Every Employee Should Be Considered A Target

The year 2020 has shaken the foundations of our personal and working lives and left us scratching our heads, begging a single question: just how vulnerable are we in this newly emerging world order?  COVID-19 was quick to answer that - it tested many of our defenses, and, quite frankly, we barely scraped a passing grade.  By Vytautas Kaziukonis

The recent pandemic has not only exposed our fears and anxieties but also unraveled many holes in our workplace cybersecurity systems. What’s worse is that our cyber security  issues and increased emotional susceptibility have paved the way for phishing and BEC’s (Business Email Compromise) to flourish in a time of distress and social isolation.

Spear phishing (or targeted phishing) attacks were the most prevalent and successful social engineering forms in 2020. They allowed cyber criminals to tailor scams for individual employees and leverage the stress and uncertainty of COVID-19 by using their personal data. 

From what we see so far, cyber crime is evolving faster than most organizations can keep up. To combat social engineering, companies should begin treating every employee as a cyber attack target. Here’s why.

A Single Employee’s Credentials Can Cost An Entire Company

Many organizations pool vast amounts of resources to build and maintain their cyber security infrastructure, and some senior-level employees often have full access to a company’s security systems. It’s similar to having a multi-door secured vault and giving one of the bank managers a skeleton key to open them. If this skeleton key (or employee’s credentials) is phished from the manager’s pocket by a threat actor via a compelling email or a malware-ridden link, this can put an entire company in danger.  

It’s not just about losing assets or data either. Travelex, a predominantly online currency exchange business went out of business following crippling ransom attack, thought to originate is a successful phishing email.

To avoid becoming another example of how potent social engineering can be, it is essential not to trust a single employee with full system access. Anyone can be spear-phished, and everyone makes mistakes.

VIPs are not always VAPs

While CEOs, VPs, and other employees holding influence or administrative credentials may all be tempting phishing targets, they are not always “VAPs” (Very Attacked People). Staff members who do not hold managerial positions receive substantially more malware and credential phishing attempts than their seniors. Hence, it is dangerous to assume that the company’s VIPs are the only targets prized by cyber criminals. Cybersecurity should be the responsibility of everyone in the organization, and employees of all levels should be educated on how to spot, avoid and report cyber and phishing threats.

The Web Is Ripe With Information For Phishing

People seldom think about what information they put out about themselves online. Like a magnifying glass into someone’s personal life, social media can reveal a person’s hobbies and interests, or even their traveling habits and trips abroad with exact dates and locations. This information can help a phisher write compelling scam emails to their victims or even make it easier to impersonate someone they know.

Engaging in social media is anyone’s freedom of choice and, most times, completely unrelated to a person’s workplace responsibilities. Hence organizations and companies can’t account for their employees’ online actions outside of their work environment.What makes the situation worse is that social engineers may not necessarily need direct access to someone’s social media profile for said information. There exist databases with billions of personal data records from websites like Facebook, Twitter, LinkedIn, and Github. These profiles have been leaked and compiled over the years, so the number of possible attack vectors is too great to consider.

The only thing organizations can do is adopt a holistic approach to their security infrastructure and treat every single company’s employee as a potential point of breach.

An Individual / Collective Approach To Cyber Security

The age of social engineering is calling for a change in how we approach cybersecurity. Protection that technology offers is not enough - phishing, spear phishing, and BECs prey on people’s emotions and susceptibility to authority. Every employee, be it a senior, mid or junior, comprises an organization as a whole, and threat actors can target any one of them.

The best strategy to tackle the social engineering craze is to identify and prevent every possible point of a breach in a company’s security system. This means considering every employee as a potential cyber attack target and taking preventive measures like MFA (multi-factor authentication), training, incentivizing, and education. Only this way will we be able to protect organizations from being compromised by the human factor.

Vytautas Kaziukonis is the founder and the CEO of Surfshark, a privacy protection toolset developed to provide its users with an ability to enhance their online security seamlessly.The core premise of Surfshark is to humanize online privacy protection and develop tools that protect users’ privacy beyond the realm of a virtual private network (VPN).

Image: Unsplash

You Might Also Read:                                                                                 

Top Cybersecurity Threats & Solutions To Empower Every Business:                  

 

« Cyber Security Insights For Executives
Friends Reunite As Facebook & Australia Make Up »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Protective Intelligence

Protective Intelligence

Protective Intelligence brings together a group of information security specialists with a passion for delivering high-quality solutions.

HUB International

HUB International

HUB is one of the largest insurance brokers in the world. HUB Risk Services provides the full range of expert consulting to identify risks, reduce exposure to loss and manage claims issues.

Zymr

Zymr

Zymr specialize in cloud computing solutions including Cloud Security, Cloud Mobility, Cloud Apps, Cloud Infrastructure and Cloud Orchestration.

Proact IT Group

Proact IT Group

Proact is Europe's leading independent data centre and Cloud services enabler. We deliver flexible, accessible and secure IT solutions and services.

Independent Security Evaluators (ISE)

Independent Security Evaluators (ISE)

ISE is an independent security consulting firm headquartered in Baltimore, Maryland dedicated to securing high value assets for global enterprises and performing groundbreaking security research.

CyberTech Network

CyberTech Network

CyberTECH is a global cybersecurity, Internet of Things (IoT) and Smart City network ecosystem and incubator operator.

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

SEEDS conducts research and develops innovative cybersecurity technologies, tools, and methodologies that advance the energy sector’s ability to survive cyber incidents.

Appsec Phoenix

Appsec Phoenix

Appsec Phoenix is an end to end vulnerability management platform that focuses on workflows, threat feed, and real time data.

TopSOC Information Security

TopSOC Information Security

TopSOC Information Security provide a wide range of security consultation, implementation and training services.

Trusted Cyber Solutions

Trusted Cyber Solutions

Trusted Cyber Solutions is an independent Cyber Security and Risk Management consultancy.

ExchangeDefender

ExchangeDefender

ExchangeDefender provides cybersecurity services that secures your company email and data, and guarantees 24/7 email access.

Sidcon International Consulting Company

Sidcon International Consulting Company

SIDCON International Consulting Company has been providing consulting services since 2002 for private and public organizations in Ukraine and other countries.

Orbis Cyber Security

Orbis Cyber Security

Orbis is one of the leading cybersecurity company in USA. Our cybersecurity specialist defends your data, combat threat, and modernize your compliance.

MARS Suite

MARS Suite

MARS Suite is your all-in-one solution for cyber protection & compliance. Cybersecurity and risk management is what we do best. And we’re making it simple and easy.

Universal Technical Resource Services (UTRS)

Universal Technical Resource Services (UTRS)

UTRS is a technology firm that delivers a wide range of engineering, technical, strategic, and digital services to the public and private sectors.

Amiseq

Amiseq

Amiseq – Your Tech Partner delivers transformational IT Consulting Services enabling customers achieve a competitive edge.