e-Learning Blog

Blog

2021.02.23

Original Teaching Materials

How to Protect Yourself from Targeted Email Attacks? The Importance of Information Security Education


    In order for companies and organizations to conduct their business with peace of mind, information security measures are essential.
    Companies not only hold information about their own employees, but also various companies and individuals such as business partners and contractors. If this information is leaked illegally, the company will lose trust and undoubtedly suffer significant damage.
    It is a challenge that all companies should undertake to ensure information security by implementing virus protection software, establishing internal rules, and conducting information security education to prevent information leaks.



    1. Various Information Security Risks Surrounding Corporations

    The starting point for information security measures is to understand what "risks" exist. For a business, the risk considered here is the leakage of confidential information.
    A risk is made up of "threats" and "vulnerabilities". Threats are the factors that give rise to a risk; they include human threats and environmental threats such as disasters.

    <Threat Examples>

    Human threats (intentional): viruses, theft, eavesdropping, unauthorized access, information tampering, etc.
    Human threats (accidental): careless mistakes such as losing recording media or documents, sending to the wrong recipient, and leaking information in conversation.
    Environmental threats: fire, earthquake, lightning strike, flood, etc.

    A vulnerability is a weakness that a threat can exploit. It refers to security holes such as insufficient virus protection, software bugs, and unlocked buildings.
    The more vulnerabilities there are, the more likely malicious attackers are to target them and steal confidential information.


    2. Increasing Damage from "Targeted Attacks"

    In the past, malicious cyber attacks were mostly indiscriminate, aimed at large numbers of unspecified people much like pranks. Recently, however, attacks aimed at specific organizations or individuals for financial gain have become more prevalent.
    Attacks that target a specific organization or individual in this way are called "targeted attacks".

    One of the most common types of targeted attacks is through email.
    For example, an attacker after Company A's confidential information may send a disguised email to an employee of Company A and infect that employee's PC with a virus. From the infected PC, the virus can spread across the internal network, stealing confidential information or damaging systems.
    These attacks often continue over a long period, and it is not uncommon for information to be stolen without the victim ever noticing.


    According to the "Top 10 Information Security Threats" released annually by the Information-technology Promotion Agency (IPA), targeted attacks have consistently ranked first in the "Organizational Threats" category for the past 5 years since 2016. Prior to 2015, there was no distinction between "Organizational" and "Individual" threats, so since the start of researching organizational threats, targeted attacks have remained in the top spot. This shows just how damaging these attacks can be.

    Rank   Threat to organizations                                              Last year's rank
    1st    Theft of confidential information by targeted attacks                1st
    2nd    Information leakage due to internal misconduct                       5th
    3rd    Financial damage caused by business email fraud                      2nd
    4th    Exploitation of weaknesses in the supply chain                       4th
    5th    Damage caused by ransomware                                          3rd
    6th    Business interruption due to unexpected IT infrastructure failure    16th
    7th    Information leakage due to carelessness (non-compliance with rules)  10th
    8th    Theft of personal information from internet services                 7th
    9th    Unauthorized use of IoT devices                                      8th
    10th   Service disruption caused by denial-of-service attacks               6th

    Source: https://www.ipa.go.jp/security/vuln/10threats2020.html

    In November 2020, a major Japanese game company suffered a targeted attack that resulted in the leakage of personal information and a demand for ransom. The company appears to have been infected with ransomware (an attack in which a ransom is demanded, in this case in exchange for the stolen data), with up to 350,000 records of personal information potentially leaked.


    3. Targeted attacks are becoming more sophisticated! "Only large companies are targeted" is a misconception

    The tactics used in targeted attacks are extremely sophisticated. Attackers research the target company carefully and launch the attack only after considering questions such as "what kind of subject line would make employees most likely to open the email." They may also investigate employees' social media accounts and even internal relationships.
    The sender and attachments of the email are also disguised so that they are hard to spot at a glance.

    Targeted attacks are often assumed to hit only large corporations and to be irrelevant to oneself, but this is a misconception. Regardless of company size, department, or position, anyone can be a target.

    For example, attackers targeting Company A will set traps for anyone even remotely connected to it, such as its subcontractor Company B, second-tier subcontractor Company C, business partner Company D, and server management provider Company E. If even one person is infected with a virus, the infection can spread and eventually reach Company A's confidential information.


    4. Targeted email attacks cannot be blocked by security software!

    An obvious spam or nuisance email, such as one written only in English, can be blocked by anti-spam software. Some companies also block suspicious emails before they reach individual mailboxes.
    What makes targeted attack emails frightening, however, is that both their subject and their content are disguised as "ordinary business emails". No software classifies an email titled "Quotation request" or "Meeting minutes attached" as spam on that basis alone. As a result, emails carrying virus-infected attachments reach individual mailboxes.

    If an email cannot be rejected automatically, the only option left is for a person to judge whether it is genuine or fake.

    ・Is the sender's email address correct? Is it a free email address?
    ・Is there anything odd in the body of the email?
    ・Is the attached file disguised as something it is not?

    Each employee needs to develop the ability to notice slight differences from regular business emails.
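    The checklist above, turned into a defender-side screening script. This is an added example and not part of the original post; the free-mail domain list, the partner-domain list, the extension lists and the sample message are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.co.jp", "outlook.com", "hotmail.com"}
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "lnk", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}

def check_sender(from_header, known_partner_domains):
    """Checklist item 1: real address is a known partner, not free mail, and the display name agrees with it."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses a free email domain: {domain}")
    elif domain not in known_partner_domains:
        findings.append(f"sender domain is not a known partner domain: {domain}")
    shown = re.search(r"@([\w.-]+)", display_name)  # address shown inside the display name
    if shown and shown.group(1).lower() != domain:
        findings.append(f"display name claims @{shown.group(1)} but real address is @{domain}")
    return findings

def check_attachment(filename):
    """Checklist item 3: is an executable disguised as a document?"""
    parts = filename.lower().split(".")
    findings = []
    if parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {filename}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension mimics a .{parts[-2]} document")
    return findings

def screen_message(raw, known_partner_domains=("partner-a.example",)):
    """Run both checks over a raw message; returns a list of warning strings."""
    msg = message_from_string(raw)
    findings = check_sender(msg["From"], set(known_partner_domains))
    for part in msg.walk():
        if part.get_filename():
            findings += check_attachment(part.get_filename())
    return findings

# Constructed sample (not a real message): the display name shows a partner
# address while the real sender is free mail, and the attachment has a double extension.
SAMPLE = """From: "Tanaka (tanaka@partner-a.example)" <tanaka.partner@gmail.com>
Content-Type: application/octet-stream; name="quotation.pdf.exe"
Content-Disposition: attachment; filename="quotation.pdf.exe"

MZ
"""
```

    Running `screen_message(SAMPLE)` produces four warnings, one per checklist problem; a genuine partner email with a plain `.pdf` attachment produces none.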


    5. Cultivate individual security awareness without relying too much on systems and software.

    Introducing systems and software for information security, such as virus protection software, is necessary. However, information security measures do not end with "we are safe now that the software is installed." Attackers keep growing more sophisticated, and more and more attacks cannot be prevented by software alone.
    It is important to abandon the idea of being "always protected and safe", and for each employee to acquire correct knowledge of information security measures and to stay alert in daily work. Let's cultivate individual security awareness through information security education.


    6. e-learning materials that can be used for information security measures

    The e-Learning Manuscript Easy Arrangement Series "Basic Information Security Measures for Companies and 2020 Case Studies", provided by Human Science Co., Ltd., is a course that can be used for employee information security education as one such measure. It introduces three threats: "Targeted Attacks," "Attacks on Supply Chains," and "Ransomware."
    Since it is in PowerPoint format, you can freely edit it, for example by adding your company's own policies and case studies or a message from the president.

    In addition to the course on the three threats, there is also a "Basic Course for Information Security Measures in Corporations" for learning the fundamentals.
    If you are concerned about information security measures, please consider it!

    e-Learning Manuscript Easy Arrangement Series
    Fundamentals of Information Security Measures in Corporations: 2020 Case Studies
    Fundamentals of Information Security Measures in Corporations

    Author:

    Sayoko Shirochika

    Education Solutions Department Production Group
    Writer/Consultant
    Since joining the company, she has been consistently involved in e-learning production.
    In addition to overseeing entire projects as a director, she specializes in writing scenarios for e-learning.
    She currently draws on that production experience to also work as a consultant for instructional design, scenario writing, and e-learning.

    Contact Us:

    Phone Number: 03-5321-3111
    hsweb_inquiry@science.co.jp