valuable information on private networks; they find their way in by exploiting the activities and network behaviour of employees within firms.
The widely recognised problem of lack of cybersecurity awareness has contributed greatly to significant compromises of networks, applications, systems, devices, and data. The surprising part is that even after suffering losses from cyber events, many enterprises remain uninformed about how to put resilient norms and security cultures in place to effectively protect their systems and network resources.
Even though technology has evolved and times have changed, the goals and motivations of cyber crooks (hackers) have not. In the digitally connected world, hackers continue to target assets that can be easily monetised. The annual Uganda Crimes report states that the greatest share of reported cybercrime cases (about 80%) are financially motivated.
What enterprises have put into consideration
Organisations often look at their internal infrastructure and prioritise securing the assets most likely to be targeted and compromised for financial gain. The primary focus of cyber crooks is always on applications and systems that store financial data or other highly valuable information that can be sold on black markets (darknets) for profit. Such information includes personally identifiable information (PII), social security numbers, credit card details, user logins, and other sensitive data stored on those systems and applications.
The most critical factor, and the one most often overlooked, is the users of these systems: the people who have access to sensitive data, those who share valuable information across media platforms, and the users who have the authority to make financial decisions.
Question: Who would have more authorisation and access rights to systems and data than an executive in a firm?
About a week ago, it was reported in the news (The Guardian) that a train company sent its staff a cybersecurity test email, later described as a “cynical and shocking stunt”, promising a bonus to workers who had run trains during the pandemic. The staff had no idea they were being tested, and only learned afterwards that the email was a test of their cybersecurity awareness.
West Midlands Trains emailed about 2,500 employees with a message saying its managing director, Julian Edwards, wanted to thank them for their hard work over the past year under Covid-19. The email claimed they would receive a one-off payment as a thank you after “huge strain was placed upon a large number of our workforce”.
Unsurprisingly, most of the employees who received the mail clicked through for details, since they had no way of knowing it was a test. Those who clicked the link to read Edwards’ (managing director at West Midlands Trains) thank-you message were instead emailed back with a message telling them it was a company-designed “phishing simulation test” and that there would be no bonus. It warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”
NOTE: When internal staff lack awareness of common cybercrime attempts, the network and the valuable resources on it remain at risk of being stolen and exploited by data hunters (cybercriminals). It is the role of the IT security team to identify the gaps in the firm’s network security chain and find ways to close them, so that the enterprise’s valuable resources and sensitive information on the network are protected.
This is best done through repeated awareness sessions that educate and train staff on how attacks take place and how to respond to attack attempts when they occur. This helps to build a cybersecurity culture at the firm.
What is there to take home?
As cyber-attacks continue to evolve, cybersecurity awareness training and penetration tests have become increasingly important. These valuable assessments, performed by either in-house personnel or third-party service vendors, exploit vulnerabilities and security gaps to determine the security posture of an IT environment.
In fact, according to the 2020 Summit project frontline report, most data breaches begin with email compromise. This happens when users receive emails with attachments and, lacking awareness, click on them and end up downloading malware onto the network or their devices. Human beings remain the weakest link in the cybersecurity chain, often because of a lack of awareness.
Another fact is that most firms have been lax when it comes to conducting penetration tests on their network infrastructure. According to our 2020 security survey, 90% of respondents said they run pen tests once a year or not at all.
NB: Most institutions rely on technology and hold critical cyber assets but fall short on cybersecurity education. All employees require education on cybersecurity risks to avoid innocent mistakes that could undermine the confidentiality, integrity, and availability of information and services. A discussion with cybersecurity consultants would enable an organisation to craft and implement a seamless, customised cybersecurity policy, train its teams on the latest sophisticated attacks, and learn how to steer clear of them.