
Cybersecurity and the (good) habit of learning to close doors

Would you ever leave your car parked with the door open and the keys in?

The physical world has trained us to forestall possible attacks with small precautions: locking the front door, taking the keys out of the ignition, avoiding dark alleys. Each of these everyday actions, conscious or not, is there to protect us, and the same should apply in the virtual world, which is not so virtual after all. With the rise of remote work, accelerated by the pandemic and the related restrictions, the number of openings available to anyone near us has grown, in both technical and physical terms. Gestures we consider harmless, such as leaving a PC unlocked and unattended even for a few minutes, carry the same risk as leaving the front door open.

Computer security has been discussed for many years, but only recently have companies become aware of the issue, also because of the exponential growth in attacks. The market offers several solutions built to protect us, but too often attention goes only to the technical side, with no weight given to the real weak link: the user.

The data show that most of the breaches companies suffer are caused by staff who are not adequately prepared to recognize an attack. This lack of sensitivity to risk means that users unwittingly become accomplices of cybercriminals, often through trivial actions such as opening a malicious file or a link received by email. It is precisely this naivety and lack of knowledge that drastically lowers a company's defenses. Studies have shown that almost half of all attacks on companies are carried out through phishing or social engineering, practices aimed at manipulating the user in order to steal confidential information.

In phishing attacks, cybercriminals send emails to millions of recipients containing Trojans or links to compromised sites. Once a victim takes the bait, an attack chain is triggered that, in the typical case, encrypts company data and demands a ransom for its decryption.

A social engineering attack, by contrast, is far more sophisticated and usually targets a specific company. Gathering information is essential for this kind of crime, and it can be supplied directly and unknowingly by company staff responding to simple techniques and apparently harmless questions. One widely used technique is "baiting": very often a USB stick left in a company common room which, once picked up and plugged into a PC, allows the criminal not only to take control of that machine but also to reach the rest of the network, without the employee noticing anything. Pretexting is also widespread: the attacker begins by building trust with the victim, impersonating colleagues, police, bank or tax officials, or other people with the authority and the right to know, and asks legitimate-sounding questions through which personal and business data are collected. That information then lets the attacker either access company data directly or craft perfectly targeted phishing emails that are hard to recognize as such: emails asking users to change their passwords and providing a link that redirects them to a web page made to look legitimate, where the attacker harvests their credentials.

It is now clear why attacks of this kind sidestep technical defenses such as firewalls and antivirus: they mainly exploit human weaknesses, and so they become more effective the lower the users' awareness is. Specific training and knowledge of the main techniques are fundamental to strengthening company defenses, because risks can be reduced only by learning to handle these and other situations.

Awareness courses, organized in partnership by DOS Group SA (www.dos-group.com) and OPENPOP SA (www.openpop.eu), are a fundamental and integral part of a defense strategy against cyber attacks, and they cannot be delivered online, as is often proposed, because their effectiveness depends on the "seeing is believing" principle. Practical demonstrations inside the company are part of employee training and risk awareness. This training, together with periodic security audits, also includes a series of activities that go beyond the strictly technical sphere and test employees' ability to react to attack attempts.
