Every Employee Should Be Considered A Target

The year 2020 has shaken the foundations of our personal and working lives and left us scratching our heads, begging a single question: just how vulnerable are we in this newly emerging world order?  COVID-19 was quick to answer that - it tested many of our defenses, and, quite frankly, we barely scraped a passing grade.  By Vytautas Kaziukonis

The recent pandemic has not only exposed our fears and anxieties but also unraveled many holes in our workplace cybersecurity systems. What’s worse is that our cyber security  issues and increased emotional susceptibility have paved the way for phishing and BEC’s (Business Email Compromise) to flourish in a time of distress and social isolation.

Spear phishing (or targeted phishing) attacks were the most prevalent and successful social engineering forms in 2020. They allowed cyber criminals to tailor scams for individual employees and leverage the stress and uncertainty of COVID-19 by using their personal data. 

From what we see so far, cyber crime is evolving faster than most organizations can keep up. To combat social engineering, companies should begin treating every employee as a cyber attack target. Here’s why.

A Single Employee’s Credentials Can Cost An Entire Company

Many organizations pool vast amounts of resources to build and maintain their cyber security infrastructure, and some senior-level employees often have full access to a company’s security systems. It’s similar to having a multi-door secured vault and giving one of the bank managers a skeleton key to open them. If this skeleton key (or employee’s credentials) is phished from the manager’s pocket by a threat actor via a compelling email or a malware-ridden link, this can put an entire company in danger.  

It’s not just about losing assets or data either. Travelex, a predominantly online currency exchange business went out of business following crippling ransom attack, thought to originate is a successful phishing email.

To avoid becoming another example of how potent social engineering can be, it is essential not to trust a single employee with full system access. Anyone can be spear-phished, and everyone makes mistakes.

VIPs are not always VAPs

While CEOs, VPs, and other employees holding influence or administrative credentials may all be tempting phishing targets, they are not always “VAPs” (Very Attacked People). Staff members who do not hold managerial positions receive substantially more malware and credential phishing attempts than their seniors. Hence, it is dangerous to assume that the company’s VIPs are the only targets prized by cyber criminals. Cybersecurity should be the responsibility of everyone in the organization, and employees of all levels should be educated on how to spot, avoid and report cyber and phishing threats.

The Web Is Ripe With Information For Phishing

People seldom think about what information they put out about themselves online. Like a magnifying glass into someone’s personal life, social media can reveal a person’s hobbies and interests, or even their traveling habits and trips abroad with exact dates and locations. This information can help a phisher write compelling scam emails to their victims or even make it easier to impersonate someone they know.

Engaging in social media is anyone’s freedom of choice and, most times, completely unrelated to a person’s workplace responsibilities. Hence organizations and companies can’t account for their employees’ online actions outside of their work environment.What makes the situation worse is that social engineers may not necessarily need direct access to someone’s social media profile for said information. There exist databases with billions of personal data records from websites like Facebook, Twitter, LinkedIn, and Github. These profiles have been leaked and compiled over the years, so the number of possible attack vectors is too great to consider.

The only thing organizations can do is adopt a holistic approach to their security infrastructure and treat every single company’s employee as a potential point of breach.

An Individual / Collective Approach To Cyber Security

The age of social engineering is calling for a change in how we approach cybersecurity. Protection that technology offers is not enough - phishing, spear phishing, and BECs prey on people’s emotions and susceptibility to authority. Every employee, be it a senior, mid or junior, comprises an organization as a whole, and threat actors can target any one of them.

The best strategy to tackle the social engineering craze is to identify and prevent every possible point of a breach in a company’s security system. This means considering every employee as a potential cyber attack target and taking preventive measures like MFA (multi-factor authentication), training, incentivizing, and education. Only this way will we be able to protect organizations from being compromised by the human factor.

Vytautas Kaziukonis is the founder and the CEO of Surfshark, a privacy protection toolset developed to provide its users with an ability to enhance their online security seamlessly.The core premise of Surfshark is to humanize online privacy protection and develop tools that protect users’ privacy beyond the realm of a virtual private network (VPN).

Image: Unsplash

You Might Also Read:                                                                                 

Top Cybersecurity Threats & Solutions To Empower Every Business:                  

 

« Cyber Security Insights For Executives
Friends Reunite As Facebook & Australia Make Up »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ON-DEMAND WEBINAR: Learn how SOAR helps you streamline security

ON-DEMAND WEBINAR: Learn how SOAR helps you streamline security

Watch this webinar to explore the Security orchestration, automation, and response (SOAR) paradigm, its relationship with organization IT practices, and its role in your security strategy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Identity Theft Resource Center (ITRC)

Identity Theft Resource Center (ITRC)

ITRC is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.

Hotlava Systems

Hotlava Systems

HotLava network adapters enable today's powerful servers and workstations to deliver more productivity by reducing congestion at the network interface.

RSA Insurance Group

RSA Insurance Group

RSA is one of the world’s leading multinational quoted insurance groups. Commercial services include cyber risk insurance.

European Cyber Security Organisation (ECSO)

European Cyber Security Organisation (ECSO)

The main objective of ECSO is to support all types of initiatives or projects that aim to develop, promote and encourage European cybersecurity.

Beachhead Solutions

Beachhead Solutions

Beachhead's SimplySecure is a configurable, web-based management tool allowing you to remotely secure vulnerable mobile devices in your organization.

CS Group

CS Group

CS Group offers a complete range of security solutions from consultancy to security maintenance and from secure infrastructure design to security governance.

Delta Risk

Delta Risk

Delta Risk is a global provider of managed security services and cyber security risk management solutions to government and private sector clients.

National Cybersecurity Student Association (NCSA)

National Cybersecurity Student Association (NCSA)

The National Cybersecurity Student Association is a one-stop-shop to enhance the educational and professional development of cybersecurity students through activities, networking and collaboration.

Capsule8

Capsule8

Capsule8 is the only company providing high-performance attack protection for Linux production environments.

Kleiner Perkins

Kleiner Perkins

For five decades, Kleiner Perkins has made history by partnering with some of the most ingenious and forward-thinking founders in technology and life sciences.

Blue Cedar

Blue Cedar

Blue Cedar's mobile app security integration platform secures and accelerates mobile app deployment for enterprises and government organizations around the world.

WolfSSL

WolfSSL

wolfSSL is an embedded SSL/TLS library providing secure communication for IoT, smart grid, connected home, routers, applications, games, phones, and more.

Cybrella

Cybrella

Cybrella offers professional cybersecurity services for small to medium sized businesses and to larger enterprises looking to expand their cybersecurity capabilities.

SecurIT360

SecurIT360

SecurIT360 is a full-service specialized Cyber Security and Compliance consulting firm.

Gravitee

Gravitee

Gravitee helps organizations manage and secure their entire API lifecycle with solutions for API design, management, security, productization, real-time observability, and more.

Chainguard

Chainguard

Founded by the industry's leading experts on open source software, security and cloud native development, Chainguard are on a mission to make the software supply chain secure by default.