From ransomware incursions to a smartphone QR-code scam known as quishing, the corporate world faces daily cyber threats, and the success of most attacks can be traced to employees who have never been taught how to recognize and thwart common attacks, according to a panel of cybersecurity experts.
Cybersecurity attacks often prevail due to “a failure of imagination, when you sit back and think ‘that’s never going to happen’ and then it does,” said Renee Wynn, former chief information officer for the National Aeronautics and Space Administration.
“The first part is educating people,” she said. “Cyber is a human issue, not a technical issue. It’s humans trying to steal your data. It begins with someone deciding they want to steal.”
How best to address cybersecurity risk was the subject of a webinar on best practices for managing the biggest cyber threats, sponsored by the Travelers Institute. The presentation on Wednesday was timed to October's designation as Cybersecurity Awareness Month, an annual observance promoted since 2003 by the U.S. Cybersecurity and Infrastructure Security Agency.
Phishing remains the “No. 1 attack vector” for cyber criminals, said Tony Collings, the CISA regional coordinator for Illinois. “It’s just easy, and it still works — it’s very effective,” he said. Phishing involves a threat actor sending emails designed to look authentic, hoping the recipient will share data.
Phishing attacks also follow seasonal patterns, with holidays coinciding with a rise in attacker activity. The November U.S. presidential election has also given criminals an opportunity to phish, Collings said.
Ransomware attacks also remain exceedingly popular, although attackers have begun to pivot toward smaller targets that they believe carry insurance coverage for such attacks, so that the coverage can be leveraged for a payout, Collings said.
“They’re targeting vulnerabilities, and if they happen upon a small company they’re perfectly happy to take money from the small company as they are with a mid-sized or larger organization,” said Tim Francis, a Travelers vice president who works as enterprise cyber lead.
CISA has coined terms for several variations on the phishing technique:
- Vishing: phone calls or voicemails that purport to be from legitimate businesses or organizations seeking personal data.
- Quishing: a QR code that directs whoever scans it to a malicious website seeking personal data.
- Smishing: mobile phone texts that try to lure the recipient into downloading malware or entering personal data at a website.
- Spear phishing: a phishing attack customized for a specific organization or person, using details the criminal has gleaned about the target to make the message appear more authentic.
Most of these efforts succeed when people are busy or rushed and not inclined to examine a suspicious message carefully, Collings said. The best way to stymie such an attack is to set the email or other communication aside for the moment rather than acting on it immediately.
“Go back to them and act on them when you have time to think,” he said. “Don’t be reactive. That is the key for them — they can get you emotionally invested or [impose] an urgency to the whole thing and boom, away we go.”
The panel offered five best practices for companies to improve their cybersecurity preparedness:
- Multi-factor authentication (MFA). While banks and other financial institutions have made strides in promoting this security measure, many other organizations have not. More than half (52%) of small businesses reported not using MFA, according to survey data Travelers presented.
- Update systems. Keeping software current, with security patches and other updates applied, is critical for IT health. Legacy hardware systems should also undergo periodic reviews for security vulnerabilities.
- Endpoint detection and response (EDR). A technical approach that continuously monitors a network and the devices connected to it for cyber threats and incursions.
- Incident response plan. Companies should be prepared for an attack and have a relatively comprehensive, written plan for how they would respond. The plan must include not just IT professionals but also the legal team and communications executives prepared to speak to the public. “When you have an incident, people kind of lose it and everybody’s trying to figure out what to go on,” Collings said.
- Data redundancy. Regular data backups are critical to helping an organization continue to function if it is attacked.