Every Employee Should Be Considered A Target

Uploaded on 2021-02-22 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

The year 2020 has shaken the foundations of our personal and working lives and left us scratching our heads, begging a single question: just how vulnerable are we in this newly emerging world order?  COVID-19 was quick to answer that - it tested many of our defenses, and, quite frankly, we barely scraped a passing grade.  By Vytautas Kaziukonis

The recent pandemic has not only exposed our fears and anxieties but also unraveled many holes in our workplace cybersecurity systems. What’s worse is that our cyber security  issues and increased emotional susceptibility have paved the way for phishing and BEC’s (Business Email Compromise) to flourish in a time of distress and social isolation.

Spear phishing (or targeted phishing) attacks were the most prevalent and successful social engineering forms in 2020. They allowed cyber criminals to tailor scams for individual employees and leverage the stress and uncertainty of COVID-19 by using their personal data. 

From what we see so far, cyber crime is evolving faster than most organizations can keep up. To combat social engineering, companies should begin treating every employee as a cyber attack target. Here’s why.

A Single Employee’s Credentials Can Cost An Entire Company

Many organizations pool vast amounts of resources to build and maintain their cyber security infrastructure, and some senior-level employees often have full access to a company’s security systems. It’s similar to having a multi-door secured vault and giving one of the bank managers a skeleton key to open them. If this skeleton key (or employee’s credentials) is phished from the manager’s pocket by a threat actor via a compelling email or a malware-ridden link, this can put an entire company in danger.  

It’s not just about losing assets or data either. Travelex, a predominantly online currency exchange business went out of business following crippling ransom attack, thought to originate is a successful phishing email.

To avoid becoming another example of how potent social engineering can be, it is essential not to trust a single employee with full system access. Anyone can be spear-phished, and everyone makes mistakes.

VIPs are not always VAPs

While CEOs, VPs, and other employees holding influence or administrative credentials may all be tempting phishing targets, they are not always “VAPs” (Very Attacked People). Staff members who do not hold managerial positions receive substantially more malware and credential phishing attempts than their seniors. Hence, it is dangerous to assume that the company’s VIPs are the only targets prized by cyber criminals. Cybersecurity should be the responsibility of everyone in the organization, and employees of all levels should be educated on how to spot, avoid and report cyber and phishing threats.

The Web Is Ripe With Information For Phishing

People seldom think about what information they put out about themselves online. Like a magnifying glass into someone’s personal life, social media can reveal a person’s hobbies and interests, or even their traveling habits and trips abroad with exact dates and locations. This information can help a phisher write compelling scam emails to their victims or even make it easier to impersonate someone they know.

Engaging in social media is anyone’s freedom of choice and, most times, completely unrelated to a person’s workplace responsibilities. Hence organizations and companies can’t account for their employees’ online actions outside of their work environment.What makes the situation worse is that social engineers may not necessarily need direct access to someone’s social media profile for said information. There exist databases with billions of personal data records from websites like Facebook, Twitter, LinkedIn, and Github. These profiles have been leaked and compiled over the years, so the number of possible attack vectors is too great to consider.

The only thing organizations can do is adopt a holistic approach to their security infrastructure and treat every single company’s employee as a potential point of breach.

An Individual / Collective Approach To Cyber Security

The age of social engineering is calling for a change in how we approach cybersecurity. Protection that technology offers is not enough - phishing, spear phishing, and BECs prey on people’s emotions and susceptibility to authority. Every employee, be it a senior, mid or junior, comprises an organization as a whole, and threat actors can target any one of them.

The best strategy to tackle the social engineering craze is to identify and prevent every possible point of a breach in a company’s security system. This means considering every employee as a potential cyber attack target and taking preventive measures like MFA (multi-factor authentication), training, incentivizing, and education. Only this way will we be able to protect organizations from being compromised by the human factor.

Vytautas Kaziukonis is the founder and the CEO of Surfshark, a privacy protection toolset developed to provide its users with an ability to enhance their online security seamlessly.The core premise of Surfshark is to humanize online privacy protection and develop tools that protect users’ privacy beyond the realm of a virtual private network (VPN).

Image: Unsplash

You Might Also Read:                                                                                 

Top Cybersecurity Threats & Solutions To Empower Every Business:                  

 

« Cyber Security Insights For Executives
Friends Reunite As Facebook & Australia Make Up »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Aurec

Aurec

Aurec provides specialist recruitment and contracting services including ICT professionals.

aizoOn Technology Consulting

aizoOn Technology Consulting

aizoOn is a technology consulting company offering a range of services including IoT & embedded security, mobile security, cybersecurity assessments, risk & compliance, network monitoring and more.

Mellanox Technologies

Mellanox Technologies

Mellanox Technologies is a leading supplier of end-to-end Ethernet and InfiniBand intelligent interconnect solutions and services for servers, storage, and hyper-converged infrastructure.

Firebrand

Firebrand

Firebrand is the leader in Accelerated Learning in the field of IT and project management.

Cryptus Cyber Security

Cryptus Cyber Security

Cryptus Cyber Security is an Information Security Training company providing advanced training and services to IT Professionals.

Yokogawa Electric

Yokogawa Electric

Yokogawa is an electrical engineering company providing measurement, control, and information technologies including industrial cyber security.

National Digital Exploitation Centre (NDEC) - United Kingdom

National Digital Exploitation Centre (NDEC) - United Kingdom

NDEC is a project to create a centre of cyber and digital development and education for the UK. It will offer training in digital practices, cyber security and research.

Syskode Technologies

Syskode Technologies

Sykode Technologies is a next-generation global technology company offering an integrated portfolio of advisory services, products and solutions in areas including AI, IoT and Cyber Security.

ZEBOX

ZEBOX

ZEBOX is an international incubator & accelerator of innovative startups. Focus is on Transport/Logistics and Industry X.0 including technologies such as AI, Blockchain and Cybersecurity.

KeyData Associates

KeyData Associates

KeyData is a recognized leader in cybersecurity services specializing in Identity and Access Management (IAM), Customer Identity & Access Management (CIAM) and Privileged Access Management (PAM).

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

AWS Marketplace eBook: Optimizing your cloud deployments to accelerate cloud activities, reduce costs, and improve customer experience.

Schneider Downs

Schneider Downs

Schneider Downs & Co. provides accounting, tax and business advisory services through innovative thought leaders who deliver their expertise to meet the individual needs of each client.

AnzenSage

AnzenSage

AnzenSage is a cybersecurity advisory consultancy specializing in security risk resilience for the food sector: agriculture, food manufacturing, food supply chain, vineyards, and wineries.

GO Business

GO Business

GO Business are a specialised B2B team within GO that caters to the communication needs of the local business community in Malta.

Kusari

Kusari

Securing your software supply chain starts with understanding. Kusari is on a mission to bring transparency to your software supply chain and power secure development.

BCX

BCX

BCX, a subsidiary within Telkom Group, is one of Africa’s largest systems integrator and digital transformation partners for enterprises and public sector organisations.