Some companies may assume that external threats are the most important problem that they need to protect against when it comes to cyber security. However, Mcaffee found that 43 percent of data breaches were caused by internal actors. Of those, 21 percent came from unintentional actions by employees.
Why Employees Become Cyber Criminal Targets
Employees may not have the knowledge of common types of attacks used by cyber criminals. They could look out for the obvious ones, like malicious software attachments, but completely miss more subtle ways that cyber criminals use to break into a network.
The tech-savviness of employees varies between departments and individuals, since this skill set may not be expected for people outside of the IT team. Advanced persistent threats, which are sophisticated cyber attacks, will target employees that are in key positions or who represent particularly vulnerable areas of the organization.
Cyber Criminal Methods
The methods used by cyber criminals vary based on their intended goals, whether they’re specifically targeting your company, their hacking experience, their funding levels, and whether they’re simply opportunistic.
Phishing: Phishing uses email and other direct communication channels to try to trick an employee into clicking on a malware attachment contained in the message or going to a fraudulent link. The link takes the employee to a page that might look like a legitimate workplace resource, but it actually is set up to steal account information or other sensitive data.
Email spoofing is sometimes used alongside phishing methods. It spoofs the sender’s address so it looks like it came from someone in the organization or one of the external partners of the company.
Social Engineering: Social engineering takes many forms, from pretending to be a new employee in-person to positioning themselves as a manager or another person in a leadership position via email or other forms of communication.
The cyber criminal may try to get account information or physical access to equipment. The employee may assume that the hacker has a legitimate reason to access that part of the building.
Compromised Personal Devices: Companies with Bring Your Own Device policies may encounter employees who have compromised smartphones, laptops and tablets connecting to the business network. Those systems may lack adequate protection against cybercriminals and that puts your organization at risk.
Stolen Work Equipment: Work-issued devices, such as mobile phones and laptops, could get stolen. Accounts saved on that equipment may be used as part of a phishing attack or data breach.
Shared Usernames and Passwords: Employees may use the same usernames and passwords that they do on personal accounts, which could get compromised due to data breaches. If that combination gets added to a list of hacked accounts, the attackers could try that username and password for work systems.
Written Down Account Information: Some employees have a hard time remembering their account information, so they put it on post-it notes around the workstation. A cyber criminal who has physical access to the workplace via social engineering, or who finds pictures of the workplace posted on social network profiles, could get that information.
Vendor Logins: External partners, such as vendors, often have access to internal systems. While they aren’t employees of your company, they may be able to get to the same types of systems.
How Can Companies Protect Themselves Against These Cyberattack Methods
Cyber criminals will continue to target employees as long as they are vulnerable to these attack methods. Here are a few ways you can protect yourself and stop hackers from compromising internal actors.
Cyber Security Awareness Training: Making employees aware of common attack methods is one of the best ways to fight against cyber criminals. They’re on the front line of the attacks, so they need to know what to look for.
This training should be clear and easy to understand for employees at all levels of technical aptitude. You don’t need to give them a comprehensive cyber security course. They just need to know the information that’s most relevant to their positions.
Cyber security awareness training is not a one and done approach. You need to continually update this information so it accurately reflects the cyber security threats that are typical for your industry.
Audit Security: Audit your security measures to see how effective they are at blocking attacks that target your employees. New solutions may offer greater protection against internal attack vectors.
Checking on Third-Party Security Measures: How strong is the security at your third-party partners? Check-in with vendors, distributors, suppliers, service providers and other external partners to ensure that they don’t put your organization at risk.
User Account Restrictions: The principle of least privilege heavily restricts user accounts so they only have access to what they need and nothing more. By auditing user accounts and ensure that they aren’t able to use unauthorized resources, you can reduce the chances that a stolen or compromised user account leads to a major data breach.
Protecting your employees from cyber criminals requires a comprehensive approach that starts with proper training. You can have the best cyber security solutions in place, but it doesn’t matter if your front-line employees don’t know all about social engineering, phishing and other attacks.
For more information on our Cyber Security Awareness training for your organization, please see our Network Monitoring and Security Services, or give us a call at (832) 910-9222.