You might not think you need to educate end users about cyberattacks, compliance issues, and other risks they face online. You might think your business is too small to be a target for cyberattacks, or that your employees already know better than to click on a link in a phishing message. But every business is a target.
Cybercriminals take advantage of unwitting user error because it’s one of the easiest ways to infiltrate a business network. In fact, 93% of successful cyberattacks start with phishing, according to the 2018 Verizon Data Breach Investigations Report. Criminals will even use personal information people have shared on social networks and other locations online to gain their trust. When end users unwittingly click phishing links, open malware attachments, or give up credentials and other sensitive information online, cybercriminals can bypass existing layers of security to successfully breach organizations' networks.
Real-World Scenarios
We’ve removed the businesses’ names to protect their reputations, but here are some actual, real-world scenarios where a little bit of security awareness would’ve gone a long way.
- Company details: Privately held women’s apparel co.
$4 – 5 million annual revenue, 20 – 25 employees
An administrative assistant received an email from the CEO, who was on vacation at the time. The email had instructions to wire $500,000 to a vendor, and included the account details. The assistant immediately contacted the finance team, who made the transfer at once.
The email was not from the CEO, and neither the assistant nor the finance team verified any of the information before making the transfer. When the CEO returned, they contacted the FBI at once, but the funds were never recovered. Loss: $500,000
- Company details: 40+ year-old neurology clinic
$75 million annual revenue, 40 – 45 employees
While investigating a ransomware attack, the clinic’s IT team discovered a separate data breach, in which an attacker had access to patient records—including names, Social Security numbers, driver’s license, addresses, phone numbers, medical data, prescriptions, and insurance data—for 15 months. Up to 400K patient records may have been compromised. According to the Ponemon Institute, the average healthcare data breach cost $380 per record in 2017. Let’s do the math. Loss: Up to $152 Million
- Company details: Food distributor
$20 million annual revenue, 20 – 25 employees
The company got an invoice email that looked to be from a trusted vendor. While it contained new wire transfer details, the email looked legitimate. It also arrived around the same time the vendor usually sent invoices, and was for an expected amount, indicating the thieves had been watching the company’s dealings for some time. The company didn’t discover the problem until the real vendor got in touch to ask why the payment was late. By then, nothing could be done. Loss: $23,500
If the end users at the companies above were better trained at spotting fake emails, they would have saved a lot of time, headache, and money. Now think about the other bad habits most people have online. Reusing passwords and storing confidential data improperly are other common examples.
With ongoing, relevant, engaging cybersecurity awareness training (such as phishing simulations, courses on IT and security best practices, and data protection and compliance training where relevant), businesses can significantly reduce the risks they face due to user error.
See how Webroot® Security Awareness Training helps businesses ensure that people, processes, and technology are all harnessed effectively to stop cybercriminals.