Employees Are Your Weakest Link Against Cyberattacks. Don't Put Them on the Front Lines
Microsoft researchers caused a stir this month with a new report revealing that spear-phishing attempts have doubled over the past year, from 0.31 per cent of total emails flagged as phishing attempts in September 2018 to 0.62 per cent in September 2019. Spear or laser-phishing attacks are highly targeted and use personal information gathered by hackers to dupe high-value employees into clicking on a malicious link or opening a malicious attachment.
The report shows that hacks have become so ingenious that even tech-savvy executives have been tricked. Yet despite unprecedented levels of phishing attacks this year on healthcare organizations, leading retail stores, financial services and even, god forbid, startups, most enterprises still place the burden of their whole ecosystem’s data security on their weakest link: their employees.
This leads me to ask - would an unarmed bank teller be expected to single-handedly stop a heist? Probably not. Yet in the majority of modern enterprises, the employee is still placed at the center of prevention. According to a study by IBM, human error is the cause of 95 per cent of cyber security breaches. In other words, if human error was somehow eliminated entirely, 19 out of 20 cyber breaches would not take place at all. And it only takes one hack to compromise a whole ecosystem, and potentially ruin a brand’s reputation.
So let’s break down the different tactics used by hackers to target all levels of an organization, why current defense tactics aren’t working, and offer recommendations on how tech companies can better protect themselves:
Which Organizations Are Most at Risk?
It’s easy to assume that hackers only target ‘big ticket’ larger organizations, but this is not the case. Smaller enterprises may have less valuable data, but they also have lower security budgets. Recent studies show 43 per cent of cyber attacks target small businesses, and that it takes an average of six months before founders realize they’ve been compromised.
SMBs and startups are easier to compromise, and are often used to gain backdoor access to higher-value targets, because hackers often attack early-stage startups as a gateway to the banks, VC firms, or service providers (such as lawyers or PR firms) that these organizations communicate with.
Which Employees Are Most at Risk?
One of the most hard-hitting takeaways from the Microsoft report is that top-level executives with years of experience are being fooled by increasingly ingenious attacks.
Phishing attacks are becoming more targeted than ever before. Hackers will do their research on executives - they will follow social media accounts to see which events they are attending, check out who they tag in photos, and find their photos on LinkedIn. They then use that personal information to make their targets click first and think later, with perfectly timed, contextual messages such as: ‘Hey it was awesome meeting you at X conference, based on our chat you might find this useful’.
But a common misconception is that these ‘high value’ targets are always the most at-risk. While C-suite, HR or finance professionals may offer access to highly sensitive customer and enterprise data, which can be sold for a pretty penny on the dark web, these professionals are also the most likely to be well-versed in cybersecurity prevention techniques.
In my experience, seeing as hackers only need one entry point to compromise a whole organization, they tend to play the long game and start at the bottom of the company hierarchy. They first target lower-level, less experienced employees using social engineering, then use ‘lateral phishing’ techniques to gain access to the communications of a number of employees, one by one.
All they need to do then is play the waiting game until one of those employees communicates with a ‘high value’ target via email, offering a hacker the chance to strike. They will choose the right email - for example, one requesting a report - and slide in a malicious file or link.
Why Are Educational Solutions Falling Short?
The fact that KnowBe4 raised an additional $300 million in funding this year, and Wombat was acquired for $225 million back in 2018, shows there is a lot of demand for security awareness tools within companies. Training about phishing detection, password hygiene, and new risks is extremely important. To be clear, companies SHOULD use these tools to train their staff.
But there is a risk of training fatigue setting in if users are not given personalized, actionable feedback. Most leading simulation tools will notify managers about employees behaving in an unsafe manner, but don’t actually correct the user in real time. Also, in the age of social engineering, when attacks are becoming hyper-personalized, it is almost impossible to create standardized ‘warning signs’ for employees to look out for.
In a recent interview with TNW, Adrien Gendre, Chief Solution Architect at Vade Secure, said that “Training employees on what to click is useful, but the current form of training alone is not adequate. It’s of little use when attackers keep changing their techniques every few months. It needs to be contextualized so that employees can identify malicious content when they see it.”
With as many as 80 per cent of security breaches still blamed on human error, one has to question the effectiveness of security training tools. Leading providers promise to be able to reduce the number of clicks on potentially harmful content from an average of 30 per cent down to 2 per cent after one year’s training. However, in large organizations with hundreds or thousands of employees, this small percentage could still pose a huge amount of risk. After all, it only takes one mistake to compromise a whole system.
How to Really Remove the Risk of Human Error
I believe that the only way to really defend enterprises is to take the weight of cyber defense off employees’ shoulders.
Hiring CISOs is a good start. CISOs play an important role in convincing leadership of the gravity of risks and ensuring that adequate budgets are assigned for training and buying security solutions. They are also qualified to roll out personalized staff training that focuses on small, actionable measures catered to specific work roles.
CISOs could send monthly reminders to change passwords and teach teams how to implement measures such as multi-factor authentication (MFA), or Single Sign-On (SSO), allowing employees to focus on their main responsibilities without compromising security. For enterprises with bigger budgets, biometric logins - which allow staff to log in to devices with the touch of a finger, or scan of an eye - are proving effective too.
However, enterprises ultimately need to onboard emerging technologies that automatically shut down attacks, even if a distracted employee tries to click on a link to see photos from a recent conference. New solutions that use NLP, machine learning and machine vision AI can automatically detect, flag, and block potential breaches from malware or phishing, the most common attack tactics.
High-value targets, such as healthcare providers, are increasingly rolling out AI solutions to remove the cybersecurity burden from their already busy staff, using both cloud solutions and endpoint defense tools. After all, there is no point in keeping networks safe if hundreds of endpoints are left unsecured.
2019 was a dreadful year for phishing attacks, but now, thanks to reports from organizations like Microsoft, the threat from phishing and malware attacks is clearer than ever. It is now the responsibility of businesses to create cybersecurity cultures that keep employees informed of risks and teach them strategies to stay one step ahead of hackers, but that consciously avoid placing employees at the center of prevention itself.
Because really, if you’re not in a Tom Clancy novel, should the defense of troves of critical data worth millions of dollars ever fall solely on one person?