Canadian Underwriter

These behaviours raise your client’s cyber risk


June 28, 2019   by Greg Meckbach



Do your clients know how often their workers click on links they receive in emails that should have been flagged as suspicious?

“I wouldn’t find it unreasonable for an insurer to ask questions about phishing click-through rates,” Srinath Sampath, senior director and analyst with Stamford, Conn.-based IT research firm Gartner Inc., told Canadian Underwriter.

This is because clicking on an obviously suspicious email is a “classic example” of bad employee behaviour when it comes to cyber risk, said Sampath. The rate at which users click on links received in emails can be a measure of whether something is not right.

Many workers fall for phishing emails because they look legitimate, the University of Alberta reports. The university’s office of the chief information security officer advises users to:

  • not open attachments they were not expecting;
  • hover one’s mouse over a link to see where it leads;
  • not open an email if it looks “even remotely suspicious.”

One of the most popular cyber attack methods is to email unsuspecting workers links to sites that actually lead to phishing attacks or malware, Sampath suggested.

Other examples of bad cyber hygiene include passwords that are easy for someone else to guess. “The name of your cat, your birth date, or the word ‘password’ are all popular and bad choices,” said Sampath, who spoke in Toronto in June at the Gartner IT Symposium/Xpo.

There are several root causes of risky computer use by employees, Sampath wrote in an email to Canadian Underwriter after the symposium. They include:

  • lack of awareness;
  • lack of understanding about how security affects ordinary workflows and objectives;
  • competing priorities.

“Annual training is not going to solve everything,” Sampath said in her email. “We need a coherent strategy that includes training and awareness, but also other culture-change initiatives to fix the underlying issues.”

Understanding why your client’s workers behave the way they do is a large part of defining “corporate culture,” which Sampath explains as shared beliefs, assumptions, and values of a group of employees. This includes shared attitudes, shared perceptions, and what the workers see, hear, and feel around them with respect to cybersecurity.

“This includes both implicit and explicit messages being transmitted by senior leadership, managers, and their peers,” said Sampath.

Corporate culture includes rewards and consequences for good or bad cyber hygiene.

What are some indicators of cyber fraud?

Odd sender email addresses, for one. When it comes to incoming e-mail, users should never trust the display name. Instead they should always check the sender’s actual e-mail address, the University of Alberta advises.

An excessive number of spelling and grammar errors could also indicate a phishing attack.

Another indicator is a sense of urgency. It could be a subject line that reads “your account has been suspended” or “unauthorized login attempt,” the University of Alberta says.

“If in doubt, call the organization to verify if they sent the email.”