Email-based cyberattacks are on the rise and heat up before the Christmas retail peak period. No industry is immune; approximately 185,000 Irish workers have fallen victim to a phishing scam. These attacks are often the result of staff members’ risky online behaviour combined with a lack of investment in cybersecurity policies, training and awareness.
Common email cyber-attacks
Phishing attacks impact retailers, at 41%, far more than other industries. During the Christmas retail peak period, people may be distracted thinking about Christmas or expecting parcels to arrive.
Hackers exploit retailers’ peak period and staff’s lack of cybercrime understanding, training and awareness, and will use sophisticated phishing methods, such as:
- Sending a scam email purporting to come from the CEO to a member of staff, asking them to make an urgent invoice payment. The Gardaí saw a “noticeable increase” in scams requesting that a business change a supplier’s bank account details to bank accounts controlled by criminals.
- Targeting HR to redirect an employee’s pay to a new bank account.
- Requesting an employee’s login credentials to access their payroll account details and bank account information.
Phishing attacks that result in access to and compromise of customer personal data carry some of the most significant cyber risks and consequences for an organisation, which include: loss of customer trust, damage to the retailer’s reputation and hefty GDPR fines from the Data Protection Commission. Customers are also likely to take their business elsewhere if they are subjected to a personal data breach.
Lack of investment
Staff are often not clear on how their risky online behaviour could result in a compromise of customer, staff or company information because:
- Policies: No company cyber policy exists or has been published. Where a cyber policy does exist, it is overly technical, out of date and difficult for staff to understand;
- Training and awareness: Staff have not been trained or tested on their understanding of the cyber policy and procedures, or of external cyber threats and risks. Also, many retailers rely on temporary staff during the festivities, who have limited cyber awareness, significantly elevating the risk; and
- Culture: Senior leaders do not walk the cyber talk.
These days technology is less likely to be an organisation’s main cyber vulnerability; it is the human factor that poses the most significant risk. Investing in educating people and making them cyber aware needs to be a priority for all retailers, regardless of size.
How to establish cyberculture
Delivering continuous cyber education to help individuals understand the risks and consequences of their behaviours is key to ensuring cybersecurity becomes part of a retailer’s corporate culture. Here are some tips to get started:
- Get senior management buy-in to set up a cyberculture, training and awareness programme
- Start by communicating how staff can protect themselves and their family members on a personal level (tap into the ‘what’s in it for me’)
- Establish cross-functional cyber champions (movers, shakers and influencers)
- Develop a fun, creative and engaging cyber policy with the business (use graphics to tell the story)
- Deliver role-based cyber training that lets staff work through interactive modules to reinforce policy and procedure learnings
- Tailor simulated phishing emails to the organisation, based on the real phishing threats it faces. Select staff to test and provide immediate teachable moments to reinforce expected behaviours.
- Sequence cyber awareness activities based on risk and theme, such as: town hall events, lunch and learns, poster campaigns, quizzes, videos, and visible senior leadership engagement
Cyber threats are dynamic and continuously changing. Before your organisation falls victim to the next email-based headline cyberattack, remind staff to ‘stop and think’ before opening links and attachments during the festivities, and invest wisely in a cyberculture, training and awareness programme.
For more information contact Sarah at email@example.com
This article first appeared in the December 2019 edition of ShelfLife magazine.