In 2019, the most common source of data breaches in Australia was malicious or criminal attacks. Is your email secured?

Email is still the most common way we communicate information between customers, co-workers and partners, yet even in the modern era of cloud-empowered corporate environments, it remains a significant security risk for many businesses not prepared to combat malicious actors, phishing and intentional data breaches.

More organisations than ever before are investing in cybersecurity to secure themselves against external attacks. However, many still fail to notice one of the other most significant data security vulnerabilities – their own employees.

According to the latest report by the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme, covering 1 January 2019 to 31 March 2019, 61% of notified data breaches were the result of malicious or criminal attacks, 35% were due to human error, and system faults accounted for only 5%.

Source: OAIC


Why are data breaches caused by human error increasing in 2019?

Many of the data breaches logged in the latest NDB report exploited a human factor, such as an employee clicking a link in a phishing email, or social engineering and impersonation being used to gain access.

While advanced email gateway filters keep out most spam and viruses, the real danger lies in scam emails disguised as legitimate messages, which are often delivered straight to the inbox.

Source: OAIC

To avoid data breaches in your workplace, raising staff awareness of email security needs to be a priority for every business.

This article breaks down the top 5 malicious email threats to watch out for, and what you should be looking for to avoid loss of data or privacy.

#1 – Phishing Emails

Phishing emails are one of the most common types of malicious email causing human-led data breaches. While there are plenty of ways to combat them, many are becoming more sophisticated and harder to detect.

At first glance, many phishing attempts appear authentic, such as the example below.

If an employee clicks the link in the email, they are redirected to a site that may look just like the authentic one. It is, however, a duplicate site that prompts the user to enter sensitive information such as usernames, passwords or sometimes financial (bank and credit card) account details.

What are the easiest ways you can prevent these attempts from succeeding?

  • Check whether the message was sent from a public email domain (such as a free webmail service) rather than the organisation's own domain.
  • Remain watchful for suspicious links.
  • Always confirm where a link leads before opening it by hovering your mouse over it; the destination address appears in a small bar, as in the image above.
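The two checks above (sender on a public webmail domain, and a link whose visible text names one site while its real destination is another) can be applied automatically to an incoming message. The following is an added example written for this article, not code from the original page or from MODEX; the list of public mail domains and the sample message are constructed for the demonstration.

```python
"""Constructed example (not from the original article): apply the phishing
checks described above to an email programmatically.

  * sender_is_public_domain(): is the From address on a free/public webmail
    domain rather than the organisation's own domain?
  * find_suspicious_links(): does a link's visible text name one host while
    its href actually points somewhere else (what hovering would reveal)?
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of public webmail domains; extend it for your environment.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def sender_is_public_domain(from_address: str) -> bool:
    """True if the sender uses a public webmail domain (a common phishing tell)."""
    domain = from_address.rsplit("@", 1)[-1].strip().lower().rstrip(">")
    return domain in PUBLIC_MAIL_DOMAINS


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, text) tuples
        self._current = None   # [href, text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _host(url_or_text: str) -> str:
    """Hostname of a URL, or of text that looks like a bare host/URL."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def find_suspicious_links(html_body: str):
    """Return links whose visible text looks like a URL but names a different
    host than the real destination in the href."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown, real = _host(text), _host(href)
        # Only compare when the visible text itself looks like a host or URL.
        if shown and "." in shown and real and shown != real:
            findings.append({"shown": shown, "actual": real, "href": href})
    return findings


# Constructed sample message in the style of the lure described above.
SAMPLE_FROM = "Accounts Team <accounts.team.au@gmail.com>"
SAMPLE_BODY = """
<p>Your invoice is overdue. Review it at
<a href="http://login.example-bank.co.invalid/verify">https://www.example-bank.com.au/</a>
or contact <a href="https://www.example-bank.com.au/contact">https://www.example-bank.com.au/contact</a>.</p>
"""

if __name__ == "__main__":
    print("Sender on public webmail domain:", sender_is_public_domain(SAMPLE_FROM))
    for finding in find_suspicious_links(SAMPLE_BODY):
        print(f"Link shows {finding['shown']} but actually goes to {finding['actual']}")
```

The hostname comparison is deliberately strict; legitimate mail that routes links through a click-tracking redirector will also be flagged, so in practice the check is a signal to review the message, not a verdict on its own.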

MFA is Essential

#2 – Lack of Multi-Factor Authentication

Although it’s one extra step to a log-in process, Multi-Factor Authentication (MFA) provides a much stronger defence for your email accounts.

If your password is compromised but MFA is enabled, an attacker cannot log in with the password alone, as access requires two distinct forms of authentication, such as:

  • Phone number
  • Secondary email address
  • Secret question

Most modern email and software platforms, like Microsoft 365, make it very clear to users that MFA is available and that it should be used. Despite its widespread availability and ease of setup, the majority of business users still do not set it up, resulting in far more cases of identity theft and data breaches than necessary.

Having MFA enabled will not remove all risk, of course. However, it safeguards your account even if your password has been compromised, makes you a much less attractive target and reduces your risk dramatically.

#3 – Unverified email attachments

It's always good practice to treat email attachments you aren't expecting with caution, especially if you don't know the sender.

Malicious code often masquerades as a Word document or some other file type; scammers can easily change the .EXE extension of a malicious file to .DOC so that it looks harmless.

If you think you may have received such a file, it's best to check with your IT team before doing anything with it, or run a virus scan over your email to double-check its authenticity.
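A renamed executable keeps its real contents even when its extension says .DOC, so a scanner (or a mail gateway) can compare the leading bytes of an attachment with what its extension claims. The code below is an added example written for this article, not code from the original page or from MODEX; the signature table is a small constructed subset and the sample attachments are constructed byte strings.

```python
"""Constructed example (not from the original article): decide whether an
attachment's contents match its file extension, rather than trusting the
name the sender gave it."""
import os

# Leading bytes ("magic numbers") of a few common attachment types.
# Constructed subset; a real scanner uses a much larger table.
SIGNATURES = {
    b"MZ": "Windows executable (PE)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "legacy Office (OLE) document",
    b"PK\x03\x04": "ZIP container (.docx/.xlsx/.pptx)",
    b"%PDF": "PDF",
}

# Which detected type each extension is allowed to have.
EXPECTED = {
    ".doc": {"legacy Office (OLE) document"},
    ".xls": {"legacy Office (OLE) document"},
    ".docx": {"ZIP container (.docx/.xlsx/.pptx)"},
    ".xlsx": {"ZIP container (.docx/.xlsx/.pptx)"},
    ".pdf": {"PDF"},
    ".exe": {"Windows executable (PE)"},
}


def detect_type(data: bytes) -> str:
    """Name the file type from its leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected content type.

    verdict is one of:
      'ok'                      contents match the extension
      'executable disguised'    PE contents under a non-.exe name
      'content/extension mismatch'  a known type that is not what the name says
      'unrecognised'            neither the name nor the bytes are known
    """
    ext = os.path.splitext(filename.lower())[1]
    detected = detect_type(data)
    if detected == "Windows executable (PE)" and ext != ".exe":
        verdict = "executable disguised"
    elif ext in EXPECTED and detected not in EXPECTED[ext]:
        verdict = "content/extension mismatch"
    elif ext not in EXPECTED and detected == "unknown":
        verdict = "unrecognised"
    else:
        verdict = "ok"
    return {"filename": filename, "extension": ext,
            "detected": detected, "verdict": verdict}


# Constructed sample attachments: only the header bytes matter here.
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60          # a PE header, named .doc
REAL_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, blob in [("invoice.doc", RENAMED_EXE),
                       ("invoice.doc", REAL_DOC),
                       ("notes.docx", REAL_DOC),
                       ("report.pdf", REAL_PDF)]:
        result = check_attachment(name, blob)
        print(f"{name}: detected {result['detected']} -> {result['verdict']}")
```

The check only reads the first few bytes, so it is cheap enough to run on every attachment; anything other than `ok` is a reason to hold the message for the IT team rather than open the file.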

Free Wi-Fi Caution

#4 – Unprotected use of Public Wi-Fi

Always use protection.

That age-old mantra also applies to Wi-Fi connections, especially those offered in public spaces.

A surprising number of business users access and share sensitive information while their devices are connected to unverified Wi-Fi, which is a hotspot (no pun intended) for hackers to infiltrate unsuspecting staff and cause unnecessary data breaches.

Be vigilant about your use of public Wi-Fi. Avoid accessing bank accounts, email, corporate files, online shopping or other sensitive personal information. If you must use public Wi-Fi for these purposes, always ensure your anti-virus and security centre is up to date, online and running active scans.

#5 – Weak passwords

A weak password made up of a common string of letters or numbers is one of the ways malicious attackers cause data breaches in businesses.

A secure password is the first step to safeguarding your personal information and assets and protecting yourself from identity theft. Avoid re-using the same password or using personal information that would be easy to guess, and take advantage of password managers such as LastPass or the in-built protection provided by solutions like Microsoft 365 for the best password security possible.
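The weaknesses this section names (common strings, sequences, easily guessed personal details, and re-use) are exactly what a password policy check should reject before a password is accepted. The following is an added example written for this article, not code from the original page, from MODEX, or from any password manager; the common-password list is a small constructed stand-in for a real breached-password set.

```python
"""Constructed example (not from the original article): the checks a
password-change form or policy can apply to reject the weak passwords
described above."""
import re

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _has_char_sequence(s: str, run: int = 4) -> bool:
    """abcd, 1234, dcba: `run` consecutive characters stepping +1 or -1."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_run(s: str, run: int = 4) -> bool:
    """qwer, asdf, mnbv: `run` adjacent keys along one keyboard row."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in s or piece[::-1] in s:
                return True
    return False


def weak_password_reasons(password: str, personal_info=(), previous=()):
    """Return the reasons a password is weak; an empty list means it passed.

    personal_info: strings an attacker could guess (name, birth year, ...).
    previous:      the user's earlier passwords, to block re-use.
    """
    reasons = []
    lowered = password.lower()
    base = re.sub(r"[\d\W_]+$", "", lowered)   # "Password1!" -> "password"

    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("based on a common password")
    if _has_char_sequence(lowered):
        reasons.append("contains a sequential run such as abcd or 1234")
    if _has_keyboard_run(lowered):
        reasons.append("contains a keyboard-row run such as qwer")
    if re.search(r"(.)\1{2,}", lowered):
        reasons.append("repeats the same character three or more times")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            reasons.append(f"contains personal information ({item})")
    if any(lowered == old.lower() for old in previous):
        reasons.append("re-uses a previous password")
    return reasons


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    for candidate in ("Password1!", "Jane1985qwerty!!", "Tangerine!Lamp#Orbit92"):
        found = weak_password_reasons(candidate, personal_info=("Jane", "1985"))
        print(candidate, "->", found or "accepted")
```

Run server-side on a password change, the function gives the user the specific reason a password was rejected, which is far more effective than a bare "password too weak" message; a password manager sidesteps all of these checks by generating long random strings in the first place.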

Need help with email security? Talk to MODEX