When the CEO of a large company received an email from his daughter’s school, it seemed fairly innocuous.
However, it actually contained malware that rapidly infiltrated the organisation when he opened it. The message had been sent by hackers who spotted the ideal opportunity after the CEO’s wife posted a message about their daughter on Facebook. They were quickly able to compromise the school’s email account and send what looked like a perfectly legitimate email.
This highly sophisticated spear phishing campaign is a real-life example regularly used by IT professionals when providing security training. The unnamed victim of this attack was normally diligent when it came to IT security, but the hackers exploited a weakness – as they did with recent attacks on telecoms provider TalkTalk, dating website Ashley Madison, health insurer Anthem and US retailer Target.
As this diverse list of victims shows, no one is off limits when it comes to hacking. Any business that holds a large amount of data on individuals is a viable target. So what can HR teams do to ensure employees have the necessary tools to ward off these sorts of attacks?
The depressing reality is that despite the best efforts of companies to educate employees on the dangers of cyber attacks, if competent hackers are determined to infiltrate an organisation there is a strong chance that they will eventually find a way.
As Colin Tankard, managing director of data security company Digital Pathways, explains: “It’s less a case of if you are going to get hacked and more a case of when.”
This might sound overly dramatic, but when you examine the numbers it’s clear that there is significant cause for concern. PwC’s Information Security Breaches report published earlier this year revealed that nine in 10 large UK firms had been victims of cyber attacks. Furthermore, a number of hacking attacks had been successful as a result of basic employee mistakes.
According to security experts, on average 60% of phishing email recipients open them and 11% click on a link or attachment even if it comes from someone they don’t know or trust. More worrying still, many of these hacks go undetected until it’s too late.
“Statistically it takes a minute to hack a system, but months to detect,” says Tankard. “The average time for detection is nine months so in that time the hacker has made themselves very comfortable, invited all their friends around and who knows where they have left a little message just in case they want to come back later.”
What drives hackers?
The challenge facing employers is made even harder because of the different motivations of hackers.
“This isn’t just about criminals and gangsters,” says Steve Hearsum, development consultant at Roffey Park. “People are doing it for fun and for the challenge. It’s a social activity for some and that’s why we need to understand this from a social point of view.”
This variety of motivation is particularly relevant when it comes to the internal threat. It’s difficult to gauge the full extent of the problem as many attacks undertaken by employees go unreported. However, according to IT security experts, a significant number of data breaches are perpetrated by staff, and this threat is usually heightened by a company’s culture.
“If you have a really poor culture you increase the risk of employees settling scores,” says Hearsum. His view is supported by Robert Willison, senior lecturer at Newcastle University Business School, who has undertaken research into what motivates workers to carry out this sort of abuse. He says that a number of factors can trigger attacks.
“Maybe someone didn’t get the pay rise they expected, or one person is earning more than someone else doing the same job, or maybe they feel they are being bullied or mistreated by management,” says Willison. “Giving people the chance to voice any disgruntlement is very important because if they’re not given the opportunity it might fester and that’s where problems can occur.”
Educating employees around appropriate internet and email protocols is also vital. Dale Meredith, Pluralsight author for ethical hacking, says that although companies spend vast sums training staff to keep resources secure, they then fail to implement the necessary training when it comes to data security.
“Employees are complacent, particularly when it comes to password security and personal use of company devices,” says Meredith. “Training plays a vital role in educating the workforce and reinforcing how even the most innocent actions can have very serious consequences for security.”
It’s a view shared by Denise Hudson Lawson, enterprise learning architect EMEA at Pluralsight. “It is crucial to democratise the opportunity and enable everyone to upskill around cyber security,” she says. “Training and education will arm the workforce with the right skills to protect the business.”
One man tasked with providing this training is Vijay Rathour, vice president at digital forensics specialist Stroz Friedberg. He works with businesses to help improve their IT security, and an increasingly popular service is phishing campaign training. “We ask companies what would really test their organisation,” explains Rathour. “We then tailor a series of emails to make them look like material employees might receive, send them out covertly and check the click-through rates.”
Results can be varied – Rathour cites his experience of running a phishing campaign at one 30,000-employee organisation.
“About 60% clicked on the phishing campaign link,” he recalls. “It was such a travesty that the company immediately went back to the drawing board in terms of security.”
Taking a stance
Given the heightened risk of cyber attacks, some companies are taking an even more hardline stance. “One organisation said anyone who clicks on a phishing email three times is going to lose their job,” Rathour says. “A senior executive did and lost his job. It significantly raised sensitivities among employees who thought: ‘They actually mean it, we have to start paying attention’.”
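As an added illustration (not code from the article, Stroz Friedberg or any company quoted), here is a small Python script that performs the measuring step Rathour describes: it reads a constructed log of simulated-phishing sends and clicks, reports the click-through rate per campaign, and lists who has clicked in three or more campaigns, the threshold in the policy quoted above. The log format, the user names and the three-campaign threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample log: one line per simulated-phishing event, "campaign,user,event".
# "sent" means the test email was delivered; "click" means the link or attachment was opened.
SAMPLE_LOG = """\
2015-Q1,alice,sent
2015-Q1,alice,click
2015-Q1,bob,sent
2015-Q1,carol,sent
2015-Q1,carol,click
2015-Q2,alice,sent
2015-Q2,alice,click
2015-Q2,bob,sent
2015-Q2,carol,sent
2015-Q3,alice,sent
2015-Q3,alice,click
2015-Q3,bob,sent
2015-Q3,bob,click
2015-Q3,carol,sent
"""

def parse_log(text):
    """Return {campaign: {"sent": set(users), "click": set(users)}}."""
    campaigns = defaultdict(lambda: {"sent": set(), "click": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        campaign, user, event = line.split(",")
        if event not in ("sent", "click"):
            raise ValueError(f"unknown event {event!r}")
        campaigns[campaign][event].add(user)
    return campaigns

def click_through_rates(campaigns):
    """Percentage of recipients who clicked, per campaign (0-100, one decimal)."""
    rates = {}
    for name, data in campaigns.items():
        sent = data["sent"]
        clickers = data["click"] & sent  # count a click only for a known recipient
        rates[name] = round(100 * len(clickers) / len(sent), 1) if sent else 0.0
    return rates

def repeat_clickers(campaigns, threshold=3):
    """Users who clicked in at least `threshold` distinct campaigns (assumed policy)."""
    counts = defaultdict(int)
    for data in campaigns.values():
        for user in data["click"] & data["sent"]:
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

With the sample above, each campaign's rate and the repeat-clicker list give a training team the same two numbers Rathour's campaigns are judged on: how many people clicked this time, and who keeps clicking.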
Not every business will feel comfortable adopting such measures, but as a bare minimum organisations need to offer more extensive IT security training, with change driven by senior management and the HR team. It’s not a foolproof strategy – nothing is when it comes to warding off hackers. But it could help companies avoid becoming the next Target.