More than 300 Spar convenience stores have been affected by a significant cyber-attack on the company’s IT systems. Many of these stores have been forced to close until the true extent of the damage can be assessed. Any stores that have managed to stay open are operating on a cash-only basis, due to the damage caused to Spar’s till systems by the attack.

What caused Spar’s cyber attack?

The exact details of how Spar’s systems were compromised are yet to be discovered. However, it has already been disclosed that the company fell victim to a ransomware attack. This usually indicates that there has been a successful phishing attack, or that someone on the network has downloaded a malicious file.

How does a Ransomware attack work?

Ransomware is a form of malware, and the key to its objective lies in the prefix ‘ransom’. Ransomware infects an organisation’s IT infrastructure in much the same way as most malware, e.g. through targeted phishing attacks or malicious downloads, and its purpose is to hold the owner to ransom. Users – and indeed entire organisations – are locked out of their systems and told to pay a ransom (usually in hard-to-trace cryptocurrency) in return for unlocking the device.

Once the ransomware has gained access to an organisation’s system, it either encrypts the entire system or targets individual files, depending on the type of ransomware and the cybercriminal’s intent. Once the files are encrypted, the owner is locked out of their system until they either pay the fee or otherwise recover from the attack. The standard advice is not to pay the ransom, since there is no guarantee the hacker will return access to your system.


What types of Ransomware are there?

The type of threat posed by ransomware depends entirely on the type of ransomware used to infect an IT system. The two main categories of ransomware are Crypto ransomware and Locker ransomware, each described below.

Within these categories sit the specific ransomware strains, for example Bad Rabbit and the aptly named WannaCry.

Crypto Ransomware – what is it?

It is a type of malicious programme that encrypts files on a device, such as a phone or laptop, with the goal of extorting money from the owner.

There are two ways in which crypto ransomware is usually delivered:

  1. Files and links sent via email, instant messaging services or other digital communication channels.
  2. Downloaded onto a device using fake alerts and threats while utilising exploit kits and trojan downloaders.

Email, instant messaging, and digital communications

Emails and messages are sent to the target recipients containing links to, or attachments of, documents. However, these are not documents but executable programmes that, once run, activate the crypto ransomware.

These malicious files can look like Word, Excel, ZIP folders, or any other popular email attachment. The email itself does not trigger the infection but opening/downloading the attachments or links does.


Exploit Kits and Trojan Downloaders

Exploit kits can be thought of as digital toolboxes that cyber criminals plant on websites. They automatically probe each website visitor for a vulnerability in their security defences. If a vulnerability is found, the exploit kit automatically downloads and runs the crypto ransomware on the device.

Locker ransomware – what is it?

Locker ransomware is less dangerous, but only if you know how to deal with it. It attacks when an individual visits a compromised website, and it usually only attacks a single device.

A pop-up screen then appears, pretending to be from a well-known brand such as Apple, Microsoft or Norton, telling the user their system has a virus. It tells the user not to shut the device down and provides a telephone number to call for support. If the user tries to close the pop-up, it returns immediately, locking the user out of the device.

If a user falls for the pop-up and calls the number, a cyber criminal posing as a service technician establishes a remote connection to the device and asks for payment to fix the issue. They may also load other software onto the device and try to sell the user anti-virus software.

In some circumstances users that are not tech savvy may not realise they are being defrauded.

The solution is simple…

The solution is as simple as shutting down the device as soon as you are hit by Locker ransomware. Do not make the phone call, and do not pay any fees. Simply shut the device down and reboot it.

How to detect ransomware

The first step to protecting your IT systems is to ensure adequate preventative methods are put in place.

Prevention is made up of two components: a watchful eye and market-leading security software.

How to build a watchful eye

While most businesses understand the need to be alert to the dangers of cyberattacks, some do not invest in the most basic of defences – knowledge. There is no better preventative measure than ensuring all staff across an organisation understand the types of cyber threats they may be exposed to, how to recognise each of these threats, and what their role is to combat them.


Businesses should have an annually refreshed, mandatory cyber security training programme to ensure employees understand the basics of how to spot and combat cybercrime. This is not only helpful to an organisation’s cyber safety, but it can be applied at home by employees too.

There needs to be a culture of compliance created within the working environment to help develop a watchful eye in every employee within the organisation.

We offer a comprehensive range of Cyber Security and Information Security courses to help your business defend itself against cyber criminals.

Common Ransomware methods once a system infection has started

Once a system has been infected by a download or link click there are some tell-tale signs that individuals should look out for.

  1. Illegal content claims:
    Cybercriminals pose as law enforcement or a regulatory body. They will claim to have found illegal content on the infected computer and will ask for a penalty fee to be paid.
  2. Unlicensed applications:
    Much like the above, the cybercriminal will ask for a fee to be paid due to an unlicensed programme.

Unfortunately, most of the time, once a system is infected, a cybercriminal will be less subtle about ransoming an IT system than in the above examples. As in Spar’s case, business systems are shut down with no warning by the attacker. It is critical to use a comprehensive security software package, as well as training staff to be a business’s first line of defence against cyber-attacks.

Ikea Targeted by a New Phishing Scam

A new type of phishing attack has been uncovered after flat-pack furniture giant, Ikea, launched an internal investigation after noticing several malicious emails circulating throughout the business. Email Chain Hijacking is a new type of phishing scam that takes advantage of a weakness found in Microsoft Exchange servers.

Ikea adequately protected against the attack by encrypting all personal data. However, many other businesses remain vulnerable to this new type of attack.


What is Email Chain Hijacking?

Email Chain Hijacking is a key identifier of the prevalent SquirrelWaffle malspam campaign, which takes advantage of a vulnerability in Microsoft Exchange servers. SquirrelWaffle malware enables cybercriminals to gain a foothold inside organisations’ IT systems, allowing them to deploy further infections such as Qakbot, a well-known banking trojan.

Usually, with phishing attacks, imposter emails attempt to mimic an organisation’s emails and domain. Once an individual clicks on the link, malware is downloaded and the systems are infected. With Email Chain Hijacking, emails are sent via the organisation’s actual servers. Cybercriminals reply to existing email chains and embed malicious links or attachments within them.

Once the hacker has access to an individual’s email account, they find an email chain to use and then reroute the replies to a separate folder, such as the trash folder. The person whose email account is being used never sees the replies in the chain, which means the attack can go unnoticed for a long time.

This method makes it incredibly difficult for individuals to spot the phishing attack and react since emails don’t just look like they are from their colleague’s email addresses, they actually are.

How can Your Business Protect Against Email Chain Hijacking?

There are a number of things to do to guard against an email chain hack. These include:

  1. Ensure all email accounts use security best practices. This includes setting secure passwords and using multi-factor authentication.
  2. Regularly inspect email and inbox settings. Look out for rules that weren’t created by the user that intend to filter replies into a different inbox. If you spot this, contact your IT team immediately.
  3. Disable all Microsoft Office Macros where possible. Macros allow a user to personalise automatic and manual email replies and are a common vehicle of attack.
  4. Ensure your business has a quality and trusted Endpoint Detection and Response (EDR) security provider in place. If an email chain hack is successful, an EDR can stop the malicious code hidden in links and attachments from being executed.
  5. Increase your organisation’s knowledge with comprehensive training designed to raise employees’ awareness of cyber-crime and their responsibilities to protect the organisation.
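Point 2 above, the inbox rule that quietly diverts replies, is something a routine mailbox audit can catch. The following is an added example (not part of the original article, and not DeltaNet’s or Microsoft’s code): it runs those checks over a constructed export of inbox rules in a simplified dictionary shape, flagging rules that move or delete replies, forward mail outside the organisation, or carry an empty or one-character name. The rule field names, folder names, organisation domains and sample addresses are all assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Folders a user rarely routes incoming replies to; in a hijacked-thread attack
# they are used to keep the real owner from ever seeing the replies.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds",
                  "rss subscriptions", "conversation history", "archive"}

# Constructed organisation domains (assumption for the example).
ORG_DOMAINS = {"example.com", "mail.example.com"}


@dataclass
class Finding:
    rule_name: str
    reason: str


def is_external(address: str, org_domains: set[str]) -> bool:
    """True when the recipient domain is outside the organisation."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def targets_replies(conditions: dict) -> bool:
    """True when a subject condition singles out reply traffic ('RE:')."""
    return any(kw.strip().lower().startswith("re:")
               for kw in conditions.get("subject_contains", []))


def audit_rules(rules: list[dict], org_domains: set[str]) -> list[Finding]:
    """Return one Finding per suspicious trait found in an enabled rule."""
    findings: list[Finding] = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # a disabled rule cannot hide anything today
        name = rule.get("name", "")
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        target = actions.get("move_to_folder", "").lower()
        hides = False
        if target in HIDING_FOLDERS:
            findings.append(Finding(name, f"moves matching mail to '{target}'"))
            hides = True
        if actions.get("delete"):
            findings.append(Finding(name, "deletes matching mail"))
            hides = True
        if actions.get("mark_as_read") and hides:
            findings.append(Finding(name, "marks hidden mail as read"))
        for addr in actions.get("forward_to", []):
            if is_external(addr, org_domains):
                findings.append(Finding(name, f"forwards to external address {addr}"))
        if hides and targets_replies(conditions):
            findings.append(Finding(name, "hides replies specifically (subject 'RE:')"))
        if len(name.strip()) <= 1:
            findings.append(Finding(name, "empty or single-character rule name"))
    return findings


# Constructed sample export: one benign rule, one reply-hiding rule, one external
# forward and one disabled rule. The field names are an assumption, not a vendor schema.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".", "enabled": True,
     "conditions": {"subject_contains": ["RE:", "invoice"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"name": "Backup copy", "enabled": True, "conditions": {},
     "actions": {"forward_to": ["copy@attacker-placeholder.invalid"]}},
    {"name": "Old rule", "enabled": False, "conditions": {},
     "actions": {"delete": True}},
]


def sample_findings() -> list[Finding]:
    """Run the audit over the constructed export."""
    return audit_rules(SAMPLE_RULES, ORG_DOMAINS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[SUSPICIOUS] rule {f.rule_name!r}: {f.reason}")
```

Any rule the audit flags should be confirmed with the mailbox owner before it is removed, since a legitimate user may have created an unusual rule themselves.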


DeltaNet Cyber Security Collection

We provide a comprehensive collection of courses designed specifically to build awareness, knowledge, and capability to fight cyber-crime such as phishing. You can find out more here.

In addition to this, we have developed a revolutionary Phishing Simulation Tool. The tool allows organisations to test their employees’ resilience against phishing in the real world by staging simulated phishing attacks. You can send fake phishing emails to anyone and everyone in your organisation and report on performance. The Phishing Simulation Tool will make cyber risk owners aware of anyone who has failed the test, allowing for further training to be provided and increasing your organisation’s defences against phishing attacks and cybercrime.

Around the Black Friday and Cyber Monday weekend, employees will undoubtedly be distracted by looking for the latest bargains offered by retail stores both online and in-store. However, due to the ongoing effects of the pandemic, many employees are most likely to be shopping online. This weekend is also an opportunity for many employees to do their Christmas shopping ahead of time.

Unfortunately, this shopping weekend is a lucrative opportunity for cybercriminals to target shoppers, who may fall into the trap of phishing and social engineering scams. According to Kaspersky, online payment fraud surged by 208% between September and October 2021, with 1,935,905 financial phishing attacks disguised as e-payment systems during October.

With many employees also using company devices for personal use, organisations must remind employees on best practices for staying safe and secure online.

Top tips to advise employees:

1) Remind employees of stringent IT policies

Employees must be reminded to follow stringent IT policies, compliance, and to avoid using company-owned devices for personal purchases. While it can be tempting to keep an eye on bargains whilst working, employees should not be doing this on their work laptops or phones, even during break times.

2) Shop smartly

Tell employees to use only trusted websites to shop and use credit cards for payments over a secure connection – remember to check the website starts with “https://”. Don’t forget to monitor bank accounts for any suspicious activity, so banks can be alerted at once if scammers do manage to infiltrate bank accounts.

3) Be aware of phishing scams

Employees need to watch out for phishing and social engineering scams targeting shoppers with bargain prices – always triple check any URLs before clicking on them by hovering over the link. Support employees with phishing awareness training and check their alertness with our phishing simulation tool to truly understand if employees know how to spot a scam.

4) Remember good password hygiene

When logging into accounts for each online retail store, educate employees to use a solid, unique password for each one. Make sure the password contains a minimum of eight characters, a mix of upper- and lower-case letters, numbers and symbols. Good password hygiene will help reduce the likelihood of details being compromised in a data breach.

5) Use added security barriers such as 2FA & MFA

Where possible, teach employees to use two-factor or multi-factor authentication when logging into accounts, to prevent others from accessing them. If a password has been compromised or cracked by a cyber-criminal, multi-factor authentication requires the hacker to also bypass the one-time password, which is usually a code sent via email or text to your phone. This second barrier to entry makes it harder for hackers to get in and make purchases on the account.

6) Don’t fall for gimmicks

Employees must remain cautious of ads and prize contests (which are rife during this period) looking to pull consumer information and sell it to third parties. Remind them not to click on anything they don’t trust or that appears too good to be true. If in doubt, always check the URL domain.

7) Finally, don’t forget overall device security

It’s vital to keep security updated on all devices, including laptops, tablets and smartphones. Remind employees to use anti-virus software and backup all files. With IT vulnerabilities constantly appearing, employees must continuously update their devices when prompted or told by IT.

Get in touch today to talk to us about how our collection of Information Security Courses can help prevent your employees from being scammed around the holidays and further strengthen your organisation’s cybersecurity risk.


Phishing scams are one of the most successful methods cybercriminals use to cause a data breach. According to the 2020 Phishing Attack Landscape Report, 53% of respondents revealed that their organisation had seen an increase in email phishing attacks during the pandemic. Almost a third (30%) said that email phishing attacks had become more successful during this period.

Compared to other cyberattacks, organisations tend to be more susceptible to phishing attacks because phishing scams can easily target any employee. The report found that over a third of respondents (36%) were not confident that employees at their organisation could spot and avoid an email phishing attack in real time. In addition, 38% of respondents highlighted that over the past year someone within their organisation had fallen victim to a phishing attack.

With phishing attacks so prevalent in current times, let’s check out five of the biggest phishing scams in history (so far).

1. Facebook & Google – $100 million

The costliest phishing scam in history involved two of the biggest tech giants in the world, Facebook and Google.

The Lithuanian hacker, who targeted them both between 2013 and 2015, impersonated a Taiwan-based company, Quanta Computer, to send an elaborate fake invoice that cost them $100 million. Quanta Computer is an electronics supplier they both use, which is why the scam wasn’t obvious. Google and Facebook both worked with the authorities to recover some of the funds. This is a clear example of the importance of analysing all aspects of an email to check its authenticity.

2. Crelan Bank – $75.8 million

In 2016, Belgium-based Crelan Bank lost $75.8 million (approximately €70 million) to fraudsters who compromised the CEO’s email account, tricking an employee into wiring the transfer. The phishing attack was discovered during an internal audit.

This type of spoofing is also known as business email compromise (BEC): the attacker impersonates a company by hacking into a corporate email address and tricking customers, partners or employees into sending money or sharing confidential data. This is a clear reminder for all employees, regardless of seniority, to understand the importance of creating strong passwords that are not reused across multiple sites, and of using other security measures such as multi-factor authentication to improve the company’s security defences.

3. FACC – $55.8 million

Also in 2016, FACC, an Austrian aircraft manufacturer, suffered a similar business email compromise attack, spoofing the CEO’s email account. The cybercriminal instructed an entry-level accounting employee to transfer funds to an account as part of an “acquisition project”. The staff member wired the funds without doing due diligence.

Although FACC recouped around one-fifth of the loss, the company fired and sued the CEO and the CFO for failing to establish internal policies to prevent this from happening.

4. Upsher-Smith Laboratories – $50 million / $39 million

In 2014, a US drug company, Upsher-Smith Laboratories, lost more than $50 million over three weeks. This was yet another successful business email compromise attack on the CEO’s email account, which was used to send emails to an employee in accounts payable instructing them to transfer funds.

Luckily, the company recalled one of the wire transfers, reducing its loss from $50 million to $39 million (plus interest). The drugs firm also sued its bank for making the transfers despite multiple missed “red flags”.

5. Ubiquiti Networks – $46.7 million

Ubiquiti Networks, a US-based computer networking organisation, was swindled out of $46.7 million in a BEC attack in 2015. The fraudster impersonated the company’s CEO and its lawyer, asking the company’s finance department to transfer funds. The FBI (Federal Bureau of Investigation) alerted the company to the attack.

So, what can we learn from these phishing attacks?

A business email compromise is a phenomenally successful type of phishing attack, so employees and organisations must always do their due diligence when a particular email, even if it’s from the CEO, looks ‘phishy’.

Educate employees at all levels on how to spot a phishing email and provide further cybersecurity awareness training. Test your employees by using a Phishing Simulation Tool to launch a fake phishing campaign against them. This is a great way to find cybersecurity skills gaps in the organisation, allowing both security and L&D teams to provide focused phishing and security awareness training to those who need a refresher.


Phishing is a type of cyber-crime; in fact, it is one of the most common types of cyber-crime organisations encounter, costing on average just under £3M per successful attack.

Phishing works by targeting individuals, or entire organisations, via email, telephone, or text message and posing as a legitimate person/business requesting users to click on links to perform some type of action.

Phishing attacks often ask users to ‘confirm’ and share personal data such as passwords or credit card information, but the links contained in these types of attacks can also download malicious software, such as ransomware, onto the unsuspecting users’ computer.

Common features of phishing

Depending on how sophisticated the scammer is, phishing can take many forms and appear to be from a myriad of legitimate-looking senders. However, there are common characteristics to look out for when spotting phishing attacks:

  • Congratulations! – Often phishing scams are wrapped up in the disguise of a lucrative deal or offer intended to grab people’s attention and make them feel excited and/or lucky. You may have ‘won’ a competition or else be offered the chance to invest in a wonderful (but totally fictitious) product. Remember, if it seems too good to be true, it probably is.
  • Urgency – Phishing scammers don’t want to give you time to think, it’s one of the reasons people at work are more likely to fall for these types of attack – their thoughts are on other important tasks. Cyber-criminals want you to act fast, so if you encounter an email pushing a sense of urgency or insisting you do something ‘immediately’, it’s best to think twice. Legitimate organisations are unlikely to give you little time to act.
  • Links – If you’ve received a message asking you to click on a hyperlink, you can hover over it to view the actual URL it points to. Double check if this URL seems legitimate (is it misspelled? Does it seem to lead to a completely different website from where the source purports to be?). When in doubt, do not click! Visit the source directly and contact their customer team.
  • Attachments – if you spot an unexpected or strangely out-of-context attachment in an email, do not open it; delete it immediately. Very often these files contain malware or viruses that automatically download to your device.
  • Beware the sender – Keep an eye on the sender’s name; if you recognise it, ask yourself whether the tone of the email seems unexpected or out of character. If you’re in doubt, contact the person separately and check whether the message is real. If the sender is unknown to you, it’s ok to be suspicious about why they would contact you and how they got your details. If you’re unsure, it’s always best practice to forward the email to your IT department or contact the source directly yourself.


Common types of phishing to look out for

Whilst the goal of any phishing scam is to steal personal/sensitive data, there are many different types of phishing your employees should be aware of:

Email phishing

Not news to many of us, most phishing attacks are sent by email. Here, cyber-criminals register fake domains that impersonate genuine people or organisations, sending hundreds of thousands of generic requests to individuals, hoping just 1 or 2 will succeed in scamming somebody. Usually, the fake domain involves character substitution, e.g., using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’. Alternatively, the criminal may use the impersonated person or organisation’s name in part of the fake email address, hoping it will con a distracted recipient into thinking the address is legitimate.
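The hover-and-inspect advice given earlier and the character-substitution trick described here can be checked mechanically before anyone clicks. The following is an added example (not code from the original article or from DeltaNet) that classifies a link’s domain against a small allow-list of genuine domains, normalising the confusable sequences the text mentions (‘rn’ for ‘m’ and similar digit-for-letter swaps), and also catching a brand name embedded in another domain, a genuine domain used as a subdomain of a stranger, and one- or two-character typosquats. The allow-list, the confusable table, the second-level-domain heuristic and the sample URLs are constructed assumptions.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Constructed allow-list of the organisation's genuine domains (assumption).
TRUSTED_DOMAINS = {"example.com", "examplebank.co.uk"}

# Visually confusable substitutions; 'rn' for 'm' is the one the text describes.
# Multi-character sequences are listed first so they are replaced before digits.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

# Heuristic: under these second-level labels with a two-letter TLD
# (co.uk, ac.uk, ...) the registrable name has three labels.
SECOND_LEVEL = {"co", "ac", "gov", "org", "net", "com"}


def hostname(url: str) -> str:
    """Lower-cased host of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """'mail.example.com' -> 'example.com'; 'www.examplebank.co.uk' -> 'examplebank.co.uk'."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """Normalise confusables so 'exarnple.com' and 'examp1e.com' both read 'example.com'."""
    for lookalike, real in CONFUSABLES:
        domain = domain.replace(lookalike, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'unrelated', or a 'lookalike (...)' verdict for a link target."""
    host = hostname(url)
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    # A genuine domain placed in front of a stranger's: example.com.verify-now.net
    if any(host.startswith(t + ".") for t in trusted):
        return "lookalike (trusted domain used as subdomain)"
    if skeleton(reg) in {skeleton(t) for t in trusted}:
        return "lookalike (character substitution)"
    brands = {t.split(".")[0] for t in trusted}
    if any(b in reg.replace("-", "") for b in brands):
        return "lookalike (brand name embedded)"
    if any(edit_distance(reg, t) <= 2 for t in trusted):
        return "lookalike (typosquat)"
    return "unrelated"


# Constructed sample links of the kinds a hovered URL might reveal.
SAMPLE_LINKS = [
    "https://mail.example.com/inbox",
    "https://mail.exarnple.com/login",
    "http://examp1e.com/reset",
    "https://example.com.account-verify.net/x",
    "https://example-secure-login.com/",
    "https://exmaple.com/",
    "https://www.wikipedia.org/",
]


def audit_links(urls: list[str]) -> list[tuple[str, str]]:
    """Pair each URL with its verdict."""
    return [(u, classify(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_LINKS):
        print(f"{verdict:45s} {url}")
```

A verdict of ‘unrelated’ only means the domain does not resemble one on the allow-list; it says nothing about whether that domain is safe.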

Spear phishing

Spear phishing is a type of email phishing, but it involves targeting only one specific person or group of people (hence the ‘spear’ symbolism). Cyber-criminals who engage in spear phishing will already have some, or all, of the following information about the victim: name, workplace, job title, email address, information about their job role, social media account information and posts, friends list. This type of information-gathering is a form of social engineering and it works because it allows cyber-criminals to launch more targeted phishing attacks that look and feel more personal and therefore, more genuine. An example of spear phishing would be an email from your ‘manager’ asking you to click a link and complete a genuine-sounding task.

Whaling

Whaling attacks are an even more targeted form of email phishing and are designed to go after the ‘big fish’, e.g. senior management or the ‘C-suite’. Crafted with a solid understanding of business language/tone, whaling is a type of fraud designed to encourage victims to perform a business-related action, e.g. transfer funds or file tax information. Similar to other phishing attacks, whaling is often accompanied by a sense of urgency and preys upon the fact that their target will be busy and stressed-out by the request.

Smishing and vishing

In the instance of both smishing and vishing, telephones replace emails as the vehicle of attack. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation. A common vishing scam, for example, involves a fraudster posing as a bank or credit card representative and informing the victim that their account has been breached. The criminal will then ask the victim to provide payment card details to ‘verify’ their identity or to transfer money into a ‘secure’ account – of course, this account really belongs to the criminal.

Angler phishing

Referring to the ‘hook’ aspect of real fishing, angler phishing is a specific type of phishing attack that exists on social media. Using social platforms, attacks are launched from realistic-looking corporate social media accounts that, in actual fact, exist to post malicious URLs to cloned websites, and which propagate fake posts, tweets, and products. These accounts may also contact followers, urging them to divulge sensitive information or click links to download malware under the guise of a ‘competition’ or similar corporate marketing that mentions specific users.

How effective is your phishing awareness training? It’s easy to find out with our new phishing simulator tool! Click HERE to find out more.

DeltaNet International, a global eLearning provider of compliance training solutions, has today announced the availability of its Phishing Simulator, to help organisations strengthen their cybersecurity awareness training against phishing attacks.

This solution enables organisations to assess the effectiveness of their cybersecurity education, diagnosing vulnerabilities and identifying urgent skills gaps through realistic phishing simulations.

How likely is your organisation to become the next phishing victim?

The phishing simulation tool can be used simply to test the susceptibility of an organisation to falling victim to a phishing attack, but when combined with follow-up training to close knowledge and risk gaps, users can experience true added value.

The simulator allows users to choose from thousands of phishing email templates, or create new templates specifically for their campaign and fully customise the software based on their brand and requirements. Available direct or through resellers, it lets users simulate targeted spear-phishing attacks, such as lures that prompt clicks on malicious URLs or requests for personal information and passwords.

Automatically deploy training to users who ‘fail’ the test

The tool is delivered through the intelligent learning experience platform, Astute, which also makes it easy for businesses to deploy refresher eLearning to employees who ‘fail’ the phishing simulation through its cloud-based platform.

“Regardless of size, every organisation is under threat of phishing attacks and with the headlines constantly announcing the latest breach, it’s high time cybersecurity awareness training became a priority for all employees. All it takes is one click on a malicious link, and it could open your organisation to a cyberattack,” said Darren Hockley, Managing Director at DeltaNet International.

Organisational Resilience

“By simulating an attack, you can test the resilience of the employees within your organisation and then quickly deploy focused training to those employees that need it. This builds organisational resilience to cybersecurity risks and can continually be assessed and measured through multiple campaigns.”

Industry leading online learning content

Benefiting from high-quality eLearning and 20+ Information Security awareness training courses, users of DeltaNet International’s Phishing Simulator can automatically enrol participants who failed the phishing test onto any courses via Astute, or access other company policy documents and eLearning.

Business leaders can measure the effectiveness of the testing by tracking in real-time how employees have reacted to the fake phishing email, allowing security, compliance and HR teams to understand where to provide additional support to mitigate risk and reduce susceptibility to phishing attacks.

Impersonation phishing attacks

“With impersonation phishing attacks becoming increasingly common, we will additionally be working closely with our users to create highly personalised templates designed to test the vulnerability of their employees.

By impersonating considerable levels of familiarity, these emails will test even the most highly aware and vigilant employees, so organisations understand where to prioritise training,” added Jason Stirland, CTO at DeltaNet International.


We had hoped that 2021 would bear little resemblance to 2020, the year everything stood still. While this unfortunately hasn’t been the case, there is one group of people who haven’t been on pause – phishing scammers.

During the 2020/2021 global pandemic, the Federal Bureau of Investigation (FBI) reported that phishing scams increased from 114,702 incidents in 2019, to 241,324 in 2020/2021. Alongside this, the scams themselves have become more elaborate and more convincing. So here is a rundown of the phishing scams you need to be aware of in 2021.

Office 365 Phishing Scam

With employees having spent the last 18 months working from home, this scam has been developed to mimic a company’s IT department, asking people to respond if they want their details to stay the same on their Office 365 account. Once the individual clicks on the link, the scammer gets access to their computer. With employees not being able to visit their IT department in person, this phishing campaign has had some success. So, here is what to look out for to stop it from happening to you:

  • Check the sender email – is this actually your IT department?
  • Is it asking for unusual or personal identifiable information?
  • Bad grammar, or a different tone to usual?
  • Poor quality artwork/logo?

If any of the above seems inconsistent, or something smells a bit phishy, then get in touch with your IT team to find out.


Vaccine phishing emails

With the Covid-19 vaccine rollout in place around the world, phishing scammers are taking advantage of people wanting to get their vaccine by sending emails posing as official NHS emails. Things to watch out for:

  • Asking for you to open an attachment to book your vaccine, or to access vaccine appointment details. The official NHS emails will not ask you to do this. Remember, do not click on a link in the email until you are sure it is legitimate.
  • An urgent and/or capitalised subject line. Official vaccine sources are less likely to capitalise their entire subject line, and will appear more professional and less panic-inducing.

Here is an example of what the Covid-19 vaccine phishing emails look like:

[Image: example of a Covid-19 vaccine phishing email]

Royal Mail or other courier phishing emails/texts

With the reliance on online shopping during the pandemic, scammers have been exploiting this with fake courier emails and texts. Due to the increasing numbers of parcels being delivered, phishers have been finding success in sending missed delivery, or shipping fee emails/texts with phishing links attached. Most of the time, people are waiting for a delivery, so this can seem legitimate. Some things to look out for:

  • A missed delivery email/text when you haven’t ordered anything. These emails/texts work by scaring you into thinking someone has ordered something on your behalf, making you click on the link. A tip is to check your bank first: have there been any unusual transactions? If not, then contact Royal Mail (or the relevant courier) on their dedicated scam helpline ([email protected]). They will be able to confirm whether it is genuine or a scam.
  • ‘Unpaid shipping costs for your package’ – these are less believable, but they do sometimes catch people off guard. After all, you only have to click on the link, and with more people ordering from international sellers, shipping costs and tariffs are becoming more of an issue.

If you receive these kinds of communications, do the usual checks. Does this email look genuine? Does it have bad grammar? Who is the sender? If you are still unsure, contact the courier directly.

While these are some of the trending phishing scams over the past year, they are not the only ones being used. The sad reality is that new phishing techniques will be developed every day. However, there are things you can do to protect yourself and your business.

Click here for our tips on how to spot a phishing email, and here to help your business develop knowledge on cyber security and phishing with our Cyber Security eLearning collection.


After spending time and effort deciding upon the right cyber-security training solutions provider, agreeing and implementing said training, and then overseeing the roll-out with employees, you’d be surprised how often businesses drop the ball when it comes to measuring the fruits of their labour.

If you don’t measure the results, though, how can you know for sure the training is working? How do you know you’re doing enough to protect your company?

The good news is, you’re reading this article! So, here are some key principles and useful tools to bear in mind when measuring the effectiveness of your cyber-security training:

Identify skills gaps

Skills gaps are deficiencies in performance caused by lack of skills for, or knowledge about, the workplace (for instance, keeping business information secure).

In the short term, the goal of training is to bridge these gaps through a series of learning interventions; the desired outcome here being the mitigation of their effect upon business performance and metrics.

In the long term, however, your training solution should seek to identify and rectify the root causes of such gaps and help to improve processes around these areas. In other words: to prevent the gap from occurring in the first place.

To achieve both these long and short term goals (and to measure their progress over time) you’ll need access to information, and that’s why it’s important to …

Test your employees

Did you know that the latest cyber-attack trend data for the UK shows the majority of data breaches began with a phishing attack?

Every day 156 million phishing emails are sent and 16 million of these get through security filters into inboxes.

What’s more, 8 million phishing emails are opened and 800,000 malicious links in those emails are clicked.

80,000 recipients fall for phishing scams every. Single. Day.

One surefire way to test if your cyber-security awareness training is hitting the mark is to test it – and not only by using knowledge-based quizzes and surveys. Rather, software such as phishing simulators can be used to conduct fake phishing attacks within your company – across a range of different industries and targeting specific audiences (e.g. aimed at the C-suite, aimed at finance, fake social media accounts, and so on).

By integrating tools like phishing simulators into a Learning Management System (such as the one your eLearning is hosted on) it’s easy to see campaign reports (open rates, click rates, deletion figures, etc.) and diagnose straight away which employees require further training and reinforcement activities.


Up your reporting game

xAPI (or Experience API) is a file format for storing and retrieving all the data from your learning experience in the form of data-based ‘statements’. These are then stored inside a Learning Record Store (LRS) for each employee.

Using xAPI, then, it’s easy to collect and analyse data from a whole range of learning experiences (even those carried out outside a browser, such as mobile apps) and – when it comes to learning analytics – this is great news! It means we have the ability to track employee progress over time, monitor performance pre- and post-assessment, and measure engagement across entire programs of learning.

These insights build a real picture about the effectiveness of your chosen training solution and, when used alongside an intelligent learning platform, can be used to create targeted learning journeys designed to fill any gaps in knowledge and increase the training’s potency.
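To make the two previous sections concrete, here is an added example (not code from the original post or from any LMS or LRS product) that builds constructed xAPI-style actor/verb/object statements for one simulated phishing campaign and reduces them to the report figures described above: open rate, click rate, deletion rate, report rate, and the employees who need reinforcement. The verb namespace, campaign name and employee addresses are all constructed for illustration.

```python
from collections import defaultdict

VERB_BASE = "http://example.test/verbs/"   # constructed verb namespace, not a real xAPI vocabulary

def stmt(actor, verb, campaign):
    """Build a minimal xAPI-style statement: actor / verb / object."""
    return {"actor": {"mbox": f"mailto:{actor}"},
            "verb": {"id": VERB_BASE + verb},
            "object": {"id": f"campaign:{campaign}"}}

# Constructed LRS contents for one simulated 'missed delivery' campaign.
STATEMENTS = [
    stmt("alice@example.test", "delivered", "q3-courier"),
    stmt("alice@example.test", "opened", "q3-courier"),
    stmt("alice@example.test", "reported", "q3-courier"),
    stmt("bob@example.test", "delivered", "q3-courier"),
    stmt("bob@example.test", "opened", "q3-courier"),
    stmt("bob@example.test", "clicked", "q3-courier"),
    stmt("carol@example.test", "delivered", "q3-courier"),
    stmt("carol@example.test", "deleted", "q3-courier"),
    stmt("dave@example.test", "delivered", "q3-courier"),
    stmt("dave@example.test", "opened", "q3-courier"),
    stmt("dave@example.test", "clicked", "q3-courier"),
    stmt("dave@example.test", "reported", "q3-courier"),
    stmt("erin@example.test", "delivered", "other-campaign"),
]

def campaign_report(statements, campaign):
    """Reduce the LRS statements for one campaign to the report figures."""
    actions = defaultdict(set)               # actor -> set of verbs seen
    for s in statements:
        if s["object"]["id"] != f"campaign:{campaign}":
            continue
        verb = s["verb"]["id"].rsplit("/", 1)[-1]
        actions[s["actor"]["mbox"]].add(verb)
    # Only employees the simulated email actually reached count towards rates.
    targeted = [a for a, v in actions.items() if "delivered" in v]
    n = len(targeted)

    def rate(verb):
        return round(100 * sum(verb in actions[a] for a in targeted) / n, 1) if n else 0.0

    # Anyone who clicked needs reinforcement, even if they reported it afterwards.
    needs_training = sorted(a[len("mailto:"):] for a in targeted if "clicked" in actions[a])
    return {"delivered": n, "open_rate": rate("opened"), "click_rate": rate("clicked"),
            "report_rate": rate("reported"), "deletion_rate": rate("deleted"),
            "needs_training": needs_training}
```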

Check your culture

Admittedly, measuring a compliance culture seems rather difficult, but that’s not to say it’s impossible! Businesses might use anonymous surveys, for example, to measure attitudes, behaviours, and employee impressions – these answers can be very useful when it comes to giving an idea of why people continue to take risky actions (e.g. using overly-simple passwords or leaving screens unlocked) despite having had training against this.

Measuring employee impressions in this manner is useful information to have, particularly before you embark on a new cyber-security training program, as it can be used to measure behavioural change and attitudes along the way.

Insights over time, such as how employees react when observing and/or reporting cyber-security incidents, how they view the ‘tone from the top’ (i.e. management commitment) when it comes to cyber-security measures, as well as whether they feel compliance is communicated effectively and how engaging their training is, can prove invaluable when it comes to the nitty gritty of your training’s efficacy.

After all, qualitative insights from surveys can help you change behaviours and reduce risks – but it’s important to note that finding an overall quantitative cultural metric is equally important. It’s only through quantitative metrics that behavioural improvements can really be measured and sought.

According to Verizon’s latest report, 36% of breaches involved phishing attacks, an increase of 11% in comparison to the previous year. Due to the pandemic and more employees working remotely, cyberattackers have used this to increase their phishing campaigns to organisations and their employees. All it takes is for one employee to click on a link in a phishing email for them or the organisation to fall victim.

That is why organisations must support their employees with cybersecurity awareness training and help them understand cybersecurity foundations such as how to spot a phishing email. In this blog, we share some top tips on how your employees can spot a phishing email, helping to strengthen your organisation’s cybersecurity strategy.

1 – Check the email address of the sender

If you receive an email whose display name looks familiar, or appears to be from a brand you trust, that doesn’t mean it is from them. Be sure to check that the actual email address belongs to a trusted sender. Phishing scams impersonate a person or a company you trust, e.g., TV licence phishing, Amazon phishing or, more recently, Covid-related phishing.

Sometimes a phishing email may come from an address such as [email protected] or [email protected] – trusted senders would not send from a generic email service such as Hotmail, Gmail or Yahoo!; a genuine email would come from their own domain name. In the second case, a domain name that looks similar to the real one, but is slightly misspelt, is another way of fooling you into believing the sender is a trusted source.

2 – Detect spelling and grammar errors

While this may sound strange, spam emails often have spelling mistakes or grammatical errors. Cyberattackers really aren’t worried if their spelling or grammar is correct.

Read the email thoroughly and be suspicious of any errors. If the email is poorly written, then it’s not from the company they are impersonating. If in doubt, always forward the email to your IT team. But NEVER follow through on the actions requested in the email.


3 – Beware of how the email sender greets you

Is the email greeting impersonal, e.g. ‘Dear reader’ or ‘Hello Sir/Madam’? Or perhaps it fails to recognise your name entirely, e.g. ‘Hi [first name]’?

If a trusted source is emailing you, e.g. your bank, they will address you personally. Don’t fall for the trick, mark the email as spam and delete the email. Even better, forward it to your IT team, so they can warn everyone in your organisation of phishing scams targeting your organisation.

4 – Do not share personal information

Are you asked for personal information such as your bank details or security details? Remember, genuine companies such as your bank will NEVER ask you to confirm that over email. They already know that information. Don’t share anything.

5 – Do not click on suspicious links or attachments

Cyberattackers love luring in their victims through links, for example, “validate your email address or account”. Always hover over a link to check the URL it actually points to; if it looks suspicious or doesn’t match what the rest of the email says, don’t click on it! The same goes for attachments: if you’re not expecting an email with an attachment, or the email is out of context, don’t open it!
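The mechanical parts of tips 1 and 5 above (sender address versus display name, generic webmail senders, misspelt lookalike domains, and link text that disagrees with the real destination) can be automated for a mail gateway or a user-facing warning banner. The following is an added example, not code from the original post; the trusted-brand list, the webmail list and the sample courier-style message are all constructed for illustration, and the lookalike threshold is an assumed tuning value.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists for illustration; a real deployment would maintain its own.
TRUSTED = {"Royal Mail": "royalmail.com", "TV Licensing": "tvlicensing.co.uk"}
WEBMAIL = {"hotmail.com", "gmail.com", "yahoo.com"}

def lookalike(domain):
    """Return the trusted domain this one closely resembles (misspelt lookalike), if any."""
    for real in TRUSTED.values():
        if domain != real and SequenceMatcher(None, domain, real).ratio() > 0.85:  # assumed threshold
            return real
    return None

def sender_findings(from_header):
    """Tip 1: does the real address match what the display name claims?"""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in WEBMAIL:
        findings.append(f"sender uses generic webmail domain {domain}")
    for brand, real in TRUSTED.items():
        if brand.lower() in name.lower() and domain != real:
            findings.append(f"display name claims {brand} but address is @{domain}")
    if lookalike(domain):
        findings.append(f"sender domain {domain} resembles {lookalike(domain)}")
    return findings

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def link_findings(html):
    """Tip 5: compare what a link shows with where it really goes (the 'hover' check)."""
    findings = []
    for href, inner in LINK_RE.findall(html):
        real = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if "." in text and " " not in text:          # link text that itself looks like a URL
            shown = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
            if shown != real:
                findings.append(f"link shows {shown} but points to {real}")
        if lookalike(real):
            findings.append(f"link host {real} resembles {lookalike(real)}")
    return findings

# Constructed sample in the style of the courier scam described earlier on this page.
SAMPLE_FROM = "Royal Mail Delivery <parcels@royalmai1.com>"
SAMPLE_HTML = ('<p>We missed you. Pay the fee at '
               '<a href="http://royalmai1.com/pay">royalmail.com/redelivery</a></p>')
```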

Phishing emails are there to incite curiosity or panic to get hold of a vulnerable employee who will open your organisation to the cyberattacker. It’s important to continuously remind and educate staff throughout the year with phishing training and other cybersecurity awareness training to ensure everyone stays alert on what to look out for, so they don’t get caught.

Organisations can use a phishing simulator tool to increase the security awareness of their employees. By regularly testing employees, organisations can ensure they remain alert, asking themselves if an email is legitimate or spam. Using this technique also helps L&D and security teams understand who in the organisation might need some extra training or support.