Employees are every organization’s best defense against cyberthreats. They are also every firm’s greatest source of risk.

However, not every worker poses equal risk. About 8% of employees cause 80% of the incidents, according to a Cyentia Institute report that uses data from Elevate Security, a Mimecast company.

“There is a subset of employees who are generally more cybersecurity aware and there are certain individuals who just don’t have the same kind of security common sense,” says Masha Sedova, vice president of human risk strategy at Mimecast.

In addition, not every employee is attacked at the same frequency. Certain employees are targeted more frequently, either because of their role or their access to proprietary information, Sedova says.

Consider these stats that Sedova shared at a conference earlier this year:

  • Nearly twice as many managers are targeted by phishing as individual contributors.
  • Managers receive more than twice as many phishing emails as individual contributors.
  • Tenured employees get phished more frequently than new hires.

Knowing which employees are more likely to be targeted for a cyberattack and which are more likely to cause an incident can change how companies approach cybersecurity, Sedova says.

Human Error Is Often To Blame

Companies have been spending millions of dollars on technology without taking into account the human factor, which is the top reason breaches succeed, Sedova says.

The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element, such as a person falling victim to a social engineering attack or making an error. “If we do not understand the human element, all of our technology will not be used to the maximum capacity,” she says.

Employees need to be able to identify when they are being attacked. As an attack progresses, they need to know how to spot signs that an attack is underway and communicate with their organization’s security team, Sedova says.

Many employees are cautious about clicking on links. However, most workers are less aware of new phishing techniques that are harder to detect because artificial intelligence has made them more sophisticated. “It’s easier to make them personalized, more timely, more relevant and with better grammar,” Sedova says.

Here are four formidable cyberattacks that organizations should help their employees guard against.

1. Quishing

Instead of enticing employees to click on a link, attackers are using QR codes to redirect employees to malicious websites or prompt them to download harmful content.

“We see about 47,000 detections of this kind of attack a day,” Sedova says.

2. Spearphishing

Rather than targeting anyone with a bank account, a spearphishing attack is aimed at an individual with access to specific proprietary information, such as a set of engineering documents or financial wire transfer information.

AI has made this type of attack harder to detect because perpetrators can generate targeted spearphishing attacks for individuals using their LinkedIn profiles, Sedova says. Senior engineer leaders, employees in accounting and chief financial officers are often targets.

3. Pretexting

A pretexting attack persuades an employee to do something on the attacker’s behalf, such as send a wire transfer or grant access to a file, Sedova says. In a major cyberattack last year, perpetrators impersonated an employee during a help desk call to obtain valid credentials to access and infect systems. The hackers used information found on the employee’s LinkedIn profile to pull off the ruse.

Pretexting is on the rise across industries. Phishing and pretexting by email accounted for 73% of incidents in the social engineering sector, according to the Verizon report.

4. Deep Fakes

These attacks are more common in companies with call centers or a customer support function that uses voice and speech as an authentication method, Sedova says. Earlier this year, a finance worker at a multinational firm was tricked into releasing $25 million when attackers used deepfake technology to pose as the company’s chief financial officer in a videoconference call.

Tailor Training To Individual Risk Level

In addition to helping employees guard against an array of phishing techniques, security teams should focus on better protecting workers who are more susceptible to falling for an attack, as well as employees who are attacked more frequently, Sedova says. To assist security teams in educating and protecting workers, Mimecast recently introduced its Human Risk Management platform.

The platform aggregates data with security tools to determine which employees are making risky security decisions and who’s under attack more frequently, Sedova says. Much like how a creditor gives each customer a credit score, the platform gives each employee a security score, allowing security teams to provide training and security controls that are tailored to each employee’s risk level.

If the security team can reduce cyber incidents by engaging 8% of the most vulnerable employees, then the company will quickly see a return on investment, Sedova says.

“You can maximize your team’s focus, input and resources, and truly reduce the number of risks,” she says.
