Recession and the Role of Cybersecurity

Last year, the US saw inflation rates surge to a four-decade high, prompting the Federal Reserve to set off on a series of interest rate hikes. Adding to the uncertainty, the US stock market became far more volatile, leading to layoffs and threatening cybersecurity budgets.

The threat of recession, coupled with higher interest rates, affects everybody, and it is especially hard on employees. A mind preoccupied with money is more likely to let cyber awareness slip and create an environment for mistakes.

Hackers thrive in that environment.

As businesses scrutinize every aspect of spending, they are apt to view cybersecurity programs as nice-to-haves. But the stakes are too high for that.

The Rising Tide of Cyber Threats in Economic Downturns

Graph showing recession

Economic downturns have historically been accompanied by a surge in criminal activities, which translates to an increase in cyber attacks. As businesses reduce spending on security infrastructure and training, cybercriminals become more opportunistic. They see an ideal time to strike. 

As your organization prepares for financial turbulence, there are three threats to watch for:

Recession-Driven Vulnerabilities

Because cybersecurity investments are tied to the goal of "nothing happening," they are harder to justify than spending with a visible return. Cuts to the staff or resources allocated to cybersecurity create weaknesses in the organization's defenses. The money saved buys more exposure, and that exposure can turn into catastrophic expenses.

Increased Phishing Attempts 

During recessions, there is a noticeable uptick in phishing. Fraudsters exploit people's anxieties about financial stability, offering fake job opportunities or posing as financial aid agencies to trick individuals into revealing sensitive information.

Insider Threats Amplify

With potential layoffs and employee dissatisfaction on the rise during economic downturns, the risk of insider threats escalates. Disgruntled employees can resort to selling corporate data on the side.

In light of these threats, recessions are not the time to cut corners on cybersecurity awareness and training. In fact, now is the time to position your team as cybersecurity experts who are here to help employees keep the company and family members safe online.

Cybersecurity Awareness: An Investment, Not a Cost

Compromises in cybersecurity can be catastrophic for a company’s finances and reputation. Remember: 

  1. An Educated Employee is a Digital Fortress: Regular engagement with your workforce ensures employees can spot the signs of phishing emails and suspicious system activities, making it harder for cybercriminals to gain a foothold. Give them a safe, easy way to communicate with your team.
  2. Cost of a Breach vs. Training: Expenses associated with a significant data breach are monumental, outweighing the investment in proactive cybersecurity training.
  3. Maintaining Trust in Uncertain Times: In an era where trust influences brand loyalty, ensuring customer data is secure can differentiate a business from competitors.

The Proactive Approach: Cybersecurity Awareness as a Pillar of Stability

Is a recession coming? Maybe. But uncertainty is here now. It is time to be proactive.

Prepare your employees and keep cybersecurity top of mind, going beyond annual training.

A terrific way to maintain vigilance and awareness is to engage employees constantly with topical, relatable videos, quizzes, instructional PDFs, posters, and breaking cyber news.

Aware Force delivers incredibly effective cybersecurity awareness resources. Our Cybersecurity Library and Employee Newsletter ensure your team remains informed, vigilant, and prepared.

Conclusion: The time to act is now

Employee cybersecurity engagement is non-negotiable. Recession or not, threats are on the rise.

Engage your employees in cybersecurity throughout the year with content branded for your company from Aware Force.

Check our Cybersecurity Newsletter page to know more or connect with us, and you'll see why organizations across the US and Canada use outstanding cybersecurity content — customized and branded — and delivered by Aware Force.

Case study: How a Man-in-the-middle attack caused over $700 million in losses!

It looks like something out of a movie. But this is as real as it gets: the cautionary tale of how criminals exploited a vulnerability for which a patch had been available for months, gained a foothold on a public-facing web portal, and used it to reach multiple databases of one of America's biggest credit reporting agencies and steal the personal information of 147 million people.

This is a great case study. We're including a brief recap of man-in-the-middle attacks first, but you can skip straight to the case itself.

What is a Man-in-the-middle Attack?

Man-in-the-middle (MITM) is a type of cyber attack in which an unauthorized party intercepts communication between two entities without their knowledge, inserting itself in the "middle" of the exchange. The attacker can read and manipulate the information passing through, stealing data or injecting malicious links while both sides believe they are talking directly to each other.

It's like a devious translator modifying conversation between two individuals who speak different languages.

Example of a Man-in-the-middle Attack

MITM attacks are used for session hijacking and similar abuses: the attacker exploits a live conversation or data transfer by breaking the original link and inserting themselves in the middle. There are different ways to carry this out, and here is an example in two steps:

Step 1: Breaking the link

Example of a Man-in-the-middle Attack

Step 2: The devious mediation

Example of a Man-in-the-middle Attack, communications flow
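To make the two steps above concrete, here is a small Python simulation added for this article (it is not code from the original page). A client sends a bank a payment instruction, an attacker in the middle relays and rewrites it, and the bank only notices when the message carries a keyed integrity tag the attacker cannot recompute. The shared key stands in for the session keys a TLS handshake establishes between the two real endpoints; the bank, payee and amounts are constructed sample data.

```python
"""Man-in-the-middle simulation: relaying and rewriting a payment instruction.

Two runs: without message integrity the bank accepts the rewritten payee;
with an HMAC tag bound to the body (a stand-in for what TLS provides on the
wire) the forgery is rejected. All parties and values are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Stand-in for keys both endpoints derive from a handshake and the attacker
# never sees. Constructed value for this example.
SESSION_KEY = b"k-derived-from-handshake"


def build_request(payee: str, amount_cents: int, key: Optional[bytes]) -> dict:
    """Client side: serialize the instruction and, if a key is present, tag it."""
    body = json.dumps({"payee": payee, "amount_cents": amount_cents},
                      sort_keys=True).encode()
    msg = {"body": body}
    if key is not None:
        msg["tag"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return msg


def attacker_relay(msg: dict, observed: List[dict]) -> dict:
    """The 'devious translator' in the middle.

    It reads everything (confidentiality loss) and rewrites the payee before
    forwarding. It cannot recompute the tag because it lacks the key, so the
    original tag, if any, is forwarded unchanged.
    """
    data = json.loads(msg["body"])
    observed.append(dict(data))                 # attacker keeps a copy
    data["payee"] = "attacker-controlled-account"
    forged = dict(msg)
    forged["body"] = json.dumps(data, sort_keys=True).encode()
    return forged


def bank_process(msg: dict, key: Optional[bytes]) -> dict:
    """Bank side: verify the tag when the channel is protected, then act."""
    if key is not None:
        expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return {"status": "rejected", "reason": "integrity check failed"}
    data = json.loads(msg["body"])
    return {"status": "accepted", **data}


def run_scenario(protected: bool) -> Tuple[dict, List[dict]]:
    """Run client -> attacker -> bank once; return the verdict and what the attacker saw."""
    key = SESSION_KEY if protected else None
    observed: List[dict] = []
    msg = build_request("electric-company", 12_500, key)
    verdict = bank_process(attacker_relay(msg, observed), key)
    return verdict, observed


if __name__ == "__main__":
    for protected in (False, True):
        verdict, seen = run_scenario(protected)
        print(f"protected={protected}: {verdict}; attacker saw {seen}")
```

Note what the protected run does and does not fix: the tag stops the bank from acting on a tampered instruction, but the attacker still read the original in transit. Integrity and confidentiality are separate properties; TLS provides both, which is why "the padlock" matters to the employees you are training.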

How Does a Man-in-the-middle Attack Occur?

MITM attacks can be carried out in a variety of ways, but some of the most common methods include:

The Equifax Breach: A Deep Dive

In 2017, the personal data of roughly 147 million people was stolen from Equifax, one of the three big credit reporting agencies that assess the financial health of nearly every adult in the US.

Exploiting the Vulnerability: Apache Struts at the Center

The origin of the Equifax crisis can be traced to March 2017, when CVE-2017-5638, a critical remote code execution vulnerability in the open-source web application framework Apache Struts, was publicly disclosed together with a fix. Equifax ran Struts in its public consumer dispute portal, and that portal became the initial point of entry.

Note for CISOs: A patch for this vulnerability was available from the day it was disclosed, but Equifax had still not installed it when the intrusion began roughly two months later.
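Added example (not from the original page, and not Equifax's code): a small Python check an operations team could run over web-server request logs to spot attempts to exploit CVE-2017-5638. The flaw sat in the framework's multipart request parser, which built an error message from an unparseable Content-Type header and evaluated that message as an OGNL expression, so exploit traffic carries OGNL syntax such as `%{...}` and `#_memberAccess` inside that header. The two request samples are constructed for the example, shaped after the public exploit pattern and deliberately truncated; the list of headers to inspect is an assumption you should extend to fit your logs.

```python
"""Spotting CVE-2017-5638 (Apache Struts OGNL injection) attempts in raw HTTP requests.

The vulnerable multipart parser echoed a malformed Content-Type header into an
error message that was then evaluated as OGNL, so attack traffic carries OGNL
syntax inside that header. Samples below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# OGNL expression delimiters: "%{" and "${" never appear in a legitimate media type.
OGNL_DELIMITER = re.compile(r"[%$]\{")

# Tokens seen in public exploit payloads (matched case-insensitively).
OGNL_MARKERS = (
    "#_memberaccess",
    "@ognl.ognlcontext@",
    "#cmd=",
    "getruntime()",
    "processbuilder",
    "@java.lang.",
)

# Headers the parser echoes into its error text (assumption: extend for your logs).
INSPECTED_HEADERS = ("content-type", "content-disposition", "content-length")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    request_line, _, rest = raw.partition("\r\n")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:                       # blank line ends the header block
            break
        name, _, value = line.partition(":")   # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def inspect_request(raw: str) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    _, headers = parse_request(raw)
    findings: List[str] = []
    for name in INSPECTED_HEADERS:
        value = headers.get(name, "")
        if OGNL_DELIMITER.search(value):
            findings.append(f"{name}: OGNL expression delimiter")
        hits = [m for m in OGNL_MARKERS if m in value.lower()]
        if hits:
            findings.append(f"{name}: exploit markers {hits}")
    return findings


def scan(requests: List[str]) -> List[Tuple[str, List[str]]]:
    """Scan many requests; return only the flagged ones with their findings."""
    flagged = []
    for raw in requests:
        findings = inspect_request(raw)
        if findings:
            flagged.append((parse_request(raw)[0], findings))
    return flagged


# Constructed samples. The second follows the public exploit pattern but is
# truncated ("...") so it is an indicator, not a working payload.
BENIGN_UPLOAD = (
    "POST /dispute/upload HTTP/1.1\r\n"
    "Host: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx1\r\n"
    "Content-Length: 512\r\n\r\n"
)
EXPLOIT_ATTEMPT = (
    "POST /dispute/upload HTTP/1.1\r\n"
    "Host: portal.example\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):(...)).(#cmd='id')...}\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for line, findings in scan([BENIGN_UPLOAD, EXPLOIT_ATTEMPT]):
        print(line, "->", "; ".join(findings))
```

A legitimate multipart upload carries a plain media type and a boundary, so the benign sample produces no findings; the marker list is what turns "strange header" into "known exploit family," which is the distinction your SOC needs when deciding whether to page someone.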

Attack Vector: A Closer Look at the Man-in-the-middle Methodology

The attackers used the unpatched Struts vulnerability to run commands on the servers behind the consumer dispute portal, which gave them a foothold inside the network. From there they planted web shells (server-side scripts that accept commands over HTTP) on the portal and spent more than two months running queries against back-end databases. Strictly speaking, this is remote code execution followed by lateral movement rather than a classic network-level man-in-the-middle; what it shares with one is position. The attackers sat on a trusted system between consumers and the data those consumers submitted, reading it at will while neither side noticed.

Stolen data included consumers' names, addresses, dates of birth, Social Security numbers and, for a smaller number of consumers, credit card numbers.

Note for CISOs: The systems were not adequately segmented from one another, allowing the attackers to move from the compromised web portal to multiple servers and databases.

Operational and Management Lapses: Equifax’s Missteps

In hindsight, Equifax's response was riddled with questionable decisions. The six-week delay in disclosing the breach after its discovery is a reminder of the reputational ramifications of slow response strategies. But that was one of many missteps. Internally, Equifax missed crucial clues. 

Note for CISOs: A CISO would immediately identify the absent security layers: sensitive data and credentials stored unencrypted, a lack of multi-factor authentication, and a months-long delay in patching a known vulnerability.

Broader Implications: Beyond Just a Data Breach

While the immediate fallout of the breach centers on the stolen personal information of over 147 million people, the damage went much further. The breach is a tale of technical vulnerabilities and exploitation, and it underscores systemic issues within the management of credit reporting agencies (CRAs).

Conclusions on the Equifax Breach: Beyond Technical Lapses

The Equifax breach is an alarming testament to how a single missed patch can spiral into a catastrophe. While the breach was made possible by a failure to patch a known software vulnerability, the subsequent mishandling further amplified its effects.

Ultimately, this breach cost Equifax over $700 million, including the cost of the investigation, remediation, and compensating affected consumers.

Of course, the impact of such a breach extends way past the dollar signs: 

Final Note to CISOs

MITM attacks prey on technical and human vulnerabilities. It's a reminder that our network infrastructures are only as robust as the least informed employee with access.

While technical defenses like encryption, multi-factor authentication, and diligent patching are critical, an educated and vigilant workforce serves as a formidable first line of defense.

Here are a couple of things to reinforce with your team:

CISOs and cybersecurity teams are under tremendous pressure, often competing for qualified employees. While there are outstanding technical tools to test and track employees’ cybersecurity prowess, the key to engaging employees isn’t automation. It’s actionable videos, quizzes, infographics, the latest cyber news, and answers to common questions written in a style they can understand and share with their families.

It’s easy to use and cost-effective. And it’s branded and customized so all the content comes from the IT team. That’s the Aware Force business model that generates unsolicited praise from employees and fierce loyalty from our customers. Check out our extensive cyber library and our terrific twice-monthly cybersecurity newsletter — all branded for you.   

Cybersecurity Awareness Month Special: Cybersecurity by the Numbers

October Cybersecurity Awareness Month is here. You can make the most of it without requiring a big investment of your time.

2023 marks an important milestone in cybersecurity: this is the year artificial intelligence exploded in popularity, revolutionizing our lives with breakthroughs in education, health care, entertainment, and so many others. It also introduced sophisticated threats designed to outsmart traditional security measures.

While some of us are delighted with the potential for ChatGPT to write essays and blog articles, hackers are feasting on other tools like FraudGPT, a tool built for cybercrime that uses a large language model to generate realistic and coherent text from user prompts, for use in phishing emails, malware code, hacking guides, and fake identities.

Are you prepared to communicate what’s happening with your team? In our experience, many companies are not. They’re banning the use of AI tools in the workplace and shying away from educating employees until they have policies in place. 

To help your team take advantage of Cybersecurity Awareness Month, we’ve prepared an infographic to shed light on revealing cybersecurity statistics.

Cybersecurity Awareness Month: A glimpse into today's digital threat landscape.

Unsettling Cybersecurity Statistics for 2023

Cyber Attacks are Increasingly Common

Cybersecurity Graphic: A cyber attack happens every 39 seconds

Even with more sophisticated tools to combat hacking, cybercrime is on the rise. A cyberattack now takes place every 39 seconds.

While that pace is concerning, the financial consequences are even more so. A small- to medium-sized business can be forced to fold after an attack.

The Cost of Data Breaches is Rising

Infographic Cybersecurity by the numbers: graph showing the average cost of a data breach in 2023 is US$4.45 million.

Total damage from cyberattacks escalated to $6 trillion last year and is expected to cost the world $8 trillion this year. The average cost of a single data breach is now $4.45 million.

The sophistication of cyber breaches also poses a challenge. It still takes several months for a company to realize an attack has occurred. Most organizations are taking longer than they should to identify hacks (more on that later).

Cyber Threats Take Time to Detect and Contain

Infographic Cybersecurity by the numbers: average time to detect and contain a data breach is 287 days

Timely detection and containment are crucial. Two years ago it took an average of 287 days to identify and contain a data breach, and the figure has barely moved since: the lag is still well over 100 days on average.

This delay in breach detection underlines the ways cyberattacks lie dormant or mimic regular operations. The stats prove the need for continuous monitoring and advanced threat detection.

Your Gatekeepers are not Keeping Up With it

 Infographic Cybersecurity by the numbers: 88% of all data breaches can be traced back to employee mistakes

One key fact your team can influence with minimal investment: your workforce is inadvertently leaving the door open to hackers.

88% of all data breaches can be traced back to employee mistakes.

Are they doing it maliciously? Mostly, no. Insider threat is a real risk, but most employees are willing to engage in cybersecurity. They need to be engaged with content that is easy to understand, topical, and non-threatening, and most companies still aren't doing that very well.

Phishing Dominates the Cyber Threat Landscape

Infographic Cybersecurity by the numbers: anatomy of cyber attacks

Nearly 60% of organizations that suffered a data breach in the past two years cite as the culprit a known vulnerability for which a patch was available but not yet applied.

Over a third of the respondents to a Ponemon Institute study said they knew their systems were vulnerable prior to an attack and chose not to patch it immediately. 

The reason? Most CIOs and CISOs explain that they are concerned about interrupting operations. 

This delay in the name of business continuity makes the effects of cyber attacks even more devastating. And even with the well-established risks, many companies don't have dedicated cybersecurity personnel.

Business Preparedness: A Bleak Picture

Infographic Cybersecurity by the numbers: business preparedness.

The current state of readiness in the face of cyber threats is lacking. 

Companies should be strongholds against hackers

Organizations, regardless of their size, should have a bunker mentality about cybersecurity. Inside their walls are their crown jewels: customer and employee data, IP, and their competitive and financial plans.

Truth is, organizations of all sizes are ill-equipped to handle the inevitable. There aren’t modern tools in place, and employees who should be helping are unaware of how to do it.

All while thousands of enemies are at the moat, finding new ways to penetrate defenses.

And yes, in some cases, the enemy is inside the perimeter, whether for personal gain or out of sheer ignorance.

What is the takeaway of all this information?

These cybersecurity stats underscore the urgency of bolstering digital defenses.

October Cybersecurity Awareness Month is a great time for organizations to evaluate, adapt, and enhance cybersecurity beginning with the largest attack surface: the workforce. 

Take a proactive stand this October. Check out the extensive Aware Force Cyber Library featuring videos, quizzes, posters, one-sheets, and infographics, all geared to your employees with interesting, actionable information — and every one of them branded for your organization. 

Aware Force is cybersecurity defined. 

Annual Cybersecurity Training vs. Year-Round Cyber Security Awareness: Which is Better?

I have worked for not one, but three Fortune 500 companies, and the approach to cybersecurity training is typically as follows:

Once the training is over, you drag yourself back to the office, and by the time you've sat down, it feels like half of all that information is GONE!

A Snapshot of Traditional Cybersecurity Training

This is how employee training is usually delivered in the corporate universe: organizations carve out a designated period once a year, during which employees are ushered through a series of presentations, workshops, or even online courses.

Annual cybersecurity training aims to educate employees about the latest cyber threats and equip them with the necessary knowledge to counter these risks.

Traditionally, the training will cover a wide array of security topics, from phishing scams and malware to more sophisticated threats like ransomware. It should also delve into various best practices for password management, secure browsing, sensitive data handling, etc.

While having its merits, this approach also has significant drawbacks, most noticeably its static nature.

Employees tend to leave these training sessions with a false sense of competence, believing they are ready to perform their tasks while diligently protecting the company. 

Well, suffice it to say that their belief is far from reality, and criminals are eager to test them.

Remember: Cyber threats evolve rapidly, and hackers always find innovative ways to exploit vulnerabilities. Training material that was up-to-date at the beginning of the year might be obsolete within months. This volatility puts not only employees but the entire organization at risk.

The Challenge with Retention

The key hurdle with traditional, annual cybersecurity training is the human brain's limited capacity to retain large amounts of information in one sitting. Cognitive psychology and neuroscience constantly remind us of this constraint.

This phenomenon is referred to as "the forgetting curve" and was demonstrated by German psychologist Hermann Ebbinghaus, who found that a significant amount of newly learned information is forgotten within just a few days unless the learner actively reviews the material.

In the context of cybersecurity, this means employees are likely to forget a good deal of their annual training long before the year is out.

In addition, different individuals absorb and retain information at varying paces, which the non-recurring nature of annual training doesn't account for. Some employees may need more time or repetitions to fully understand a concept and commit it to memory. Without the flexibility to cater to these individual learning needs, the efficacy of the training is likely compromised.

When you compile these factors, it is noticeable that the annual cybersecurity training/workshop model needs to be revised, for it lacks the necessary frequency and flexibility to ensure effective long-term retention and application of cybersecurity knowledge.

The Case for Year-Round Cyber Security Awareness

Contrary to annual training, year-round awareness fosters consistent engagement and learning, making it a more dynamic and effective approach. Here's why:

  1. Allows for regular reinforcement of critical cybersecurity concepts, applying the "spaced repetition" principle to combat the "forgetting curve."
  2. Employs diverse learning formats such as videos, quizzes, newsletters, or bite-sized articles, catering to different learning styles.
  3. Keeps pace with the dynamic nature of cyber threats, ensuring employees have the most current knowledge at their fingertips.

In essence, a year-round approach nurtures a proactive security culture. By keeping cybersecurity top of mind, it helps employees become active participants in the organization's security framework, resulting in heightened vigilance, better threat detection, and quicker response times.

It's all about conditioning employees to respond to cyber threats and cultivating an environment where cybersecurity becomes second nature.

The Advantages of Constant Engagement

Continuous engagement in cybersecurity, like the Aware Force e-newsletter, offers a wide array of advantages, especially compared to traditional one-time training sessions. Here are some of the key benefits:

So, which option should you pick?

Whether to conduct an annual cybersecurity training or facilitate year-round awareness doesn't need to be a binary choice. Combining the strengths of both is likely to be the best way to equip employees with the knowledge they need to protect themselves, the organization, and their families.

Again, the yearly workshop is valuable, as it provides a structured opportunity to dive deep into key cybersecurity concepts. At the same time, year-round awareness continuously reinforces this knowledge, keeping it fresh and relevant.

We have the perfect solution if you’re considering taking cybersecurity to a whole new level within your organization.

Engage your employees in cybersecurity all year long with content branded for your company from Aware Force. Check our Cybersecurity Newsletter page to know more or connect with us, and you'll see why organizations across the US and Canada use outstanding cybersecurity content — branded for them — and delivered by Aware Force.

Look-alike domains: a Sneaky Cybersecurity Threat

Deceptively simple and almost imperceptible: look-alike domains are designed to trick the user’s eyes by mimicking URLs of trustworthy websites. After luring the prey into a fake website, the foundation for a series of other cyber threats is established.

The domain can be used to host a phishing website or to launch attacks such as Business Email Compromise (BEC) or ransomware delivery with little chance of being flagged by email security software. Because the attacker legitimately registers and controls the domain, they can publish valid SPF, DKIM and DMARC records for it, so mail from it passes email authentication. Those checks prove that a message came from the look-alike domain; they say nothing about whether the look-alike is the real brand.

Look closer: it’s in the details

Take a look at these two mockup pages. Can you spot what is wrong? Can you tell which one is a look-alike domain?

Homographs and look-alike domains are among cyber criminals' sneakiest forms of attacks. They are geared to trick the untrained eye. 

In this example, the second domain is the correct one for our mockup bank website. The first one, however, has the Latin "a" replaced by a Cyrillic letter that looks almost identical.

Could you spot the difference? Would your team be able to?

Warning: Your Brain is Being Hacked

The human factor, yes! I know, we’re always coming back to it. But here’s the truth: our brains are simply not wired to read letter by letter. We see words as a whole. We look for patterns and try to anticipate the results.

Here’s a classic example, try reading this:

Easy, right?! Even though the letters themselves are shuffled, you are still absolutely capable of reading the entire paragraph as if it was written correctly.

Hackers know this, and use it against you. Remember that “Brain Games” show on National Geographic?! Well, they watched the whole thing and took notes.

The effect is popularly called typoglycemia: the claim that people can read scrambled words as long as the first and last letters are in the right place. The popular version overstates what the research shows, but the underlying point holds: we read by pattern, not letter by letter, and that is exactly what a look-alike domain exploits.

How homographs are employed to trick users

In April 2017, Xudong Zheng, a security researcher based in New York, demonstrated a weakness in how browsers displayed internationalized domain names: a domain label made entirely of Cyrillic letters was shown as Unicode rather than in its xn-- (punycode) form, so nothing warned the user that the characters were not Latin.

He created and registered a mock-up page that renders as apple.com to demonstrate the flaw. Instead of the Latin letters we know, every character in his domain was Cyrillic.

Although the domain he used looks indistinguishable from apple.com, it is a fake website that could be used to trick users into visiting it.

Zheng's page is an example of an internationalized domain name (IDN) homograph attack, in which a threat actor registers one or more fake domains using at least one look-alike character from a different script. Although the characters are different code points and computers treat them as different, to the human eye these Cyrillic glyphs are easily confused with their Latin counterparts.

The following table shows the different hex codes assigned to them:

This particular attack can be highly successful and dangerous if used in the wild, not only undermining a company's reputation but also threatening the trust of its customers, employees, and stakeholders.

Spotting a Look-alike Domain: Anatomy of an Attack

In a look-alike domain scam, the perpetrator registers a URL visually similar to that of a trusted entity. They often rely on common typing errors or replace characters with visually similar ones, for instance replacing "m" with "rn" ("grnail.com" instead of "gmail.com"). These differences can be virtually unnoticeable, particularly on a mobile device or in a hastily read email.
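Added example (not from the original page): a Python detector for the two tricks described here and in the homograph section above, the script swap (Cyrillic letters standing in for Latin ones) and the ASCII confusable (rn for m, 1 for l, 0 for o). It reduces each domain to an ASCII "skeleton" of what the eye perceives, compares that with a list of trusted domains, flags any domain that is non-Latin or mixes scripts, and shows the xn-- form the resolver actually sees. The trusted list, the confusable table and the sample domains are constructed for the example; the Cyrillic code points are written as escapes so they cannot be mistaken for their Latin look-alikes.

```python
"""Look-alike domain detector: homographs (script swaps) and ASCII confusables.

Each domain is reduced to an ASCII "skeleton" of what a reader perceives and
compared with trusted domains; domains that are non-Latin or mix scripts are
flagged as homographs. Trusted list, tables and samples are constructed.
"""
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Single characters a reader confuses with the ASCII letter on the right.
# Cyrillic and Greek entries are escapes so they cannot be mistaken for Latin.
CONFUSABLE_CHARS: Dict[str, str] = {
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l",                                  # Cyrillic palochka, the 'l' in the 2017 demo
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",    # Greek
}
# Letter pairs that render like one ASCII letter in small or proportional fonts.
CONFUSABLE_PAIRS: Dict[str, str] = {"rn": "m", "vv": "w", "cl": "d"}


def script_of(ch: str) -> str:
    """Script family taken from the Unicode character name: 'LATIN', 'CYRILLIC', ..."""
    if ch in "-.0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(domain: str) -> str:
    """Collapse a domain to the ASCII string a reader perceives."""
    s = domain.lower()
    for pair, one in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, one)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in s)


def to_ascii(domain: str) -> str:
    """The xn-- (punycode, RFC 3492) form the resolver sees, label by label."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for single-typo squats the skeleton does not catch."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    ascii_form: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze(domain: str, trusted: Set[str]) -> Verdict:
    """Judge one domain against the trusted set."""
    domain = domain.lower()
    v = Verdict(domain, to_ascii(domain))
    if domain in trusted:
        return v
    scripts = {script_of(c) for c in domain} - {"COMMON"}
    if scripts - {"LATIN"}:                       # anything non-Latin, or a mix
        v.reasons.append(f"homograph: scripts {sorted(scripts)}")
    sk = skeleton(domain)
    for t in sorted(trusted):
        if sk == t:
            v.reasons.append(f"renders like trusted domain {t}")
            break
        if edit_distance(sk, t) == 1:
            v.reasons.append(f"one edit away from {t}")
            break
    return v


# Constructed trusted list and samples.
TRUSTED = {"amazon.com", "apple.com", "gmail.com", "paypal.com", "fictionalbank.com"}
SAMPLES = [
    "amazon.com",                           # legitimate
    "grnail.com",                           # rn for m
    "arnazon.com",                          # rn for m
    "fictiona1bank.com",                    # digit 1 for l
    "fictionaibank.com",                    # i for l: caught by edit distance
    "p\u0430ypal.com",                      # Latin with one Cyrillic 'a': mixed script
    "\u0430\u0440\u0440\u04cf\u0435.com",   # all-Cyrillic apple.com, as in the 2017 demo
]

if __name__ == "__main__":
    for d in SAMPLES:
        v = analyze(d, TRUSTED)
        print(f"{v.ascii_form:28} {'SUSPICIOUS' if v.suspicious else 'ok':10} {v.reasons}")
```

The skeleton and pair tables are deliberately small and will produce false positives on ordinary words (any "cl" becomes "d"); in production you would run this against your own brand list and the senders in your mail gateway logs, and treat a hit as a reason to look, not as a verdict.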

Take a look at some examples for amazon.com :

And here are two more examples of a fictionalbank.com :

Now, let's walk through the typical steps in a look-alike domain attack.

Setting the Trap: A Deceptive Domain

The criminals will set up a deceptive domain, mimicking a trusted entity. The domain can be for a well-known brand, a bank, a government agency, or an internal company system.

For example, someone trying to impersonate Amazon could create the domain:

Instead of:

The Phishing Bait: An Urgent Email or Message

With the deceptive domain live, the cybercriminal sends out phishing emails or messages. 

These may pose as notifications, updates, or urgent requests, designed to trick the recipient into clicking the deceptive link. Urgency and threats are social-engineering tactics that raise the chances of an inattentive user taking the bait.

The Catch: Data Theft

Once a victim clicks on the link and provides their login credentials or other sensitive information, the fraudster can then use this data for various malicious activities, such as identity theft, financial fraud, or launching further attacks within a company network.

Staying Safe Against Domain Lookalike Scams

This may be a hard pill to swallow, but the truth is that the first and strongest line of defense a company has against threats like these is its employees. Software can only go so far.

A few defensive measures to be considered to stay safe:

Conclusion: Ongoing cybersecurity awareness is key

Look-alike domain attacks will likely remain a preferred strategy since they excel at tricking even the most vigilant among us. These threats are not simply an IT problem; they are an enterprise-wide concern, requiring active participation from everyone within the organization.

Many of these breaches are linked by a common factor: complacency.

Employees may let their guard down and become less attentive about cybersecurity when it is not a top priority in their daily tasks. The false sense of safety caused by the reliance on software solutions might be the opening cybercriminals are looking for.

Building a strong defense requires constant vigilance, education, and awareness. Reinforcing the importance of these cybersecurity issues and providing continuous training helps embed safe practices into the daily routines of employees, making them the first line of defense against such attacks.

Summer is here: how employees should prepare for a cyber-safe vacation

Here’s an opportunity for cybersecurity teams to do good:

Advise employees how to plan for a cyber-safe summer vacation.

According to Travel Agent Central, 85% of Americans will go somewhere this summer. For cybersecurity teams, vacations are a terrific time to engage employees in cyber safety. 

Aware Force has been creating cybersecurity content, branded and tailored for each of our clients, for over seven years, and we understand how vacation cyber safety is evolving. This is your opportunity to be the hero and provide employees with a printed checklist to keep their electronic devices safe.

The cyber-safe summer checklist

Keep it simple and divide that checklist into three columns.

Column #1: steps to take before departing.

Column #2: steps to take while they're on vacation.

Column #3: steps to take when they're back home.

Cyber crooks are taking no vacation

20% of travelers will be victims of some form of cybercrime on vacation this year. Summer vacations are a terrific time to remind your workforce that your cybersecurity team safeguards employees and families year-round. 

To help you and your team prepare to embrace the summer and plan your vacations, we’ve put together a comprehensive poster detailing steps for a cyber-safe holiday. Click the image below to download it for free and share it with your team.

You can also explore our extensive cyber library for content tailored to your specific needs, where you can find many other holiday-related cybersecurity resources to share with your team. 

Enjoy your summer and stay cyber safe!

The Evolution of the CISO 

In 1990, about 3 million people worldwide had Internet access, over dial-up modems running at roughly 14 kbit/s. Downloading a major software update could take days. The first ransomware attack had just occurred. It would be four years before Citigroup created the first CISO position.

By the early 2000s, the CISO was a relatively minor position at most organizations, usually reporting to the CIO. In a few companies, the org chart had the CISO reporting to the CFO — or even HR. Well into the 2010s, most didn’t have a seat at the senior executive table, and most had to fight for a meaningful budget. 

The CISO was among the first to ship out if the organization suffered a breach. 

An Ever-Expanding Scope of Responsibilities

Today's CISOs are expected to understand the intricacies of digital threats, the broader business landscape in which those threats exist, and how they impact the company. In some organizations the reporting line has even been reversed, with the CIO reporting to the CISO.

If a CISO hasn’t been on the wrong end of a breach, potential employers wonder why not. One organization we follow assigns the CISO to work with major clients to help ensure the safety of the client’s organization.

CISOs require a balance of technical and soft skills to ensure the success of a company's security strategies and their alignment with long-term goals. Moreover, CISOs are tasked with fostering a culture of shared ownership and cyber risk awareness within their organization.

Their responsibilities encompass everything from managing security technologies to overseeing compliance with regulations, coordinating incident response efforts, and cultivating a security-focused culture within the organization. According to a ThreatTrack survey, 47% of CISOs now report to a CEO or board of directors [1].

Now, many CISOs have direct access to the board, sometimes without other executives present. 

Positioning the CISO closer to the CEO and board of directors ensures that data security remains a top priority for the organization. At Aware Force, we have provided some of the CISOs we work with access to customized presentation materials designed to resonate with board members. 

According to the U.S. Bureau of Labor Statistics, the employment of information security analysts (a category that includes CISOs) is projected to grow 31% from 2021 to 2031 [3], faster than the average for all occupations. According to a report by Cybersecurity Ventures, there were 3.5 million unfilled cybersecurity jobs globally in 2021, a void that will likely remain until 2025. 

What makes a great CISO?

Back in September 2020, a Gartner survey revealed that only 12% of CISOs are considered “Highly Effective”[4], indicating a lot of room to improve.

Gartner's survey measured a CISO effectiveness index, determined by the CISO's ability to execute against a set of outcomes in four categories: functional leadership, information security service delivery, scaled governance, and enterprise responsiveness.

Five behaviors of the top performing CISOs

Executive search and leadership advisory firm Marlin Hawk says today's CISOs are taking on responsibilities that have traditionally fallen solely to the CIO. The biggest of these is serving as the primary intermediary between the technology units and the wider business, including the board, stakeholders, and customers. As a result, CISOs must be able to communicate adeptly with individuals at every level of the company.

Five behaviors demonstrated by the top-performing CISOs, according to Gartner:

  1. Initiate discussions on evolving norms to stay ahead of threats.
  2. Prioritize keeping decision-makers aware of current and potential future risks.
  3. Proactively engage in securing emerging technologies.
  4. Have a formal and actionable succession plan.
  5. Define risk appetite through collaboration with senior business decision-makers.

The CISO of the Future and Key Takeaways

The CISO of the future must be business savvy and have strong leadership skills. They must be comfortable engaging with boards and other C-suite executives and communicating complex security concepts in accessible language.

CISOs are responsible for being a beacon of knowledge and leadership, analogous to a seasoned commander leading an army of vigilant and proactive employees - the first line of defense against cyber threats. 

Like a strategist, the CISO mobilizes the troops and empowers them with the necessary tools.

Finally, the key to engaging the organization’s employees is providing relevant, actionable content year-round. 

If you’d like to know more about how Aware Force clients are doing that, check our Cybersecurity Newsletter page or connect with us, and in 15 minutes, you'll see why Aware Force has raving fans across North America.

Read More

[1] ThreatTrack Security, No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers, www.ten-inc.com/presentations/ThreatTrack-The-Role-of-the-CISO.PDF

[2] Deloitte Insights, The new CISO: Leading the strategic security organization

[3] U.S. Bureau of Labor Statistics, www.bls.gov

[4] Gartner, https://www.gartner.com/en/newsroom/press-releases/2020-09-17-gartner-survey-reveals-only-12-percent-of-cisos-are-considered-highly-effective

The good old days: cybersecurity awareness used to be so much simpler

June 29, 2007: Apple introduced the iPhone, and workforce cybersecurity changed forever. 

Even the experts didn’t see the coming revolution. I hosted a cybersecurity event for CISOs in New York that evening. At one point, I walked through the audience with a mic asking CISOs to discuss challenges in protecting their organizations. One cyber exec mentioned the new iPhone, unveiled that afternoon. “No way that thing is getting access to my network.” 

I saw the same CISO at a follow-up event in September and had to ask how things were going. He admitted, “The next week, my CEO told me to set up his new iPhone so he could use it anywhere.” It was the beginning of BYOD and WFH…and the next stage of cyber chaos.

Here’s why it’s more complicated than ever to engage employees

The fact is that most employees are far more sophisticated about cybersecurity than in those pre-iPhone days. They’re worried about protecting their kids and their aging parents. Most are aware of cyber basics. They just need to be informed of the latest threats in a language they can relate to. 

Are you doing that? It’s interesting to note what the Wall Street Journal concluded this week. One of the main tactics cyber professionals use to inform employees about cyber risks — company-delivered phishing emails designed to test and trap employees — doesn’t work.  

“When it comes to actually getting employees to resist future phishing attacks, these campaigns aren’t that effective. While early research suggested that phishing simulations could reduce click rates on subsequent fake phishing emails by about 50%, more recent studies in more realistic settings and with larger groups found little to no improvement in click rates after mock campaigns were conducted.”

Here is the strategy you need to consider.

At Aware Force, we’ve seen how effective it is to build trust and confidence among your employees. Reward them for their action and interest and give them safe ways to communicate with your team. 

Case in point: twice in recent months, employees have used the form in our twice-monthly cybersecurity newsletter to submit questions that turned out to be alerts about genuine business email compromise schemes. In less than 30 minutes, the cybersecurity teams were able to squash the targeted phishing emails for one reason: employees felt safe enough to ask questions. 

What should your takeaway from all this be?

Simple: use regular communication with your employees to build a safe communication channel with your workforce.

Engage your employees in cybersecurity all year long with content branded for your company from Aware Force. Check our Cybersecurity Newsletter page to know more or connect with us, and you'll see why organizations across the US and Canada use outstanding cybersecurity content — branded for them — and delivered by Aware Force.

AI and Cybersecurity

Just ask Google and Microsoft. Business is struggling to keep up with developments in artificial intelligence. In a relatively short time, Google Search is retooling to provide visitors with AI-infused multimedia content. Microsoft is rapidly integrating AI capability into Office 365 and Bing search.

In only three months, astrophysicist Neil deGrasse Tyson went from telling TMZ, “if AI eventually takes over all jobs, we can all go to the beach. After all, going to work is not embedded in our DNA, so society could reimagine how humans live”…

…to telling Fox News recently, “Part of me wonders, maybe AI will create such good fakes that no one will trust the Internet anymore for anything, and we just have to simply shut it down. Maybe it's the final nail in the coffin in the internet."

Talk about a moving target!

At Aware Force, we provide companies and organizations with relatable cybersecurity content, including videos, quizzes, and actionable one-sheets that engage their employees. Our initial thought was that AI wasn’t a significant threat (yet) to our business model because we source all our content. ChatGPT and other AI-based platforms scrape the web and deliver generic answers, and as a result, the content often contains errors or pure opinions. 

But during Google I/O recently, the company announced that its upcoming chatbot technology will provide information about sources. So, over time, AI will become an ever more reputable resource. 

That means our team must keep improving, delivering human-generated content that makes readers say, “Wow!” We have been using AI as a game changer in improving the quality of images, especially headshots of employees. We also find that AI-generated voices can be useful in replacing closed captioning in non-English language versions of our cybersecurity videos with voice narration. 

Artificial intelligence is also very good at improving the sentence structure of our content, both spelling and punctuation. We also use it to improve the content provided by our customers for insertion in their Aware Force newsletters. 

Where is AI coming up short, at least right now? Generating cybersecurity content, for one thing. The technology spits out text that matches the parameters it is given. But the text must be edited, sourced, and improved with additional, more recent facts. Image creation looks great in many examples, but try to create one yourself. If you’re not trained in instructing the technology — an arduous process — AI-generated images stink. 

Artificial humans are good for presentations, but your brain can spot shortcomings. Yes, the technology will rapidly improve (the company Synthesia is now valued at close to $1 billion). But right now, we’re not there. 

What does AI mean to cybersecurity professionals, after all?

AI's biggest danger to cybersecurity professionals is that it levels the playing field for phishing. Employees who fall for somewhat unbelievable emails and texts will be more apt to respond to AI-generated threats. 

That will force us all on the right side to up our game. Artificial Intelligence won’t kill our jobs. It will create more. It will refine our roles, pushing us to innovate and adapt.

As we said before: AI is growing in ways we didn't expect. Ignoring the role it plays in the shifting cybersecurity landscape is a dangerous game to play.

According to a CNBC article, generative AI is making ransomware attacks and phishing schemes easier to deploy. Companies are employing AI to shore up their cybersecurity defenses, but hackers are also using AI to find vulnerabilities and launch attacks.

Aware Force is aggressively adding AI-focused content to our cybersecurity news service, with employee readers telling their IT departments they appreciate the insight.

Check our Cybersecurity Newsletter page to get to know more or connect with us, and you'll see why organizations across the US and Canada use outstanding cybersecurity content — branded for them — delivered by Aware Force.

Vetting third-parties: important for organizations, a game-changer for vendors

Outsourcing cybersecurity services is becoming increasingly difficult because of tightening rules in the cyber insurance industry. That is creating an aggressive new approach to vetting vendors.

The process is becoming more exhaustive, especially in financial services. Service providers are being required to provide far more information about their cyber practices, sometimes with vetting that includes 250 or more data requirements.

Several high-profile cybersecurity incidents in recent years have highlighted the risks that vendors can pose to an organization’s data and systems. Target, Netflix, and Ticketmaster have suffered breaches, and coverage in media has damaged reputations and affected stock prices. Thousands of other incidents have gone unreported.

Understanding Third-Party Risk: Key Points

The potential for data breaches originating with vendors is increasing as organizations rely on them. Vendors have different levels of cybersecurity maturity, making it essential for organizations to assess and monitor their vendors' security practices.

The vendor risk assessment company Upguard is out with five things you need to know about third-party risk.

Jerry Archer, chief security officer for Sallie Mae, says that the real courtship begins once a vendor has passed the RFI stage. “I need to know their security teams,” Archer says. “I need to know if I can count on them. I need to know their expertise.” When that expertise is lacking, but “the business really wants to do work with a particular vendor,” he adds, “we send some of our subject matter experts to work with their folks to bring them up to a level that we deem appropriate.”

Insurers are also looking at how organizations authenticate third-party privileged users from vendor organizations who need access to sensitive data and company systems. Vendors require the same security, yet they are rarely given the same security consideration as employees. For instance, if a vendor is onboarded for a brief two-week engagement, they should be onboarded and offboarded following the same HR processes as a new employee to minimize risk.

Best practices to reduce third-party risks

  1. Assess third-party security testing and incident response plans.
  2. Ensure vendors share cybersecurity best practices and provide adequate training.
  3. Document data breach notification requirements in contracts.
  4. Rethink partnerships if vendors don't cooperate after breaches.
  5. Consider extending your cybersecurity programs to partners.

To strengthen your cybersecurity posture and raise awareness about cybersecurity best practices across your organization, Aware Force has the content you need.

Check our Cybersecurity Newsletter page to get to know more or connect with us and in 15 minutes, you'll see why Aware Force has raving fans across North America.

Cyber insurance rate increases are slowing, but the need for coverage is growing

Businesses are struggling to keep pace with the risks and costs associated with cybercrime. We’ve seen a surge in sophisticated incidents involving social engineering and AI. Most business owners underestimate the true extent of the risk to their organizations from not having adequate coverage.

Decision-makers need to recognize that general liability policies simply don't cover the damages caused by cybercrime. CISOs must convince others in leadership — particularly CFOs — that their organizations need adequate coverage.

A general liability policy does not cover cybercrime. “The CFO may feel like $50k in cyber coverage is adequate. But that is like dropping a dime in a mailbox,” says Ralph Pasquariello, veteran cyber insurance expert with the firm Snellings Walters. “If their business drops or stops because of a cyber incident, then they expect business interruption insurance to cover the revenue loss. But the company must have cyber insurance or business interruption is not covered.”

The importance of risk assessment

Pasquariello urges management to game it out: what does it look like when the big event happens? What will it cost? For even a midsize organization, $3 million in business interruption insurance isn’t enough — not even close. The revenue loss is huge for a $500 million company that’s down for three weeks. Add on forensics and reputational harm, and you’re looking at closer to $12 to $20 million.

Qualifying for cyber insurance

To even qualify for cyber insurance, insurers want to know if a potential client is taking defined steps to protect the organization. “Underwriters want to see the organization uses multifactor authentication,” says Pasquariello. “MFA won’t solve everything — it’s a tiny piece. But it is fundamental.”

“I got a panicked phone call from a CISO client. Someone who sounded like the CEO said these funds — $650,000 — had to be wired immediately. It sounded legit. The circumstances required knowledge of the client, which the caller had. It was a Friday afternoon on a holiday weekend. The money got wired, and the situation became clear the following Tuesday. By then, it was too late to claw back the money.”

Conclusion: Understanding the limits and benefits of cyber liability insurance

It is essential to understand that cyber liability insurance companies do not provide policies that cover cybersecurity oversight, avoidable mistakes, and negligence responsible for data loss or data theft, potential future lost profits, or loss of value due to theft of your intellectual property. While cyber insurance is a critical component of a comprehensive cybersecurity strategy, it should not be seen as a substitute for proactive measures to protect your organization from cyber threats.

Moreover, it's crucial to assess your organization's needs. Remember: 85% of companies experience at least one ransomware attack per year; three out of four have experienced more than that. 

9 out of 10 cyber attacks can be traced back to mistakes inadvertently made by employees. So, keeping cyber-safe behavior top of mind is crucial to protecting your company.

The solution: keep your employees engaged in cyber-security all year round. Offer snackable and relatable content they can apply to their daily work life and bring to their families at home with Aware Force.

Check our Cybersecurity Newsletter page to get to know more or connect with us and in 15 minutes, you'll see why Aware Force has raving fans across North America.

AI is growing in ways we didn’t expect

Among the organizations we work with at Aware Force, some are banning ChatGPT and other forms of AI among employees. Our team is looking at how AI is taking hold in the enterprise, and the conclusion we see is clear. Don’t avoid it. 

Your new hires expect you to embrace AI.

The number of job postings on LinkedIn mentioning GPT (the generative pre-trained transformers behind AI) has increased by more than 50% since the beginning of 2023. 

New numbers from Accenture show that over 60% of workers have a favorable view of the impact of AI on their work, and two-thirds acknowledge that they must develop their own skills to work with intelligent machines. 

The AI skills gap compounds a broader digital skills crisis. In a global survey of more than 23,000 workers, nearly three-quarters of respondents said they lack the necessary resources to learn the digital skills they need to succeed in the current and future workforce.

Most organizations are not yet budgeting for what will happen

Large companies, however, are not on the same page as employees. Business leaders believe only about one-quarter of their workforce is prepared for AI adoption. Yet only 3% are planning significant increases in their training budgets to meet the skills challenges posed by AI, according to MIT Sloan.

AI will help significantly improve training

One area where this is likely to be seen most significantly is employee training. The ease of use and immersive nature of AI and VR are taking employee training to a new level, said Tacy Byham, chief executive officer of DDI, an international human resources and leadership development consultancy company.

While new hires fluent in AI will be needed, AI will also be able to identify the skills of those already employed in the organization.

Human Resource Management Systems (HRMS) increasingly include skills inventories, giving organizations the ability to pivot quickly by reorganizing talent already available. At a moment's notice, skills inventories attempt to answer the question: Can we do business differently with our current employees or the talent available in the labor market?

Bose said the company has already trained over 100 engineers through its six-month program. Johnson & Johnson aims to digitally upskill 10,000 additional employees this year so they can use the tech to forecast sales or improve operations.

AI is an undeniable force. Embrace it now. 

The acceleration of AI in the workplace is an undeniable force that executives cannot ignore. Embracing it isn’t merely a matter of keeping up with trends but a strategic imperative to ensure an organization’s competitiveness and relevance in the market. Fearful skepticism or an outright ban on AI applications will not delay the inevitable: AI is here to stay!

Aware Force is aggressively adding AI-focused content to our cybersecurity news service, with employee readers telling their IT departments they appreciate the insight. 

Check our Cybersecurity Newsletter page to get to know more or connect with us, and you'll see why organizations across the US and Canada use outstanding cybersecurity content — branded for them — delivered by Aware Force.

Password managers: your employees have questions

Employees are more curious and confused about password management than any other cybersecurity topic. “How to choose a good password manager?” is the number 1 cybersecurity question employees asked through Aware Force’s employee Q&A engine over the past 12 months. 

Yes, employees at nearly all medium-to-enterprise size organizations receive extensive training in cybersecurity. But employees tell us their experience taking awareness training often exhibits three challenges:

This makes it difficult for employees to keep important cyber information fresh in their minds.

The solution is to provide your personnel with topical, engaging, and snackable content designed to capture employees' attention with its short, easily digestible format. 

Concise and targeted information allows employees to quickly grasp key concepts without feeling overwhelmed, improving information retention.

By integrating such content into daily routines, organizations can provide frequent reinforcement of important cybersecurity concepts. This approach fosters continuous learning, keeping critical knowledge fresh in employees' minds and promoting a security-conscious culture within the organization.

To ensure personnel are informed about the latest cyber threats and follow the best practices for online security to minimize their risk of falling victim to cyber-attacks and protect their personal information, Aware Force offers a whole library of cyber content tailored for your needs and branded for your organization. Check our Cybersecurity Library page to get to know more or connect with us. You'll see why organizations across the US and Canada use topical cybersecurity content — branded for them — delivered year-round by Aware Force.

Weak passwords: ransomware as a service targeting healthcare

The prevalence of ransomware is once again on the rise, jumping from the 22nd to the 5th most common type of malware, according to Verizon. That’s a reversal of the trend we saw in 2022. Key industries targeted by ransomware include public administration, healthcare, and financial services. 

A new study in the JAMA Health Forum says ransomware cases aimed at hospitals “more than doubled since 2016, exposing the personal health information of nearly 42 million patients. During the study period, ransomware attacks revealed larger quantities of personal health information and grew more likely to affect large organizations with multiple facilities.”

Exploit kits for hackers are using ransomware-as-a-service

Egregor ransom note

Ransomware-as-a-service, a commodified form of malware, offers lucrative extortion capabilities to anyone who can purchase it. The exploit kits used have evolved from Angler to Neutrino to RIG. According to Recorded Future, the latter can be rented for $200 per week as a crimeware-as-a-service. These exploit kits are delivered via phishing, accounting for 21% of incidents. Ransomware phishing emails often target employees in human resources and accounting departments, as they frequently open attachments.

Heimdal Security states that the RIG exploit kit detects eight vulnerabilities in unpatched software and downloads the Cerber ransomware onto a target system. Once the ransomware infects a victim's system, it encrypts their data and locks them out until they pay a ransom to decrypt their files. While the vulnerabilities constantly change, as of January 2023, they included flaws affecting Adobe Flash Player, Microsoft Edge, Internet Explorer, and Microsoft Silverlight.

Duo's 2016 Trusted Access Report: Microsoft Edition says almost two-thirds of devices running Internet Explorer had an outdated version of Flash installed, potentially making them susceptible to known vulnerabilities in the RIG exploit kit. Research from Cisco's Talos Intelligence Group on RIG payloads and user agent information indicates that the most commonly exploited victims include users browsing with Internet Explorer on Windows platforms.

When hackers gain entry to a system, shared passwords make it easier for them to access other parts of the network. A single security incident can quickly escalate into a full-blown breach if a hacker discovers a document full of shared passwords in one employee's Google account. This compromises the organization's security and can lead to legal issues if customers' privacy rights are violated.

To ensure personnel are informed about the latest cyber threats and follow the best practices for online security to minimize their risk of falling victim to cyber-attacks and protect their personal information, Aware Force offers a whole library of cyber content tailored for your needs and branded for your organization. Check our Cybersecurity Library page to get to know more or connect with us. You'll see why organizations across the US and Canada use topical cybersecurity content — branded for them — delivered year-round by Aware Force.

CISOs know the rules of password management, employees often do not

Employees of clients who distribute Aware Force e-news have more questions about password management than any other cybersecurity topic. They want to know if and how to use password management software on their personal devices. And because so many share work-related passwords with colleagues to be more efficient on the job, they still need to be reminded of the three best password practices:

Sharing passwords leads to privilege abuse, where employees misuse information they've been given legitimate access to, accidentally or intentionally.

Stolen or weak passwords are responsible for 81% of hacking incidents.

A recent survey by Beyond Identity revealed alarming statistics about employees' password habits: 

Aware Force produces videos, one-sheets, and quizzes about passwords, all tailored for our customers with logos and brand standards. Password-related content remains among our most popular.

Employees know less about password management than you might think. 

Poor password management
It's not for nothing that "123456" and "P@ssword!" are some of the most used passwords.

The key takeaway is that cybersecurity professionals consider proper password security to be basic and understood by all employees. It isn’t. By engaging employees with content about best practices and common mistakes, such as sharing passwords or reusing the same password across multiple accounts, organizations can significantly reduce the risk of cyber threats and protect both employees' personal information and the organization's sensitive data.

CISOs, IT Managers, and other leaders can be facilitators regarding cybersecurity awareness. One of the best ways to do so is by empowering employees with snackable, relatable, and easy-to-use content.

Ensure your personnel are informed about the latest cyber threats and follow the best practices for online security to minimize their risk of falling victim to cyber-attacks and protect their personal information. A well-informed worker (techie or not) will follow the best practices for password management.

To assist with this vital task, engage your employees in cybersecurity all year long with content branded for your company from Aware Force.
Check our Cybersecurity Newsletter page to get to know more or connect with us, and you'll see why organizations across the US and Canada use outstanding cybersecurity content — branded for them — delivered by Aware Force.

Employees’ top five cybersecurity questions: here’s #1

With each edition of the Aware Force cybersecurity newsletter, employees are able to send comments, suggestions, and, most importantly, their cybersecurity questions.

Over the past 12 months, the most common cybersecurity question from employees involves “how to select a good password manager.”

40% of respondents to the newsletter’s Cybersecurity Q&A feature asked whether they needed password management software, how to use it, whether it’s safe to use one, and what they should do following the security breach of the password management company LastPass.

While Aware Force does not recommend specific products, an analysis of trade publications and consumer technology sources ranks Dashlane, BitKeeper, Zoho, BitWarden, 1Password, and NordPass among the top choices for password managers. 

Aware Force advises organizations to have a password policy covering access to any online assets. Whether accounts are used for testing, workstation setups, day-to-day use, or superuser/root privileges, establishing and maintaining a firm password management policy is the foundation of a secure organization.

Employees asked, “is it safe to use the password manager built into my web browser?”

Our answer: Most web browsers offer at least a rudimentary password manager. Dedicated password managers offer a more comprehensive solution for securing your online accounts. These managers provide enhanced security features like two-factor authentication, password strength analysis, and breach alerts. In addition, they are compatible with a wide range of devices and platforms, making them more versatile than their browser-based counterparts.

Therefore, you may need more than browser-based password managers to provide the level of security necessary to protect your company. Instead, using a dedicated password manager offers a more robust defense against potential cyber-attacks.

Your employees’ habits are not helping

According to a study by Pew Research Center, only 12% of online adults say that they ever use password management software to keep track of their passwords. Another study by Panda Security found that just 15% of Americans use an online password manager. As for built-in browser password managers, according to the same Pew Research Center study mentioned earlier, 18% of online adults say they save their passwords using the built-in password-saving feature available in most modern browsers.

Alarming statistics about password management and cybersecurity

If you’re a fan of statistics, this might have your cyber sensors triggering all over the place: Google has released some data about passwords that should be concerning to organizations:

The Ponemon Institute also has companies’ perspective:

In short, we have a combination of widespread bad habits and an organizational need for adequate systems to protect data. The result: a feast for cybercriminals.

How should employees choose a password manager for their personal computers?

When selecting the right password manager for a company or personal use, it's essential to consider these factors:

Reading user reviews and professional assessments from reputable sources can also help you make an informed decision.

In light of the LastPass security breach, users of any password manager should be cautious and follow best practices for online security:

In conclusion, password managers can significantly improve the security of your online accounts by generating and storing strong, unique passwords. 

While browser-based password managers offer a basic level of protection, dedicated password managers offer a more comprehensive solution.

Ensure your personnel are informed about the latest cyber threats and follow the best practices for online security to minimize their risk of falling victim to cyber-attacks and protect their personal information. A well-informed worker (techie or not) will follow the best practices for password management.

To assist with this vital task, engage your employees in cybersecurity all year long with content branded for your company from Aware Force.
Check our Cybersecurity Newsletter page to get to know more or connect with us, and in 15 minutes, you'll see why organizations across North America use cybersecurity content — branded for them — delivered by Aware Force.

Business Email Compromise: The changing economy exposes a growing threat

Rising unemployment will give hackers a powerful way to infiltrate organizations by exploiting employees who are nervous about their jobs.

Taking advantage of this scenario, scammers are posing as job seekers, targeting those in human resources (HR) and using a social engineering tactic known as Business Email Compromise (BEC) to spread ransomware across a company’s network. Once inside, scammers can use their newfound contacts to target executives with dedicated emails designed to steal intellectual property.

The hackers know that HR personnel are accustomed to opening attachments from unknown senders and seize the opportunity to turn these employees into unwilling insider threats.

Deloitte reports that 70% of the cases handled by Palo Alto’s incident response team consisted of Business Email Compromises.

Mike McLellan, Director of Intelligence at Secureworks, says BEC attacks require little to no technical skill but can be highly lucrative. "Attackers can simultaneously phish multiple organizations looking for potential victims without needing to employ advanced skills or operate complicated affiliate models."

Jobseekers also targeted

As if the rise of job scams on popular search sites weren't concerning enough, scammers are now using fake job offers to hack into organizations.

New research by KnowBe4 and Checkpoint have found that phishing emails targeting LinkedIn accounts are rising fast. These attacks are designed to trick users into clicking on a malicious link or downloading a file that contains malware. As LinkedIn becomes an increasingly popular platform for professional networking and concern about unemployment among workers rises, these attacks are becoming more common.

These phishing attacks often take the form of fake job offers or messages that appear to come from LinkedIn itself. Such messages may ask users to update account information or click on a link to view a job offer, but in reality they are designed to steal the user's personal information or install malware on their computer. If the user is on a company computer, this could open the organization’s doors to criminals.

LinkedIn urges employees and managers to be aware of six common signs that a job posting might not be authentic:

  1. Contact can’t be found in a Google search
  2. No company information
  3. Grammatical errors & spelling mistakes
  4. Job offers that require upfront payments
  5. Personal information is required immediately
  6. Sounds too good to be true

There are different reasons why someone would post a fake job offer. Some companies like to have resumes on file, or employers might be testing the water or gauging the current talent pool. However, users must exercise caution when communicating with potential employers online and report any suspected fake job listings to the appropriate authorities.

How can employees be cyber-safe and detect possible scams?

Cyber and IT leadership can reduce risk by communicating regularly with the workforce. To protect themselves from these attacks, personnel should be wary of unsolicited messages or job offers and take precautions such as enabling two-factor authentication and keeping anti-virus software up to date on personal devices. Users should also be cautious of messages that ask for personal information or require them to download files or click on links.

IT decision-makers are aware of this threat…and they’re concerned

Arctic Wolf recently surveyed over 900 global security leaders about their top concerns, and the results showed that Business Email Compromise is a social engineering tactic that needs to be top of mind. 52% of organizations experienced a breach in the past 12 months; of those, a third were BEC attacks. BEC attacks were also listed as the “top concern” for 38% of respondents.

How can Cybersecurity and IT leaders mitigate these cyber threats?

Many companies implement email filters. However, it takes only a few emails slipping past the filters into employees’ inboxes. Companies that have fallen victim to these attacks include Facebook, Google, Toyota, and Ubiquiti…all suffering multimillion-dollar losses.

As a leader, ensuring your employees have high cybersecurity awareness and empowering them to be your strongest line of defense against cyber attacks is highly effective. A well-informed worker (technical or not) will be able to detect a scam and report it to your team.

To assist with this vital task, engage your employees in cybersecurity all year long with content branded for your company from Aware Force.

Check our Cybersecurity Newsletter page to get to know more or connect with us, and in 15 minutes, you'll see why Aware Force has raving fans across North America.