Every Employee Should Be Considered A Target

Uploaded on 2021-02-22 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

The year 2020 has shaken the foundations of our personal and working lives and left us scratching our heads, begging a single question: just how vulnerable are we in this newly emerging world order?  COVID-19 was quick to answer that - it tested many of our defenses, and, quite frankly, we barely scraped a passing grade.  By Vytautas Kaziukonis

The recent pandemic has not only exposed our fears and anxieties but also unraveled many holes in our workplace cybersecurity systems. What’s worse is that our cyber security  issues and increased emotional susceptibility have paved the way for phishing and BEC’s (Business Email Compromise) to flourish in a time of distress and social isolation.

Spear phishing (or targeted phishing) attacks were the most prevalent and successful social engineering forms in 2020. They allowed cyber criminals to tailor scams for individual employees and leverage the stress and uncertainty of COVID-19 by using their personal data. 

From what we see so far, cyber crime is evolving faster than most organizations can keep up. To combat social engineering, companies should begin treating every employee as a cyber attack target. Here’s why.

A Single Employee’s Credentials Can Cost An Entire Company

Many organizations pool vast amounts of resources to build and maintain their cyber security infrastructure, and some senior-level employees often have full access to a company’s security systems. It’s similar to having a multi-door secured vault and giving one of the bank managers a skeleton key to open them. If this skeleton key (or employee’s credentials) is phished from the manager’s pocket by a threat actor via a compelling email or a malware-ridden link, this can put an entire company in danger.  

It’s not just about losing assets or data either. Travelex, a predominantly online currency exchange business went out of business following crippling ransom attack, thought to originate is a successful phishing email.

To avoid becoming another example of how potent social engineering can be, it is essential not to trust a single employee with full system access. Anyone can be spear-phished, and everyone makes mistakes.

VIPs are not always VAPs

While CEOs, VPs, and other employees holding influence or administrative credentials may all be tempting phishing targets, they are not always “VAPs” (Very Attacked People). Staff members who do not hold managerial positions receive substantially more malware and credential phishing attempts than their seniors. Hence, it is dangerous to assume that the company’s VIPs are the only targets prized by cyber criminals. Cybersecurity should be the responsibility of everyone in the organization, and employees of all levels should be educated on how to spot, avoid and report cyber and phishing threats.

The Web Is Ripe With Information For Phishing

People seldom think about what information they put out about themselves online. Like a magnifying glass into someone’s personal life, social media can reveal a person’s hobbies and interests, or even their traveling habits and trips abroad with exact dates and locations. This information can help a phisher write compelling scam emails to their victims or even make it easier to impersonate someone they know.

Engaging in social media is anyone’s freedom of choice and, most times, completely unrelated to a person’s workplace responsibilities. Hence organizations and companies can’t account for their employees’ online actions outside of their work environment.What makes the situation worse is that social engineers may not necessarily need direct access to someone’s social media profile for said information. There exist databases with billions of personal data records from websites like Facebook, Twitter, LinkedIn, and Github. These profiles have been leaked and compiled over the years, so the number of possible attack vectors is too great to consider.

The only thing organizations can do is adopt a holistic approach to their security infrastructure and treat every single company’s employee as a potential point of breach.

An Individual / Collective Approach To Cyber Security

The age of social engineering is calling for a change in how we approach cybersecurity. Protection that technology offers is not enough - phishing, spear phishing, and BECs prey on people’s emotions and susceptibility to authority. Every employee, be it a senior, mid or junior, comprises an organization as a whole, and threat actors can target any one of them.

The best strategy to tackle the social engineering craze is to identify and prevent every possible point of a breach in a company’s security system. This means considering every employee as a potential cyber attack target and taking preventive measures like MFA (multi-factor authentication), training, incentivizing, and education. Only this way will we be able to protect organizations from being compromised by the human factor.

Vytautas Kaziukonis is the founder and the CEO of Surfshark, a privacy protection toolset developed to provide its users with an ability to enhance their online security seamlessly.The core premise of Surfshark is to humanize online privacy protection and develop tools that protect users’ privacy beyond the realm of a virtual private network (VPN).

Image: Unsplash

You Might Also Read:                                                                                 

Top Cybersecurity Threats & Solutions To Empower Every Business:                  

 

« Cyber Security Insights For Executives
Friends Reunite As Facebook & Australia Make Up »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Virtual Security

Virtual Security

Virtual Security provides solutions in the field of managed security services, network security, secure remote work, responsible internet, application security, encryption, BYOD and compliance.

AML Solutions

AML Solutions

AML Solutions offer a full range of Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) services.

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

T-ISAC Japan coordinates information sharing and activities related to ISP/telecommunications network security in Japan.

Silicom Denmark

Silicom Denmark

Silicom Denmark is a premier developer and supplier of FPGA-based interface cards for cyber-security, telecommss, financial trading and other sectors.

Komodo Consulting (KomodoSec)

Komodo Consulting (KomodoSec)

Komodo Consulting specializes in Penetration Testing and Red-Team Excercises, Cyber Threat Intelligence, Incident Response and Application Security.

Cyber Police of Ukraine

Cyber Police of Ukraine

Cyber Police of Ukraine is a law enforcement agency within the the Ministry of Internal Affairs of Ukraine dedicated to combating cyber crime.

GB Group (GBG)

GB Group (GBG)

GBG is a global technology specialist in fraud, location and identity data intelligence.

Quantum Armor

Quantum Armor

Quantum Armor is a next-gen cyber security monitoring platform that allows you to continuously stay aware of your security posture, and proactively spot trends, vulnerabilities and potential attacks.

Bittnet Training

Bittnet Training

Bittnet Training is the leader in the IT Training market in Romania. We develop the IT skills of IT professionals as well as those who wish to start a career in IT.

Secrutiny

Secrutiny

Scrutiny's core services include Cyber Maturity, Cyber Risk Analyser, Cyber Controls, Incident Response, SOC, Cyber Recovery and Assurance Testing.

Corona IT Solutions

Corona IT Solutions

At Corona IT Solutions, our team of specialists in networking, wireless and VoIP are dedicated to providing proactive monitoring and management of your IT systems.

VT Group (VTG)

VT Group (VTG)

VTG delivers force modernization and digital transformation solutions that expand America’s competitive advantage in the modern battlespace.

Edera

Edera

Edera is changing the way containers are run and secured, making isolation a reality and fundamentally transforming computing in the process.

Hunt & Hackett

Hunt & Hackett

Hunt & Hackett helps European companies prevent, detect and respond to today’s most advanced adversaries, safeguarding them against cyberthreats and espionage.

Black Alps

Black Alps

Black Alp's mission is to promote cybersecurity through the organization of dedicated events.

SafeShark

SafeShark

SafeShark are Product Security and Telecommunications Infrastructure (PTSI) Act and Radio Equipment Directive (RED) compliance specialists.