It may come as a surprise that cybercriminals prefer to target individual end-users rather than complicated, corporate infrastructures in their cyber attacks. It's easier for hackers to prey on unsuspecting individuals than it is to create expensive, time-consuming business network exploits. Below we will outline five common types of cyberattacks targeting end-users, the risks they pose to organizations, and the suggested data breach prevention steps needed to reduce the threats.
According to research done by Verizon in their 2021 Data Breach Investigations Report, 85% of breaches involved human interaction to succeed, such as clicking a link, opening a malicious document, or running a macro file. This means that threat actors often need our help to carry out their sophisticated attacks and they heavily rely on the individual's poor security habits.
Data Breach Prevention: Common Threats
Below are five different types of cyberattacks you'd likely encounter throughout any given day of the week. Each scenario outlines how a hacker might attempt to initiate a cyberattack through everyday end-user activities, along with some suggested data breach prevention steps. Click on each for detailed information:
1. Password Attack
It is well known that the use of simple or common passwords is a risky security practice, but so is the habit of using the same password across multiple websites. The cybersecurity best practice is to assign strong, unique passwords for each system and application used. This practice is often ignored because it can be difficult for end-users to remember multiple and complex passwords.
- Risk: Many corporate networks require strong passwords, including your software-as-a-service (SaaS) based applications. Suppose an employee duplicates their corporate password on multiple (and potentially less secure) personal sites such as social media platforms, email, or e-commerce sites. A cybercriminal could spoof their personal identity, making it simpler to obtain access to sensitive corporate data.
- Solution: Don't reuse passwords. And specifically, don't use similar passwords across business and personal accounts. If a hacker compromises one password, they will use it to access multiple accounts. In addition, implement Multi-Factor Authentication (MFA) to your business and even personal accounts. You can also add Single Sign-On (SSO) across corporate accounts to remove the burden of remembering multiple complex passwords. Implementing a combination of both MFA and SSO will provide the ultimate password security.
2. Using Unsecure Hotspots for Sensitive Work
Unsecure Wi-Fi hotspots may be great for streaming music or movies at your local coffee shop, but be careful not to use them for online banking, connecting to corporate applications, or even social media. If you are not required to enter a password, agree to legal terms, or register an account, you are most likely using an unsecured Wi-Fi connection.
- Risk: Cybercriminals can easily hijack unsecured or poorly secured Wi-Fi router connections found in public areas, like cafés and bookstores. The attacker may be in physical proximity of the Wi-Fi hotspot and can scan the unsecured routers looking for vulnerabilities, like weak passwords. Once the hacker has access to a connection, they can capture the victim's unencrypted data sent over the internet, such as login credentials, banking information, and more. This attack is known as a "Man-in-the-Middle" exploit.
- Solution: If you don't have access to a secure Wi-Fi connection, limit your online activity to basic browsing that doesn't require a password or accessing personal information. If you plan to conduct company-related business or access sensitive online accounts, including social media, turn off Wi-Fi and use your cellular service. This will establish a connection through your network carrier/ mobile provider (i.e. Verizon, AT&T, etc.) encrypting your transferred data and using cell towers rather than a public Wi-Fi network. Better yet, your organization can provide a virtual private network (VPN), coupled with MFA to protect your login credentials when working remotely which creates a secure connection to your network and internet.
3. Trusting Emails
The prevalence of phishing emails involving data breaches has steadily increased to 36%, up 11% in just one year, making them the most common type of attack. In a basic phishing attack, hackers will send out mass emails from a trusted entity (i.e. Amazon, U.S. Postal Service, company vendor, etc.) attempting to trick users into entering personal and confidential information. It is also common for businesses to receive "spear-phishing" emails that target specific, high-value employees deep within an organization (President, CEO, CFO, etc.).
- Risk: Suppose an employee receives an email that appears to be from the CEO requesting some form of urgent electronic payment. Due to established trust within the organization, the employee most likely follows through with the request, resulting in a big payday for the cybercriminal. This trend is referred to as "CEO Fraud," or Business Email Compromise (BEC). According to the latest FBI Internet Crime Report, victims of BEC scams suffered the largest percentage of all losses (37%), totaling over $1.8 billion in 2020 alone.
- Solution: Adopt a cybersecurity approach that includes security awareness training coupled with regular simulated phishing emails. Training instills good security habits and conditions staff to question suspicious emails.
4. Social Media Exposure
Social media can be a valuable tool for your business and employees to interact with customers and prospects alike. The networking, marketing, event advertising, and HR exposure that social media platforms provide is a game-changer for so many companies. But cybercriminals are social media users too! The unintended consequence of using social media is the easy access hackers now have to more personal information about employees. This creates a backdoor to enterprise systems and a blindspot in your security defenses.
- Risk: Hackers use social media in the reconnaissance phase of an attack to collect background information needed to impersonate trusted people and brands that can be used in targeted (spear)phishing campaigns. Hackers know they can manipulate employees through persuasive emails and trusted connections, making employees the weakest link in your security.
- Solution: Have a Social Media policy in place that outlines best practices in relation to social media website usage. It conveys guidelines for personal social media use in the office, develops security protocols around passwords, file sharing, intent, etc. Also, implement security awareness training to help your employees be aware of the latest social media scams.
5. Website Infections
A lesser-known, yet harder to prevent cyberattack is a website infection known as a "drive-by download attack".They are malicious trojans masked to look like a trusted advertisement or security update and can exist on legitimate websites. Simply visiting a compromised webpage where a hacker attached a malicious component allows the bug to search for security gaps on your device, then install the malware. Your computer or mobile device will become infected, without any knowledge of the malicious code. Unlike other cyberattacks, the end-user doesn't necessarily have to click, download, or open anything to actively enable the attack. A drive-by download will take advantage of applications, operating systems, or web browsers that are unpatched, end-of-life (EOL), or contain security flaws.
- Risk: Due to the lack of human involvement needed to enable the attack, drive-by downloads can be very hard to prevent. They target systems with unpatched security holes or outdated operating systems. Hackers also target software and operating systems that are EOL and unsupported; no longer receiving security patches or bug fixes.
- Solution: The most critical prevention method for drive-by download attacks is to keep all your organization's systems up-to-date. You will want to ensure that patching stays current with the latest security updates. It is also a good practice to set up monitoring of your network that looks for suspicious traffic or activities and alerts you to a potential security threat that could be a result of a drive-by attack.
Cybercriminals will continue to target employees and end-users due to their extremely high data breach success rate. Now is the time to educate your end-users and staff about the latest cybercriminal techniques. A recent study has shown that with regular security awareness training in place, an organization can reduce cyber-risks by as much as 70%.
The Good News
The good news is when you educate and train staff to recognize the latest cybercriminal methods and couple that training with effective security tools, you can significantly reduce your chances of suffering a devastating data breach.
We recommend arming your staff with the training they need to spot phishing emails, identity deception tactics, and other advanced attacks. Data breach prevention starts with effective security awareness training and implementing multiple security defenses. Select the link below for more detailed information on security awareness training for your organization.
For information about security awareness training and how to improve your security posture, connect with us at firstname.lastname@example.org or call 888.624.6737. Customers, please reach out to your Account Manager.