Blog by Calvin Platten, General Counsel, Ipro
It is important for a company to protect its cybersecurity to minimize opportunities for breaches and other situations where critical data may be leaked to unsavory characters. While the technical aspects of creating a secure network may be a job for IT, cybersecurity is the responsibility of all employees. The weakest link in a network is frequently a company’s own employees.
For example, phishing e-mails often proceed cyber-attacks. They are not just e-mail SPAM. They are e-mails targeting employees who have access to financial accounts, PII, and/or PHI. The following is information from the ISACA on the epidemic of phishing e-mails proceeding cyber-attacks throughout the U.S.
1. Intelligence Gathering
- It takes an average of 4 minutes from the time a phishing e-mail is sent until the victim opens it and clicks on the link or attachment.
2. Initial Exploitation
- Phase one Malware is installed when someone clicks on an e-mail link – Phase one Malware remains on the victim’s PC an average of 270 days without being detected.
3. Command and Control
- The Malware phones home to get instructions and goes silent – Antivirus Software can’t detect this activity.
4. Privilege Escalation
- ISACA found that 63% of data breaches were a result of stolen user credentials.
- By targeting an individual with just 10 phishing emails, 90% of the targeted users clicked the link and were compromised.
5. Data Exfiltration Occurs
- Cybercrime has evolved into a long game. When it comes to moving data off your network the hackers will end up using our own FTP servers, Webex, Skype, and other business applications that you need to run your business just because they can.
To prevent its employees from succumbing to phishing e-mails and other cyber scams a company needs to establish clear policies for cyber security, create a system where employees are encouraged to report breaches of the policies, continually review and update their policies, and discuss the up to date policies with all employees, not just management.