Strengthen Your Human Firewall: How Cybersecurity Training Protects Your Organisation

Why Cyber Security matters

October is Cyber security Awareness Month, making it an ideal time to take stock of staff awareness of cyber security essentials. Why is this important?

In 2024, Australians reported over 601,000 scams, resulting in $2.7 billion in losses, according to the latest ACCC Targeting Scams report.

Successful attacks cost organisations time and money. Losses can include fraudulent diversion of funds, costs of investigation and remediation, management time spent addressing data breaches and communicating with stakeholders and customers, lost productivity, and damage to reputation.

Phishing remains the most prevalent kind of attack. The Zscaler ThreatLabz 2024 Phishing Report observed a 58% year-on-year increase in global phishing attacks for 2023, and the international Anti-Phishing Working Group declared 2023 “the worst year for phishing on record.” While most phishing attacks still originate from the US, UK, Russia and Europe, ThreatLabz noted a nearly five-fold increase in attacks originating within Australia.

 

Phishing: The Biggest Threat and the importance of staff training

Phishing targets individuals via email, text messages, phone calls and other communication channels. A phishing attack aims to trick the recipient into falling for the attacker’s desired action, such as revealing financial information, login credentials, or other sensitive information. As a popular form of social engineering, phishing involves psychological manipulation and deception. Threat actors masquerade as reputable entities to mislead users into performing specific actions. These actions often involve clicking links to fake websites, downloading and installing malicious files, or divulging private information like bank account numbers or credit card information. This can escalate into Business Email Compromise, where an attacker manipulates legitimate invoices by replacing banking details, attempting to divert payments to a bank account they control.

While Infoxchange is implementing additional technical protections within your organisation – see the summary below – these aren’t enough. The human element is a key factor in almost all cyber security breaches, and your and your staff’s preparedness is critical. Cyber security awareness training not only protects your organisation’s resources and reputation but also strengthens your and your colleagues’ resilience, enabling better protection against scams and losses. Anything you do to strengthen your “human firewall” reduces the risk of loss and data breach.

 

What can you do to reduce your risk of being phished?

Everyone, including you and your organisation should undertake cyber security essentials training, repeating it at least annually. This reduces susceptibility to phishing and social engineering attacks by 20 to 25% so is a worthwhile investment in risk reduction. Recent research shows managers are roughly twice as susceptible to phishing attacks as frontline staff, so every one of us needs to do this. We offer free online self-paced cyber security essentials training to all non-profit sector workers. Sign up for free cyber security training now.

An ongoing monthly program of cyber security training and phishing testing is even more effective, reducing susceptibility by 75 to 80%. We offer the uSecure ongoing cyber security training and testing service. Ask us for more information if your organisation needs to measure, minimise or report on your “human firewall” risk with minimal implementation effort.

Avoid delays in cyber security essentials training, if your organisation hasn’t yet implemented it.  You can also share these tips with your staff:

1. Be skeptical of urgent or unexpected requests. Don’t open attachments you didn’t specifically ask for. If you do open them and are asked for your password, stop – get a second opinion before you do anything.
2. Don’t trust, verify – check the From: address carefully to make sure it’s legitimate, and phone the claimed sender using contact details you already have to check if they sent it. If they confirm it’s legitimate, no harm is done; if not, they should raise it with their IT Helpdesk as they may well have been breached, and you should report the email as phishing…
3. If you believe a message is a phish, hit the “Report message” button and choose Phishing. This accelerates the identification of zero-hour phishing attacks by Microsoft Defender for Office (“MDO”).
4. Don’t rush to act on unexpected or strange requests, especially if they’re trying to convey a sense of urgency. While Microsoft Defender for Office prevents around 96% of phishing emails from ever reaching the Inbox, some “zero-hour” threats make it through. However, once they’re identified as threats, often within an hour or so, Defender auto-purges them from all mailboxes across Microsoft 365. So if you delay acting on a suspicious email for an hour or so, Defender may well auto-purge it before you come back to it, if it has been confirmed as phishing.

 

What is Infoxchange doing to help protect your organisation?

We believe a “defence in depth” strategy is essential to protect your organisation against cyber security threats and as your Managed IT Services provider, we lead on implementing technical controls that complement your staff cyber security training.

We implemented MFA for access to Microsoft 365. In the changeover to Connectwise Remote Management & Monitoring, we implemented rapid patching of vulnerabilities across the workstation fleet we manage, to minimise the time windows within which they can be exploited.

We implemented Microsoft Defender for Office advanced mail filtering to not only defend against 96% of email threats before delivery but also purge and disable those discovered after delivery.

We implemented geo-blocking to defend against offshore attacks. While Australian-based attacks have been a relatively minor proportion of global attacks in the past, they grew nearly five-fold last year and we expect that growth to continue so that this strategy will decline in effectiveness year on year.

We are further hardening Microsoft 365 configurations (this is work in progress).

We are replacing Bitdefender with Microsoft Defender for Endpoint for market-leading endpoint protection (work in progress).

We plan subsequently to implement Office Macro controls and Application Controls to round out the Essential Eight Level 1 protections against common exploits.

 

What are your next steps?

Security is everyone’s responsibility.

1. Your organisation must prioritise staff training. If you don’t yet have a cyber security training program for staff and volunteers, ask us about uSecure. Or else implement our free online self-paced cyber security essentials training in your organisation – don’t forget to include it in staff induction and repeat it at least annually.
2. Explore our October cyber security webinar offerings, designed to help NFP Managers navigate the ever-changing cyber security landscape.
3. Ask your Customer Engagement Manager about a cyber security assessment to identify any gaps in your cyber security and develop an actionable improvement plan.