Companies are underestimating the risk of failing to provide security training to non-technical staff.
A new Intel Security study, which surveyed IT decision makers in European-based companies, found that within UK companies, sales staff are the most exposed to online attacks. This is thanks to their frequent online contact with non-staff members.
Incidentally, they were closely followed by the call center and customer services teams – making both departments more at risk from a cyber-attack than the company CTO. However, 51% of UK companies fail to provide sales staff with IT security training.
With the number of suspect URLs soaring 87% between 2013 and 2014, the risk of untrained staff clicking on dangerous links and unwittingly unleashing a browser attack on their organization is also on the rise.
Staff including receptionists and customer service teams – who are also frequently exposed to online contact with the general public – are also missing crucial security training. 52% of UK organizations fail to train their customer service team, while 60% do not train their receptionists and front-of-house staff.
Most worryingly, more than 1 in 10 UK companies fail to provide mandatory online security training to any of their staff, which is the highest example of this across Europe.
The principal methods of network attacks that are threatening businesses today are browser attacks (which target unsuspecting staff members with dangerous links), network abuse, stealthy attacks, evasive technologies and SSL attacks (which hide in a company’s encrypted traffic).
Advanced stealth attacks, which disguise themselves to sneak into company networks, are on the rise – with Intel Security uncovering 387 new threats every minute. Against this rapid rate of threat development from hackers, the report found that organizations assess their security strategy on average every eight months, which rises to every nine months in the UK. Meanwhile, around 30% of organizations review their security strategy once a year or less frequently.
Despite this, 75% of UK IT professionals believe their organization’s security strategy always considers the latest threats. However, the research shows that 73% admit their organization’s overall security posture would benefit from a security strategy that takes into consideration solutions that proactively work together and inform each other of their findings – an important and connected strategy for battling advanced stealth attacks.
DDoS attacks, which are often deployed by hacktivists or criminals in order to distract a company while they sneak in the back door and steal data, are also identified as a significant threat. According to the report, network abuse, including DDoS attacks, is the most prevalent form of network attack, accounting for 45% of all network attacks.
However, just 19% of UK IT professionals questioned believe DDoS attacks pose the biggest threat to their company network. Designed to enforce a network outage, DDoS attacks often come with a demand for a ransom. However, just 17% believe ransomware poses any real threat to their company network, while a mere 2% believe it is the biggest threat to their company’s security.
Ashish Patel, regional director of network security UK&I Intel Security commented: “With new threats being developed every minute of every day, IT teams within organisations need to rethink their approach to network security. Relying on broad brush security strategies that aren’t updated in line with the newest threats will leave companies increasingly vulnerable to the growing capabilities of cyber criminals.
“It’s crucial that IT professionals take time to gain a real understanding of how the network attack landscape is evolving and which threats their company must prioritise defeating. Our research shows there is a real disconnect between the evolving network abuse and IT teams’ comprehension of the threat these methods pose to their organization.”
“With suspect URLs in particular on the rise, companies cannot afford to overlook non-technical staff when it comes to security training – as these employees are often the most susceptible to online threats. Meanwhile the significant growth of network attacks relying on methods such as DDoS, ransomware, SSL attacks and advanced stealth techniques should urge IT departments and security professionals to assess their security strategies in line with these rising threats. Beyond simply deploying new security technology, IT professionals should assess how their existing systems communicate with each other to better secure their entire network.”