By Felicia King
President & CEO, QPC Security

Navigating a technology-filled world

Technology is changing and evolving at a rapid pace, all around us. With the birth of the internet in 1983 came more efficient ways to collaborate with others around the globe. Technology started evolving even more rapidly with these collaboration efforts. Today, the internet is widely available and accessible to almost anyone, anywhere. Unfortunately, that also means that this wonderful resource is available to people with nefarious intent. It is not always easy to pick them out from the crowd, and it is impossible to avoid them completely.

What are threat actors?

Threat actors, also known as cyberthreat actors or malicious actors, intentionally cause harm to digital devices or systems. These individuals or groups primarily target organizations for two reasons: to steal (monetary gain, data, sensitive information), or to disrupt business (service disruptions, DDoS attacks, or reputational harm).

Threat actors use different methods to gain access to systems. In around 90% of successful cyberattacks, the threat actors gained access through an individual user; in most cases, the individual let the threat actor in unintentionally. The most common method is phishing email. A phishing email is sent in the hope that the recipient clicks a link or attachment that redirects them to a malicious website. The website is often set up to imitate a popular website, such as a common login page, and if the individual enters their credentials into the page, that information is transmitted straight to the threat actor.

If an email appeared in your mailbox indicating that you needed to log into your Microsoft account and approve payment within the next 24 hours or your account would be suspended, you would be inclined to act on that email as soon as possible, right? Threat actors instill that sense of urgency so that recipients are less likely to take their time and scrutinize the email before clicking the link, which increases the threat actors' chances of success.

This is just ONE example. Threat actors use many different methods to try to gain access to your accounts. Filters and security measures can only go so far in protecting your accounts. You are the last line of defense. Just one mistake can compromise your account and its contents.

What can I do to protect myself and my company?

QPC always recommends cybersecurity awareness training with phishing testing/training, dark web monitoring and training, and a company policy distribution and attestation system.

Every single organization’s cybersecurity insurance policy requires cybersecurity awareness training. It is not legally defensible for an organization to have no cyber awareness system in place, nor is it legally defensible for them to have a system that is functioning only in a theatrical way. This means that the system must be good, and ongoing, meaningful weekly participation by all staff must be enforced at the HR management level.

The only thing that meaningfully alters staff behavior is when there is a company policy advocated and enforced by personnel managers. The only effective cybersecurity awareness training platform is one which has a consistent method of weekly participation. It does not have to be long, drawn-out, and tedious; just 5 minutes a week of training can make a world of difference.

Each time a client has a credential compromise or incident of some type, we perform a root cause analysis investigation. Frequently, an issue could have been completely avoided by staff being properly trained. Companies that fail to mandate weekly training by all staff and hold staff accountable for outcomes of effective, provable participation will have incidents.

What if I still have questions?

For more information on the cybersecurity training QPC provides, contact us today at 262‑553‑6510 or visit qpcsecurity.com.