Would it surprise you to know that cybercriminals aggressively target individuals over corporate infrastructures in their attacks? This is because it is easier and ultimately more profitable for hackers to target unsuspecting people. Threat actors target people in a myriad of ways in hopes of stealing credentials or uploading malicious apps into business networks to obtain a solid payday or gain access to sensitive data. According to research done by Proofpoint, a leading cybersecurity and compliance company, more than 99% of the attacks observed required human interaction to succeed.
With that simple fact, how can your organization prevent its employees from releasing confidential and critical information? The reality is, we all make mistakes, and cybercriminals know it. These threat actors rely on poor security habits to carry out their sophisticated attacks. Let's take a look at the five most common ways employees can compromise security, as well as the cybersecurity best practices to prevent them.
Reusing Passwords
The habit of using the same password on multiple websites creates a risk for any end user. Avoiding password reuse is a cybersecurity best practice that is often ignored.
- Risk: Likely, your corporate network requires strong passwords, including your software-as-a-service (SaaS) based applications. Suppose a user duplicates their corporate password on multiple personal sites, including social platforms. In that case, a cybercriminal could spoof their identity and make it simpler to obtain access to even more sensitive data.
- Solution: Don't reuse passwords, and in particular, don't use the same or similar passwords across business and personal accounts. If hackers compromise one password, they can use it to access multiple accounts. Seriously consider multi-factor authentication (MFA), single sign-on (SSO), or a combination of both for stronger password security.
Using Free Wi-Fi Hotspots for Sensitive Work
Free Wi-Fi hotspots may be great for streaming music or movies, but be careful not to use them for online banking or unsecured connections to corporate applications.
- Risk: Cybercriminals can easily hijack unsecured or poorly secured Wi-Fi router connections, which are common in public areas like a popular café. The attacker may be in physical proximity to the free Wi-Fi hotspot, scanning routers for vulnerabilities such as a weak password. Once the criminal has access to a connection, they can capture the victim's transmitted data, such as login credentials, banking information, and more. This attack is known as a "Man-in-the-Middle" exploit.
- Solution: If you have no option to connect to a secure Wi-Fi network, limit your online activity to basic browsing. If you plan to do work or access sensitive online accounts, turn off your Wi-Fi and use your cellular connection instead. You can also subscribe to a virtual private network (VPN) service, which creates an encrypted connection to the internet.
Phishing Emails
The prevalence of phishing emails targeting business employees is steadily increasing. A basic phishing attack attempts to trick a user into entering personal and confidential information, often targeting employees deep within an organization. According to one Verizon Data Breach Report, 1 in 14 users fall victim to phishing attempts, which are the number one cause of data breaches.
- Risk: Suppose an employee receives an email that appears to be from the CEO requesting some form of urgent electronic payment. Because the request appears to come from a trusted colleague, the victim follows through with it, resulting in a big payday for the cybercriminal. This trend is referred to as "CEO Fraud," or Business Email Compromise (BEC), and according to the FBI, BEC attack losses totaled more than $1.7 billion in 2019 alone.
- Solution: Adopt a cybersecurity approach that includes security awareness training coupled with regular simulated phishing emails. Training instills good security habits and has staff questioning suspicious emails.
Social Media Exposure
Social media can be a valuable tool for your business and employees to interact with customers and prospects alike. The word-of-mouth advertising that social media platforms provide is a game-changer for so many companies. However, the unintended consequence is cybercriminals now have access to more personal information about your employees that they can use in targeted phishing campaigns.
- Risk: Cybercriminals are social media users too! They are patient and very persistent when a target is in mind. As they scour the internet for information that can provide them access to an organization, social media can enable them to craft persuasive emails to organizational colleagues who might let their guard down.
- Solution: Have a social media policy in place that outlines best practices for social media website usage. It should convey guidelines for personal social media use in the office and establish security protocols around passwords, file sharing, intent, and related matters. Also, implement security awareness training to help your employees recognize the latest social media scams.
Drive-by Downloads
One of the lesser-known cyberattacks is a website infection known as a drive-by download attack. These attacks can happen with or without your consent and can exist on legitimate websites. The malicious download can occur by clicking on a malicious advertisement masked as a trusted source, or simply by visiting a compromised web page that probes your device for security gaps and then installs the malware.
- Risk: Because the attack requires little or no action from the user, drive-by downloads can be harder to prevent. They target systems with unpatched security holes or outdated operating systems. The impact is much the same as the outcome of clicking on a phishing email.
- Solution: While there are many recommendations to defend against drive-by attacks, the most critical prevention method is to keep all your organization's systems up to date. This includes applying security patches promptly. Drive-by exploits often use unpatched application vulnerabilities to download malware without detection.
Employees are a critical line of defense. Cybercriminals will continue to target your employees because of their success rate. Does your staff need to become more educated about the latest cybercriminal techniques? An educated employee is a secure employee. Arm your staff with the training they need to spot phishing emails, identity deception tactics, and other advanced attacks. Please fill out the form below to contact us about Security Awareness Training for your organization.