Every Employee Should Be Considered A Target

The year 2020 has shaken the foundations of our personal and working lives and left us scratching our heads, begging a single question: just how vulnerable are we in this newly emerging world order?  COVID-19 was quick to answer that - it tested many of our defenses, and, quite frankly, we barely scraped a passing grade.  By Vytautas Kaziukonis

The recent pandemic has not only exposed our fears and anxieties but also unraveled many holes in our workplace cybersecurity systems. What’s worse is that our cyber security  issues and increased emotional susceptibility have paved the way for phishing and BEC’s (Business Email Compromise) to flourish in a time of distress and social isolation.

Spear phishing (or targeted phishing) attacks were the most prevalent and successful social engineering forms in 2020. They allowed cyber criminals to tailor scams for individual employees and leverage the stress and uncertainty of COVID-19 by using their personal data. 

From what we see so far, cyber crime is evolving faster than most organizations can keep up. To combat social engineering, companies should begin treating every employee as a cyber attack target. Here’s why.

A Single Employee’s Credentials Can Cost An Entire Company

Many organizations pool vast amounts of resources to build and maintain their cyber security infrastructure, and some senior-level employees often have full access to a company’s security systems. It’s similar to having a multi-door secured vault and giving one of the bank managers a skeleton key to open them. If this skeleton key (or employee’s credentials) is phished from the manager’s pocket by a threat actor via a compelling email or a malware-ridden link, this can put an entire company in danger.  

It’s not just about losing assets or data either. Travelex, a predominantly online currency exchange business went out of business following crippling ransom attack, thought to originate is a successful phishing email.

To avoid becoming another example of how potent social engineering can be, it is essential not to trust a single employee with full system access. Anyone can be spear-phished, and everyone makes mistakes.

VIPs are not always VAPs

While CEOs, VPs, and other employees holding influence or administrative credentials may all be tempting phishing targets, they are not always “VAPs” (Very Attacked People). Staff members who do not hold managerial positions receive substantially more malware and credential phishing attempts than their seniors. Hence, it is dangerous to assume that the company’s VIPs are the only targets prized by cyber criminals. Cybersecurity should be the responsibility of everyone in the organization, and employees of all levels should be educated on how to spot, avoid and report cyber and phishing threats.

The Web Is Ripe With Information For Phishing

People seldom think about what information they put out about themselves online. Like a magnifying glass into someone’s personal life, social media can reveal a person’s hobbies and interests, or even their traveling habits and trips abroad with exact dates and locations. This information can help a phisher write compelling scam emails to their victims or even make it easier to impersonate someone they know.

Engaging in social media is anyone’s freedom of choice and, most times, completely unrelated to a person’s workplace responsibilities. Hence organizations and companies can’t account for their employees’ online actions outside of their work environment.What makes the situation worse is that social engineers may not necessarily need direct access to someone’s social media profile for said information. There exist databases with billions of personal data records from websites like Facebook, Twitter, LinkedIn, and Github. These profiles have been leaked and compiled over the years, so the number of possible attack vectors is too great to consider.

The only thing organizations can do is adopt a holistic approach to their security infrastructure and treat every single company’s employee as a potential point of breach.

An Individual / Collective Approach To Cyber Security

The age of social engineering is calling for a change in how we approach cybersecurity. Protection that technology offers is not enough - phishing, spear phishing, and BECs prey on people’s emotions and susceptibility to authority. Every employee, be it a senior, mid or junior, comprises an organization as a whole, and threat actors can target any one of them.

The best strategy to tackle the social engineering craze is to identify and prevent every possible point of a breach in a company’s security system. This means considering every employee as a potential cyber attack target and taking preventive measures like MFA (multi-factor authentication), training, incentivizing, and education. Only this way will we be able to protect organizations from being compromised by the human factor.

Vytautas Kaziukonis is the founder and the CEO of Surfshark, a privacy protection toolset developed to provide its users with an ability to enhance their online security seamlessly.The core premise of Surfshark is to humanize online privacy protection and develop tools that protect users’ privacy beyond the realm of a virtual private network (VPN).

Image: Unsplash

You Might Also Read:                                                                                 

Top Cybersecurity Threats & Solutions To Empower Every Business: