Cybersecurity Training: Secure the Human

Posted on in Cybersecurity

Employees are the first and last line of defense in cybersecurity, which also makes them the most likely point of failure in a breach. With proper knowledge and training, you can change that. Most importantly, you must stay informed: as technology evolves, attackers evolve with it. Below are five current trends in social engineering attacks, and simple ways to address them.

  1. Phishing – a fraudulent attempt to obtain sensitive information, typically via email. These attacks pose as emails from trustworthy sources and carry believably urgent subject lines. For example, in 2016 a phishing email was sent to the Gmail account of Clinton campaign chairman John Podesta. The email claimed that someone had his password and that he needed to change it immediately by clicking the link provided. Consequently, his email was hacked. It can happen to anyone. When you check your email, be on the lookout for suspicious sender addresses, hover over links to see where they really lead before clicking, and never click a link from a source you do not know. If a message claims your password has been compromised, go to the service's account page directly rather than through the link. Podesta could have spotted this phishing attack based on the suspicious extension “” It never hurts to be overly cautious, so make it easy on yourself and check twice.

  2. Baiting – the use of physical media to install malware on a computer. Attackers label a piece of media, such as a CD or flash drive, and leave it where people will easily find it. Typically, the media is labeled to pique a victim’s curiosity, like “Vice President Q3 Salary Summary,” giving them ample reason to load it into their computer. The easiest way to avoid damage from baiting is not to take the bait: if you do not know where a piece of media came from, do not plug it into your computer. Many companies have gone further and established a policy that prohibits the use of flash drives entirely, often enforced by disabling removable storage on workstations so that the policy does not depend on every employee resisting curiosity.

  3. Water Holing – takes advantage of sites a person regularly visits: the attacker compromises one of those sites and uses it to deliver malware to the visitor’s computer. Even those who are naturally suspicious of cyber-attacks may lower their guard on a site, or in an email from an organization, that is familiar to them. To combat these attacks, companies should keep their systems continuously updated with the latest software offered by vendors, because a compromised site usually infects visitors through unpatched browser or plugin vulnerabilities. If you aren’t sure how secure your systems are, consider a vulnerability assessment to see where your organization is exposed.

  4. Spear Phishing – a fraudulent attempt to obtain private information through highly customized emails sent to a small number of users. While spear phishing is very similar to phishing, spear phishing emails have been reported to achieve open rates about 67% higher and success rates about 45% higher than generic phishing. For example, an employee may get an email that appears to come from their personal bank. Because people trust their bank, their guard is let down and they are likely to click on any link in that email. The information that makes such an email convincing, such as an employer, a bank, or recent activity, is usually found by the attacker on social media. The best way to protect your company and employees is again to train individuals to recognize, avoid and report suspicious emails. No one is immune to these kinds of attacks: different employees have different access to company data, and any of it may be valuable to an attacker.

  5. CEO Fraud – the impersonation of a CEO via email to obtain confidential information or to authorize payments. When an attacker hacks into the CEO’s email account, or convincingly spoofs it, it is easy to obtain the trust of employees. Attackers often target companies while the CEO is traveling, when it is difficult to verify the email’s authenticity. Organizations should be wary of frantic emails from CEOs while traveling. If an employee receives this kind of email, no action should take place without confirming the request with the sender over a channel other than email, such as a phone call to a number already on file, not one supplied in the message.
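As an added illustration (not code from the original post), the following Python script applies the rules of thumb from items 1, 4 and 5 above to raw email messages: it flags links whose visible text points somewhere other than their real destination, shortened links that hide their destination, an executive's display name paired with the wrong address, a Reply-To that diverts replies to another domain, and the pressure language these lures rely on. The company domain, the executive list and the three sample messages are constructed for the example. Note that the CEO-fraud sample is sent from the genuine account, as the post describes, so the address check passes and only the diverted Reply-To and the urgency wording stand out; that is exactly why the advice to confirm out of band matters.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation (an assumption for this example): the executives
# an attacker would most likely impersonate, with their real addresses.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
# Popular URL shorteners; a shortened link hides its real destination.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Visible link text that looks like a URL or a bare host name.
URL_TEXT_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|urgent(?:ly)?|wire transfer|right away|asap|confidential)\b", re.I)


def registrable(host):
    """Last two DNS labels ('myaccount.google.com' -> 'google.com').
    Deliberately crude: it ignores public suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text parts; assumes 7-bit text, no base64 decoding."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() in ("text/plain", "text/html"))


def header_findings(msg):
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display name {name!r} but sender address {addr}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        findings.append(f"Reply-To {reply_addr} is not the From domain {domain_of(addr)}")
    return findings


def link_findings(html):
    findings = []
    for href, inner in HREF_RE.findall(html):
        target = urlparse(href).hostname or ""
        visible = TAG_RE.sub("", inner).strip()
        if registrable(target) in URL_SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        if URL_TEXT_RE.fullmatch(visible):
            shown = urlparse(visible if "://" in visible else "//" + visible).hostname or ""
            if registrable(shown) != registrable(target):
                findings.append(f"link text shows {shown} but points to {target}")
    return findings


def urgency_findings(text):
    hits = sorted({m.lower() for m in URGENCY_RE.findall(text)})
    return [f"pressure language: {', '.join(hits)}"] if hits else []


def triage(raw):
    """Return human-readable warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = body_text(msg)
    plain = msg.get("Subject", "") + "\n" + TAG_RE.sub("", body)
    return header_findings(msg) + link_findings(body) + urgency_findings(plain)


# Constructed sample messages (not real mail). "phish" imitates the
# password-reset lure of item 1; "ceo_fraud" the travelling-CEO request of
# item 5, sent from the genuine account but diverting replies elsewhere.
SAMPLES = {
    "phish": (
        'From: "Google" <no-reply@google-accounts.example>\n'
        "To: user@example.com\n"
        "Subject: Someone has your password\n"
        "Content-Type: text/html\n\n"
        "<html><body>Someone just used your password to try to sign in.\n"
        "You should change your password immediately:\n"
        '<a href="https://bit.ly/abc123">https://myaccount.google.com/security</a>\n'
        "</body></html>\n"),
    "ceo_fraud": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        'Reply-To: "Jane Doe" <jane.doe.travel@webmail.example>\n'
        "To: payments@example.com\n"
        "Subject: Urgent wire transfer needed while I'm traveling\n"
        "Content-Type: text/plain\n\n"
        "I'm in meetings all day and can't take calls. Please wire the attached\n"
        "invoice amount immediately and keep this confidential.\n"),
    "benign": (
        'From: "IT Helpdesk" <helpdesk@example.com>\n'
        "To: user@example.com\n"
        "Subject: Monthly newsletter\n"
        "Content-Type: text/html\n\n"
        '<html><body>Read the <a href="https://intranet.example.com/news">'
        "news page</a>.</body></html>\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw) or ["no findings"])
```

These checks are heuristics for training and triage, not proof of legitimacy: a message that raises no warning can still be malicious, and a compromised executive account passes the address check by definition.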

Michele Fincher, chief operating officer of Social Engineer, describes it well – “Social engineering in general isn’t about how smart technically you are. It’s about what connects you to others, what makes you curious and angry and what might make you act without thinking.” If you haven’t already, take the next step and train the individuals in your organization to recognize, resist and report these attacks.