There is a cyber attack every 10 minutes in Australia, with 43 per cent of these attacks targeting small businesses like real estate agencies. But some of your colleagues are far more likely than others to fall victim to these dirty tricks. Let’s look at the research to see who on your team is most likely to fall for a hack.
The stakes are high because the average cost of a cyber attack to a real estate agency is $40,000. And that doesn’t include the cost of the damage to your reputation and of responding to compliance and regulation.
Undergoing cyber awareness training can reduce your team’s risk of being tricked down to nearly zero. This is because our research shows that 85 per cent of cyber attacks that succeed do so because of actions taken by employees.
Small businesses are seeing a return on investment of 69 per cent when taking cyber awareness training. When employees are knowledgeable about the threats they may encounter or vulnerabilities they may have accidentally exposed, they develop the skills needed to be the first line of defence. They become what you might call a human firewall.
After cyber awareness training, the number of security incidents due to user error significantly decreases. And fewer incidents mean less time spent dealing with malware, ransomware, stolen credentials, stolen funds, locked-down computers, and other cyber security fails.
CEOs are the biggest risk
You might be surprised that securekonnect.com research has found an organisation’s senior leaders are often the most vulnerable. That’s right, CEOs and board members are often the route that hackers use to get access to a company’s system, money, and data.
Partly, that is because such top executives are an attractive target for hackers. It is also because an organisation’s leaders are much more likely than other employees to have the company’s most valuable information on their laptop, in their email, and in their cloud account.
While CEOs and board members are the most vulnerable, they are not generally the most careful about preventing cyber attacks.
In one instance, securekonnect.com trainers found the company CEO had the weakest password of anyone in the entire organisation. It was his pet lizard’s name and his own date of birth.
Let this be a lesson to you: never use your pet lizard’s name as your password.
During penetration testing, we were able to find this CEO’s password, some of his financial details, and records of his online activity on the dark web. Hackers can get their hands on all this valuable information in mere seconds.
Hackers are very aware of how much data real estate agents collect. They are also efficient in that they tend to opt for the low-hanging fruit first. Companies that take security measures will be deemed too hard, so hackers will seek out easier prey.
Admin staff are often targeted
Besides the CEO, other common targets are the most junior people on the team and admin assistants who have responsibility for collecting and storing data. They often prove an all too easy target.
One hacker strategy is to monitor new starters at an agency because they are still learning their employer’s policies and security procedures. They often have to learn new passwords and login credentials, and will very commonly store this information where a hacker can easily find it, such as in a Google Doc or email.
Almost half of small businesses have been phished
Forty-five per cent of Australian small businesses have been victims of phishing. Phishing involves sending emails and texts that appear to be legitimate messages. They entice you to click on a link or tee you up for the next message.
Phishers usually try to appear to be one of your contacts, a bank, or a customer. A common phishing technique in 2023 is to send a message that appears to come from a colleague’s or relative’s mobile number asking for money.
Once you click on a link, it can automatically install software on your device, allowing the criminal access to all your files. Extortion and ransom often follow.
The level of sophistication is now so high that it is only a matter of time before unwary victims fall for one of these attacks.
Even experienced cyber security professionals can be tricked. I know a long-time cyber security professional who fell for a phishing email just last week. Luckily, he keeps his data encrypted, so the phisher got nothing. But very few people are protected in this way.
What to look for in training
Prevention and preparation are both key.
Even though the CEO may be the most targeted, no company can consider itself protected unless the whole team has been through good cyber awareness training.
The best training is bespoke and in-person — or at least live. The threat environment is constantly changing, so many companies look for a trusted partner to deliver training every six months.
Such training can take as little as one hour and ideally consists of an interactive session with an expert and your team. It’s more fun and interesting than it might sound.
You will learn what to avoid and will get to role play in an interactive incident response exercise. For a relatively small spend, companies significantly reduce the risk of a much larger hack or ransom and its reputational consequences.
Dr Edward Phelps is the director of consulting services at Secure Konnect.