3 Times Security Awareness Training Would Have Saved the Day
Real-World Examples of Cybersecurity Nightmares That Could Have Been Avoided
Security and compliance awareness training transforms a company’s greatest security risk — its people — into its greatest defensive asset. When companies empower their employees through security awareness training, they gain a host of unbeatable benefits like reduced security costs, increased compliance and a big edge against cyberattacks. These scenarios offer concrete examples of the cyber dangers that organizations are facing today and the consequences of failing to prepare employees to handle them.
Excerpted in part from the NEW eBook The Business Case for Security Awareness Training. DOWNLOAD IT>>
Scenario 1: A Ransomware Nightmare
A ransomware attack takes place every 11 seconds, and no business is safe from this menace. The most likely tool cybercriminals use to launch ransomware attacks is phishing email — and if employees aren’t aware of what to be on the lookout for, it could spell disaster.
Here’s how an incident like this might unfold:
An employee checks the messages in their email inbox. They open a message that tells them that they need to fill out some important human resources paperwork right away. Conveniently, the form they need to complete is attached to the email. The employee quickly opens the attachment to take care of it. However, they don’t just download a form — they also download ransomware. About 50% of ransomware attacks target businesses with fewer than 100 employees.
What might happen if an employee action at my company causes this security failure?
The cybercriminals perpetrating this attack might use ransomware to do any number of devastating things:
- Encrypt the victim company’s data, computers, machines, production line or other business systems, paralyzing their operations.
- Steal data, records, employee information, patient files, formulas, blueprints, financial data, customer lists or other proprietary data.
- Threaten to damage the victim company by publicizing the attack or releasing information in the stolen data that could cause the victim embarrassment or harm.
- Demand payment to provide remedies for these problems — and the average ransom demand is $570,000.
Possible Outcomes
Nothing good awaits a business that fails to defend against a ransomware attack.
Possibility: The attacked organization agrees to pay the ransom in a misguided attempt to resume normal business quickly.
- However, fewer than 60% of companies that pay the ransom when they’ve been hit by a ransomware attack are able to recover even part of their data. In fact, 39% of companies that pay a ransom never see any of their data again.
- Paying ransoms may be illegal, and cyber insurance is unlikely to cover the ransom payment.
- Experts estimate that 80% of companies that pay the ransom get hit with a second ransomware attack, often within 12 months of the first.
Possibility: The victim company will most likely experience downtime, potentially losing revenue and business opportunities. Companies impacted by ransomware lose an average of six working days.
- An estimated 70% of the damaged company’s employee productivity is lost while the incident is being remediated.
Possibility: Regulators pounce because the victim has violated data protection rules, slapping the victim with big penalties that raise the cost of a data breach by an average of $2.3 million.
Possibility: The company that was successfully attacked experiences reputation damage through bad publicity.
- Nearly two out of every three consumers would likely avoid doing business with an organization that experienced a cyberattack in the past year.
How does security awareness training help?
Trained employees are alert to the danger presented by unexpected messages, even when they’re official sounding. They’re also armed with the skills that they need to take the right actions when faced with a suspicious message, like checking for common red flags that indicate phishing. The knowledge that employees gain from security awareness training improves phishing awareness by an estimated 40%.
Scenario 2: A BEC Disaster
While ransomware may be the cyberattack that gets all the attention, business email compromise (BEC) is the cyberattack that can do the most damage to businesses. BEC is the costliest cybercrime, with an adjusted loss of approximately $1.8 billion in 2021. BEC typically starts with a phishing message and ends with cybercriminals getting cash or credentials from the victim.
Here’s how a BEC incident might unfold for a business:
An employee at Company A receives an email that appears to be from their contact at Company B — a service provider for Company A. The email tells the user that they need to pay a legitimate outstanding invoice and warns that their service may be disrupted if they don’t pay it immediately. Company A usually pays Company B via wire transfer. The message advises Company A that Company B’s banking information has changed, and Company A should send payment to this new account. Company A complies, sending a large sum of money to the new account. However, there is no new account for Company B, and Company A has been scammed.
What might happen if an employee action at my company causes this security failure?
Any or all of the following could happen, and all of these consequences are unpleasant.
If you work at Company A:
- Your company sends money, which is almost always unrecoverable, to cybercriminals via wire transfer, gift card or electronic payment.
If you work at Company B:
- An employee gives up their password, enabling cybercriminals to log in to your systems.
- Bad actors obtain a privileged password that allows them to access sensitive systems or data.
- Cybercriminals take over accounts that enable them to pose as your company to commit other cybercrimes.
Possible Outcomes
Both companies incur big expenses and big-time trouble.
Company A
- An employee transfers large sums of money to the cybercriminals. The median cost of a BEC loss is $764,000.
Company B
- The cybercriminals are able to snatch credentials that give them access to a privileged user account, like an administrator account, that allows them to deploy ransomware or other malware.
- The victim company has to undertake an expensive, time-consuming incident response. BEC has the highest cost per incident of any cyberattack.
- The threat actors are able to use the employee password that they obtained to access data like customer lists, client or patient files, and financial information.
- The bad guys steal customer PII (Personally Identifiable Information), an element included in 44% of breaches at an average cost of $180 per record.
- Bad actors are able to take over a legitimate employee email account and use that account to pose as legitimate representatives of the employee’s company to launch new BEC schemes.
How does security awareness training help?
If you’re Company A, training helps by making employees more vigilant. A security-savvy employee would smell a rat in this scenario. They’d know the best practice here would be to contact Company B via other means (like a phone call) to verify the legitimacy of the request and notify their supervisor or IT team of the issue.
If you’re Company B, training helps by teaching employees to be wary of anyone asking for their login credentials. Security awareness training empowers employees with the knowledge that they need to avoid cybercriminal traps like this one, which can lead to a BEC incident. That’s one reason why security-related risks are reduced by 70% when businesses invest in cybersecurity awareness training.
By preventing an employee from getting fooled, Company B also avoids an expensive, stressful incident investigation and cleanup. Even a modest investment in security awareness and training has a 72% chance of significantly reducing the business impact of a cyberattack.
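The control described above for Company A, verifying a changed payment destination through a channel other than the email that requested it, can be enforced in the accounts-payable workflow rather than left to an individual's judgment. The following Python example is added here and is not part of the original post or of any ID Agent product; the vendor records, bank details, phone numbers and helper names are all constructed for the demonstration. The key design point it shows is that the callback must go to the phone number already on file from vendor onboarding, never to a number supplied in the suspicious message, because an attacker who can change the bank details can also change the contact number.

```python
"""Hold-and-verify control for vendor bank-detail changes (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BankAccount:
    routing: str
    account: str


@dataclass
class VendorRecord:
    """Vendor master entry. callback_phone comes from onboarding, never from an email."""
    name: str
    bank: BankAccount
    callback_phone: str


@dataclass
class PaymentRequest:
    """An invoice or payment instruction as received, including any contact number it carries."""
    vendor: str
    amount: float
    bank: BankAccount
    phone_in_message: Optional[str] = None


@dataclass
class Verification:
    """Record of an out-of-band callback confirming a new bank account for a vendor."""
    vendor: str
    new_bank: BankAccount
    phone_called: str
    confirmed_by: str


def evaluate_payment(req: PaymentRequest,
                     master: Dict[str, VendorRecord],
                     verifications: List[Verification]) -> Tuple[str, str]:
    """Return (decision, reason). Decisions: release, release-after-update, hold."""
    rec = master.get(req.vendor)
    if rec is None:
        return ("hold", "vendor not in master file")
    if req.bank == rec.bank:
        return ("release", "bank details match vendor master")
    # Bank details differ from the master record: a BEC red flag. Release only if a
    # callback to the number ON FILE has confirmed exactly this new account.
    for v in verifications:
        if v.vendor == req.vendor and v.new_bank == req.bank:
            if v.phone_called != rec.callback_phone:
                return ("hold", "verification used a number not on file; call "
                                f"{rec.callback_phone} instead")
            return ("release-after-update",
                    f"change confirmed by {v.confirmed_by} via {v.phone_called}; "
                    "update vendor master before paying")
    return ("hold", f"bank details changed; verify by calling {rec.callback_phone}")


# --- Constructed sample data (not real vendors or accounts) ---
OLD_BANK = BankAccount(routing="011000015", account="000123456")
NEW_BANK = BankAccount(routing="021000021", account="000987654")
MASTER = {"Company B": VendorRecord("Company B", OLD_BANK, callback_phone="+1-555-0100")}

# The scenario from the post: the email says the account changed and gives its own contact number.
SUSPICIOUS_REQUEST = PaymentRequest("Company B", 48000.00, NEW_BANK, phone_in_message="+1-555-0199")
NORMAL_REQUEST = PaymentRequest("Company B", 12000.00, OLD_BANK)


def decide_with(verifications: List[Verification]) -> str:
    """Convenience wrapper: decision for the suspicious request under a given verification log."""
    return evaluate_payment(SUSPICIOUS_REQUEST, MASTER, verifications)[0]


if __name__ == "__main__":
    print(evaluate_payment(NORMAL_REQUEST, MASTER, []))
    print(decide_with([]))
    # Employee called the number printed in the email: attacker answers, so this must still hold.
    print(decide_with([Verification("Company B", NEW_BANK, "+1-555-0199", "J. Doe")]))
    # Employee called the onboarding number on file and the vendor confirmed the change.
    print(decide_with([Verification("Company B", NEW_BANK, "+1-555-0100", "J. Doe")]))
```

Pairing this with a "notify your supervisor or IT team" step is straightforward: every `hold` decision is the trigger for that escalation, and the reason string tells the employee which number to call.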
Scenario 3: A Human Error Calamity
Employees are human, and human beings make mistakes. While those mistakes are sometimes just unfortunate problems, more often than not employees make bad choices when it comes to security because they just don’t know any better — like entering their password on a phishing site or falling for social engineering tricks. Employee mistakes, whether they’re caused by carelessness or simple ignorance, create over 60% of security incidents.
Here’s how an employee mistake incident like this might unfold for a business:
An employee receives an email telling them that they need to change their password for Office 365. The email contains a link to help them do it. The unsuspecting employee clicks on the link, which goes to a web page that looks legitimate to them — it has Microsoft’s logo and everything. The employee then enters their password and chooses a new one. However, the email prompting the password change as well as the web page are fake, and the employee just gave their login credentials to cybercriminals.
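Scenario 1 (the "HR paperwork" attachment) and Scenario 3 (the fake Office 365 password reset) share the same red flags that awareness training teaches people to look for: a sender whose address does not match who they claim to be, a Reply-To pointing somewhere else, pressure to act immediately, links whose visible text differs from their real destination or whose host merely contains a brand name, and macro-capable or executable attachments. The Python triage below, added here as an illustration and not code from the original post or from any ID Agent product, runs those checks over three constructed messages (an HR-form lure, an Office 365 reset lure and a benign internal note). The brand allowlist, the `.example` domains and the keyword lists are assumptions for the demo, and the registrable-domain helper is a deliberate approximation that ignores the public suffix list.

```python
"""Phishing red-flag triage for inbound mail (added example, constructed messages)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("immediately", "right away", "urgent", "within 24 hours", "will be suspended")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm", ".zip", ".html")
INTERNAL_ROLE_RE = re.compile(r"\b(hr|human resources|it support|payroll|helpdesk|help desk)\b")
# Assumed allowlist: domains a brand legitimately sends from or links to.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com", "office.com"}}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (a real deployment would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_email(raw, internal_domain):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    sender_domain = sender.domain.lower() if sender else ""
    display = (sender.display_name if sender else "").lower()

    if sender_domain != internal_domain and INTERNAL_ROLE_RE.search(display):
        flags.append(f"external sender {sender_domain} claims internal role '{display}'")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display and registrable_domain(sender_domain) not in domains:
            flags.append(f"display name mentions {brand} but sender domain is {sender_domain}")
    reply = msg["Reply-To"]
    if reply and reply.addresses and reply.addresses[0].domain.lower() != sender_domain:
        flags.append(f"reply-to domain {reply.addresses[0].domain} differs from sender domain")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if any(w in (str(msg["Subject"] or "") + " " + body).lower() for w in URGENCY_WORDS):
        flags.append("urgency language in subject or body")

    if body_part is not None and body_part.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(body)
        for href, anchor in extractor.links:
            host = (urlparse(href).hostname or "").lower()
            if anchor.startswith("http"):  # visible URL vs real destination
                shown = (urlparse(anchor).hostname or "").lower()
                if registrable_domain(shown) != registrable_domain(host):
                    flags.append(f"link text shows {shown} but points to {host}")
            for brand, domains in BRAND_DOMAINS.items():
                if brand in host and registrable_domain(host) not in domains:
                    flags.append(f"lookalike host {host} uses brand name {brand}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {name}")
    return flags


def _build_samples():
    """Construct the three demo messages with the stdlib so the example runs offline."""
    hr = EmailMessage()
    hr["From"], hr["To"] = '"HR Department" <hr-forms@payroll-docs.example>', "jane@acme.example"
    hr["Subject"] = "Important HR paperwork - complete immediately"
    hr.set_content("Please complete the attached form right away to avoid payroll delays.")
    hr.add_attachment(b"placeholder bytes, not a real document", maintype="application",
                      subtype="octet-stream", filename="Benefits_Form.docm")
    o365 = EmailMessage()
    o365["From"] = '"Microsoft 365 Support" <support@secure-mail-notice.example>'
    o365["To"], o365["Reply-To"] = "jane@acme.example", "helpdesk@reset-portal.example"
    o365["Subject"] = "Action required: change your Office 365 password right away"
    o365.set_content('<html><body><p>Your password expires today.</p>'
                     '<a href="https://login.microsoft-account-reset.example/auth">'
                     'https://login.microsoft.com</a></body></html>', subtype="html")
    benign = EmailMessage()
    benign["From"], benign["To"] = "Bob Jones <bob@acme.example>", "jane@acme.example"
    benign["Subject"] = "Lunch Thursday?"
    benign.set_content("Want to grab lunch this Thursday?")
    return hr.as_string(), o365.as_string(), benign.as_string()


SAMPLE_HR_FORM, SAMPLE_O365_RESET, SAMPLE_BENIGN = _build_samples()

if __name__ == "__main__":
    for name, raw in (("hr", SAMPLE_HR_FORM), ("o365", SAMPLE_O365_RESET), ("benign", SAMPLE_BENIGN)):
        print(name, triage_email(raw, "acme.example"))
```

Two or more flags on one message is a reasonable threshold for routing it to the report-phishing queue; the same checklist, read by a person rather than a script, is what the training in this post aims to instil.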
What might happen if an employee action at my company causes this security failure?
Any or all of the following security nightmares could unfold:
- The bad guys snatch an employee or privileged user’s credentials.
- Someone sends an unauthorized person a sensitive file.
- Company systems become infected with malware like ransomware.
- Cybercriminals gain access to proprietary information or protected data.
- Bad actors take over an employee user account.
Possible Outcomes
One employee mistake can kick off a chain of events that ends in a disaster.
- Bad actors use stolen login credentials to deploy ransomware or otherwise harm the victim company. Almost 30% of untrained users in a social engineering study fell for phishing lures that enticed them to click on malicious links, download suspicious files and email attachments, enter their credentials at a fake site and even correspond with cybercriminals.
- Cybercriminals are able to steal data from the employee’s company — 95% of data breaches are caused by people making mistakes.
- Bad actors access or obtain protected data, resulting in the company incurring a large penalty and the potential loss of a contract.
- The victim’s employer must now begin an incident investigation and response. About 60% of organizations say employee-involved security incidents have become more frequent.
How does security awareness training help?
- Security awareness training improves overall password security by as much as 50%.
- Security awareness training reduces the costs that companies incur because of phishing like lost productivity and incident response by more than 50%.
Security and Compliance Awareness Training is Easy and Affordable
With risks like these around every corner, it’s easy to see why every company needs to make a powerful defense against phishing a top priority to avoid joining the ranks of the 60% of businesses that fold in the wake of a cyberattack. The ID Agent digital risk protection platform answers that call.
BullPhish ID – This freshly revamped security awareness training solution is packed with features that make the training process efficient, effective and easy.
- Preloaded phishing kits help employees learn to spot and resist the phishing lures or scenarios they face every day.
- Video lessons on subjects like ransomware, compliance, password safety, security hygiene and more give every employee a solid grounding in cybersecurity best practices.
- We add 4 new videos a month in 7 languages to make sure that your users are trained on the risks and compliance requirements that they’re facing right now!
- Automate training delivery, testing and reporting.
Book a demo of BullPhish ID now!