The human aspects of cyber security

30 January 2020

Original content provided by BDO

The weakest component within an organisation – the people

  • The number of reported phishing emails keeps increasing significantly (almost 40% more than last year).
  • Because more phishing emails are reported, people become increasingly aware, and cybersecurity authorities are able to block more malicious websites.
  • Phishing remains the most popular technique for hackers because it targets the weakest component in the organisation – its people. But phishing is not limited to email; today hackers also use ‘messaging services’ – such as WhatsApp, Facebook, Messenger, SMS, … This is referred to as ‘smishing’ or ‘SMS phishing’.

How to identify a suspicious email/SMS?

  • A phishing mail or SMS is often received unexpectedly and without a clear reason.
  • A mail or SMS can be intimidating (urging you to take immediate action) or, on the contrary, can make you curious.

The “obvious” features you can look out for in phishing emails include:

  • Mistakes of spelling and grammar. Phishing emails often look unprofessional, unlike the genuine emails they are pretending to be.
  • Incorrect or vague greetings. Phishing emails often say “Dear Sir/Madam” or “Dear Customer” because the crooks don’t actually know who you are, something a genuine email sender would know.
  • Errors in regional usage. Phishing emails may use the wrong currency symbols, an unusual date format or an unexpected word that a genuine sender would get right.
  • Incorrect or unlikely web links. Phishing emails generally rely on getting you to click through to a web domain that’s different from the genuine site.
  • But not all phishers make all these mistakes, so if you rely heavily on the presence of obvious errors to spot a phish, you’re more likely to get caught out.

Other useful tips

  • Don’t enter passwords into login pages that show up after you click on a link in an email. Bookmark the official login pages of your favourite sites, or type the URLs into your browser from memory.
  • Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and handle attachments a lot in your job.
  • Don’t ignore browser warnings about insecure sites and data input forms. Unencrypted web pages are typically the sign either of a lazy crook or of a site operator who’s not up to speed on security.
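The two lists above (the “obvious” features and the tips about login links and unencrypted pages) can be turned into an automated first-pass check that a mail gateway or a security team could run. The following is an added example, not BDO’s own tooling; the sample email, the domains (all under the reserved `.invalid` TLD) and the `GENUINE_DOMAIN` value are constructed for illustration, and the “registrable domain” helper is a deliberately simple last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email of the kind the checklist describes.
# Note the vague greeting, the look-alike domain ("examp1e" with a digit one),
# the plain-http link and the visible URL that differs from the real href.
SAMPLE_EMAIL = {
    "from": "security@examp1e-bank.invalid",
    "body": """<p>Dear Customer,</p>
<p>Your account will be suspended. Click
<a href="http://login.examp1e-bank.invalid/verify">https://www.example-bank.invalid/login</a>
immediately.</p>""",
}
GENUINE_DOMAIN = "example-bank.invalid"   # assumed: the domain the mail claims to represent

VAGUE_GREETINGS = ("dear customer", "dear sir/madam", "dear user", "dear client")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximation: keep the last two DNS labels (assumed; no public-suffix list)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def phishing_indicators(email, genuine_domain):
    """Return a list of indicator strings; an empty list means no checklist item fired."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", email["body"]).lower()

    # "Incorrect or vague greetings"
    if any(greeting in text for greeting in VAGUE_GREETINGS):
        findings.append("vague greeting")

    for href, visible in extract_links(email["body"]):
        target = urlparse(href)
        # "Don't ignore browser warnings about insecure sites": plain http login links
        if target.scheme == "http":
            findings.append(f"unencrypted link: {href}")
        # "Incorrect or unlikely web links": domain differs from the genuine site
        if registrable_domain(target.hostname) != genuine_domain:
            findings.append(f"link domain differs from genuine site: {target.hostname}")
        # Visible URL text that does not match where the link really goes
        if visible.startswith(("http://", "https://")):
            shown = urlparse(visible).hostname or ""
            if registrable_domain(shown) != registrable_domain(target.hostname):
                findings.append(f"visible URL {shown} does not match real target {target.hostname}")

    sender_domain = email["from"].rsplit("@", 1)[-1]
    if registrable_domain(sender_domain) != genuine_domain:
        findings.append(f"sender domain {sender_domain} is not {genuine_domain}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, GENUINE_DOMAIN):
        print("-", finding)
```

Each indicator maps to one bullet of the checklist, so the output doubles as an explanation a user can be shown; as the text warns, a mail that trips none of these checks is not thereby safe, which is why the function returns indicators rather than a verdict.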

The Do’s and Don’ts of a secure password

  • Combine uppercase and lowercase letters, numbers and symbols
  • Do not use a predictable password (such as YourName1988)
  • Use a long password – at least 13 characters
  • Do not share your password & keep it hidden
  • Base it on an easy-to-remember sentence
  • Change your password regularly – at least every 3 months
  • Use two-step verification: a combination of something you have (mobile phone/fingerprint) and something you know (password).
    Step 1 = logging in with a password
    Step 2 = the account sending a code to your mobile phone for verification
  • Do not use the same password for different accounts
  • Use a password vault – e.g. LastPass, Fastlane, LogMeOnce, Myki, 1Password, Dashlane, etc. – which keeps all your accounts and associated passwords safe
  • Do not use secret questions (such as the name of your mother-in-law, …)
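The password rules and the two-step flow above are concrete enough to implement. What follows is an added example, not code from BDO: the first part enforces the listed rules (length of at least 13, mixed character classes, no name-plus-year pattern, no reuse across accounts, rotation after 3 months), and the second part models Step 2 of the two-step login as a single-use code with a validity window. The five-minute code lifetime, the `user_name` parameter and the in-memory vault of existing passwords are assumptions made for the example.

```python
import hmac
import re
import secrets

MIN_LENGTH = 13            # "at least 13 characters"
MAX_AGE_DAYS = 90          # "at least every 3 months"
CODE_TTL_SECONDS = 300     # assumed validity window for the Step 2 code


def check_password_rules(password, *, user_name, existing_passwords=()):
    """Return the rules from the guidance that the candidate password breaks.

    existing_passwords stands in for the other entries in the user's own vault,
    which is the one place a reuse check can legitimately see them in clear.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_all_classes = all(re.search(pattern, password) for pattern in
                          (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if not has_all_classes:
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    # Predictable pattern such as YourName1988: the user's name followed by a year
    if re.fullmatch(re.escape(user_name) + r"(19|20)\d\d\W*", password, re.IGNORECASE):
        problems.append("predictable: name followed by a year")
    if password in set(existing_passwords):
        problems.append("reused from another account")
    return problems


def needs_rotation(last_changed_ts, now_ts):
    """True once the password is older than the 3-month maximum."""
    return (now_ts - last_changed_ts) > MAX_AGE_DAYS * 86400


class SecondStep:
    """Step 2 of the two-step login: issue a code to the phone, verify it once."""

    def __init__(self):
        self._pending = {}   # account -> (code, expiry timestamp)

    def issue(self, account, now_ts):
        code = f"{secrets.randbelow(1_000_000):06d}"   # six-digit code sent to the phone
        self._pending[account] = (code, now_ts + CODE_TTL_SECONDS)
        return code

    def verify(self, account, submitted, now_ts):
        # Single use: the entry is consumed on the first attempt, right or wrong
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        code, expiry = entry
        return now_ts <= expiry and hmac.compare_digest(code, submitted)


if __name__ == "__main__":
    print(check_password_rules("alice1988", user_name="alice"))
    print(check_password_rules("Correct-Horse-Battery-7!", user_name="alice"))
    step2 = SecondStep()
    sent = step2.issue("alice", now_ts=1000)
    print("code accepted:", step2.verify("alice", sent, now_ts=1060))
```

Two design choices are worth noticing: the code is popped from the pending table before it is compared, so a guess cannot be retried against the same code, and the comparison uses a constant-time equality so that the check does not leak which digits matched.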

Organisations may not realise how valuable a cybersecurity strategy is until there’s a vulnerability. BDO wants to make sure your organisation never faces that situation. BDO professionals are available to provide guidance and specialised resources surrounding any cyber security issue. Learn more about Cyber Security.