Be Aware or Be Sorry!
Does everyone have to take Information Systems Security Awareness training? I zoned out through all these videos for the IT people. What does all this IT stuff have to do with me? Isn’t the purpose of the IT people to take care of the IT stuff so I don’t have to? The hackers will try to get into my organization’s main machines that have the real important information. They’re not trying to get into my individual laptop!
I’m glad I watched the Information Systems Security Awareness training videos for my job today because it reminded me that my organization depends on every person to be aware of cybersecurity threats and not become a victim of them.
My entire organization can be affected by one person clicking on a link from an email. An article I read said 94% of malware is delivered by email and 95% of cybersecurity breaches are caused by human error (https://www.varonis.com/blog/cybersecurity-statistics/). This is because hackers create and send phishing emails to look like legitimate emails to trick people into clicking a link or opening an attachment.
To continue on my rant from yesterday, I just thought of another point. The hackers are trying to get peoples’ bank information to steal their money. I work in healthcare, so why would hackers care about some blood pressure and cholesterol numbers?
Yesterday’s training videos were especially important to me as someone who works in healthcare. In doing some research, I discovered that more than 90% of healthcare organizations suffered at least one cybersecurity breach in the previous three years (https://www.fortinet.com/resources/cyberglossary/cybersecurity-statistics).
One type of malware that is really scary is ransomware, which encrypts your computer’s files and demands a ransom to be paid to decrypt the files. Healthcare has more ransomware attacks than any other industry (https://purplesec.us/resources/cyber-security-statistics/).
Coincidentally just after my post about the IT department the other day, IT sent an email today about performing upgrades. Exactly my point! Why do I have to take that training when all I have to do is click on the link they emailed? It’s so simple! And I promptly clicked the link and installed something called Mamba DiskCryptor. Sure does sound secure! Glad the IT department is on top of these things.
Be aware of phishing emails! I just got one today. Hackers create phishing emails that appear to be legitimate to trick recipients into clicking a link or opening an attachment. The message stated:
Haha, nice try but my training taught me to recognize the warning signs that this is a phishing email and to forward it to Incident@ihs.gov.
It’s urgently asking me to click on a link. Phishing emails often create a sense of urgency to make you click before taking time to thoroughly read, think or ask other people about it.
If it weren’t for my training, I wouldn’t have looked carefully to notice that the sender’s email address did not end with “@ihs.gov.”
This same phishing email was probably sent to many people because it started with just “Good afternoon” and didn’t address my name.
Phishing emails sometimes have spelling/grammar errors or poorly written sentences. This message didn’t have spelling errors, but it was one long, poorly written sentence with unnecessary commas. A legitimate email would definitely have been written better.
However, an email without these warning signs may still be a phishing email.
One other thing you can do to spot a phish is hover your mouse over the link to display the URL it will direct you to. But if you do this, be very careful not to accidentally click on the link.
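The warning signs listed above (sender address outside the organization’s domain, a link whose real destination differs from what it appears to be, a generic greeting, and urgent wording) can be turned into a simple checker. The following is an added example written for this post, not code from the blog, the training, or any IHS system; the trusted domain `ihs.gov` is taken from the post, the two raw messages are constructed for illustration, and the indicator names, the urgency word list and the single-part HTML body layout are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organization's own mail domain, as mentioned in the post.
TRUSTED_DOMAIN = "ihs.gov"
# Assumed: phrases that signal the "act now" pressure the post describes.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be suspended")
# Assumed: greetings that do not address the recipient by name.
GENERIC_GREETINGS = ("good afternoon", "good morning", "dear customer", "dear user", "hello,")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs, i.e. what the reader sees vs. where the link really goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host, trusted):
    """True for the trusted domain itself or any of its subdomains (not look-alikes such as ihs-gov.example)."""
    return host == trusted or host.endswith("." + trusted)


def phishing_indicators(raw_message, trusted_domain=TRUSTED_DOMAIN):
    """Return the list of warning signs found in a raw RFC 822 message (empty list = none found).

    Assumes a single-part text/html body, which is all the constructed samples below use.
    """
    msg = message_from_string(raw_message)
    indicators = []

    # 1. Does the sender's address really end with the organization's domain?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not _is_trusted(sender_domain, trusted_domain):
        indicators.append(f"sender domain '{sender_domain}' is not {trusted_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", errors="replace")
    text = re.sub(r"<[^>]+>", " ", body).lower()

    # 2. Generic greeting: the same message was probably sent to many people.
    first_line = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_GREETINGS):
        indicators.append("generic greeting instead of the recipient's name")

    # 3. Urgent call to action.
    if any(word in text for word in URGENCY_WORDS):
        indicators.append("urgent call to action")

    # 4. Where each link really goes (what "hovering" would reveal), without following it.
    collector = _LinkCollector()
    collector.feed(body)
    for visible, href in collector.links:
        host = _host(href)
        if not _is_trusted(host, trusted_domain):
            indicators.append(f"link goes to untrusted host '{host}'")
            if trusted_domain in visible.lower():
                indicators.append("link text mentions the trusted domain but points elsewhere")
    return indicators


# Constructed sample: a look-alike sender domain, a generic greeting, urgency and an off-domain link.
SAMPLE_PHISH = """\
From: IT Support <helpdesk@ihs-gov-support.example>
To: staff@ihs.gov
Subject: Action required: security upgrade
Content-Type: text/html; charset=utf-8

<p>Good afternoon,</p>
<p>You must <a href="http://updates.ihs-gov-support.example/upgrade">click here</a> immediately
to install the security upgrade, or your account will be suspended.</p>
"""

# Constructed sample: internal sender, personal greeting, no pressure, link stays on the trusted domain.
SAMPLE_LEGIT = """\
From: IT Operations <it-ops@ihs.gov>
To: alicia@ihs.gov
Subject: October patch notes
Content-Type: text/html; charset=utf-8

<p>Hi Alicia,</p>
<p>This month's patch notes are on the <a href="https://intranet.ihs.gov/patches">intranet</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no warning signs found"])
```

As the post itself notes, a message that trips none of these checks can still be a phish; the checker is a reading aid for the signs the training describes, not a verdict, and a legitimate internal notice that happens to use urgent wording will be flagged too.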
So yesterday, the IT people sent that email about a new vulnerability. It looks like somebody didn’t upgrade their computer’s security because malware entered my organization and spread to my computer! The IT people had to take my laptop and analyze it. It was so weird that after installing Mamba DiskCryptor, my computer restarted but I couldn’t log in. Somebody is to blame for this, and it’s not me because I immediately clicked the link in the email like it said to!
The IT department sent an email about malware that entered our organization! Just like the training videos said, it was all due to one person clicking a link. I bet it was from that phishing email I wrote about yesterday.
I had to take the Information Systems Security Awareness training again. This time instead of zoning out, I learned a few things. One is that malware often enters organizations through emails to people, so the security of the organization depends on each individual person to be aware of phishing emails. Infecting an entire organization only takes one person clicking a link. (Ok, I did it.) The training also showed me practical ways to spot phishing emails. When I got home, I browsed and found a blog post breaking down the exact phishing email that tricked me! You can check it out here: Alicia’s Advice blog post 10/24/2021.
My friend just showed me the scariest Halloween costume I’ve ever seen; it was ransomware! Be safe online and in person, and have a Happy Halloween!