Even as bigger attack surfaces and less-secure perimeters become the familiar norm, threat awareness and deterrence still require constant vigilance.
Wednesday, November 22, 2023
By Dimitri Shelest
The increase in remote and hybrid work since the COVID-19 pandemic has revolutionized the way that companies operate. It has also introduced a new array of cybersecurity threats. There are more weak points for bad actors to target than ever before.
They also have more ammunition. The internet is awash in personal data that they can use to make their scams more credible to isolated employees working outside the perimeters of corporate security. Companies must adapt to this changing threat matrix by securing the expanded perimeters, educating and empowering employees, and taking ammunition in the form of data out of the hands of criminals.
The main focus should be on people. They are the weakest link in any cybersecurity effort. They make mistakes, don’t always comply with security procedures, and can fall prey to carefully calculated scams.
According to a 2021 survey of 500 IT leaders and 3,000 employees, 84% of data breaches with a business impact resulted from an employee’s mistake. Almost three out of four organizations said breaches were caused by employees breaking security rules.
As attackers are targeting people, almost all cyberattacks contain an element of social engineering – the theft and use of data to manipulate and trick people.
OneRep’s Dimitri Shelest: “Use all the tools.”
Inside the office, companies can mitigate risks with perimeter and network security in the form of firewalls, enterprise-grade routers and modems, and threat-detection software. They can control what systems people use to work and communicate, and tightly control access to those systems. They can provide in-person training, conduct tests and monitor compliance.
Even so, the same study shows that 73% of organizations have suffered serious breaches from phishing attacks.
Data is the fuel for these attacks, and the personal information available online nearly doubles every year. All this data is collected legally by companies, and often sold to data brokers who in turn sell it to people-search sites. There are many legitimate uses for this data, but bad actors are also using it to make their attacks more personalized and effective.
Email Compromise and Harassment
The majority of workplace phishing attacks are business email compromise (BEC) schemes impersonating executives or vendors in order to get money. Cybercriminals can also phish for confidential information and credentials for company systems to plant ransomware.
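The impersonation patterns behind BEC can be checked mechanically on inbound mail before a person has to judge it. The following is an added example, written for this article and not OneRep's code or a product the article describes: it flags a sender whose display name matches an executive but whose address is outside the company domain, a sender domain that is a near-lookalike of a trusted vendor or the company itself, and a Reply-To that redirects replies to a different domain. The company domain, executive names, vendor domains and sample headers are all constructed for illustration.

```python
"""Flag common business email compromise (BEC) indicators in message headers.

Added illustration, not part of the original article or of any vendor product.
Every domain, name and header below is constructed sample data.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed directory; a real deployment would pull this from the IdP/HR system.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "robert roe"}          # normalised display names
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-billing.com"}


@dataclass
class Finding:
    reason: str
    sender: str


def _normalise(name: str) -> str:
    """Lower-case a display name and collapse dots/extra spaces ("J. Doe" style)."""
    return " ".join(name.lower().replace(".", " ").split())


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain that `domain` closely resembles, or None.

    An exact match is not a lookalike; only near misses are reported.
    """
    if not domain or domain in trusted:
        return None
    for candidate in sorted(trusted):
        if _edit_distance(domain, candidate) <= max_distance:
            return candidate
    return None


def analyse_headers(from_header: str, reply_to_header: Optional[str] = None) -> List[Finding]:
    """Apply the three BEC checks to a From: header (and optional Reply-To:)."""
    findings: List[Finding] = []
    name, addr = parseaddr(from_header)
    domain = _domain_of(addr)

    # 1. Executive display name arriving from outside the company domain.
    if _normalise(name) in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append(Finding("executive display name from external domain", addr))

    # 2. Sender domain that is a near-lookalike of a vendor or the company.
    target = lookalike_of(domain, TRUSTED_VENDOR_DOMAINS | {COMPANY_DOMAIN})
    if target:
        findings.append(Finding(f"sender domain resembles trusted domain {target}", addr))

    # 3. Reply-To steering replies to a domain other than the visible sender's.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = _domain_of(reply_addr)
        if reply_domain and reply_domain != domain:
            findings.append(Finding("Reply-To domain differs from From domain", reply_addr))
    return findings


# Constructed sample headers: one benign, three showing a BEC indicator each.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example-corp.com>", None),
    ("Jane Doe <jane.doe.ceo@gmail.com>", None),
    ("Accounts Payable <billing@acme-suppiles.com>", None),
    ("Robert Roe <robert.roe@example-corp.com>", "robert.roe@outlook-mail.example"),
]

if __name__ == "__main__":
    for from_hdr, reply_hdr in SAMPLE_MESSAGES:
        hits = analyse_headers(from_hdr, reply_hdr)
        verdict = "; ".join(f.reason for f in hits) or "no BEC indicators"
        print(f"{from_hdr!r}: {verdict}")
```

These checks are deliberately cheap so they can run at the mail gateway; a hit should route the message to a warning banner or a quarantine queue rather than block outright, since legitimate mail from executives' personal accounts and from vendors who change domains does occur.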
They may also seek to harass employees with spam and robocalls, interrupting their productivity and potentially causing them to miss an important call from a customer or prospect. In some cases, they may even threaten employees and their families.
New collaboration and productivity tools geared towards remote work have created new vulnerabilities. These applications often ship with minimal security settings, which are sometimes reset when the vendor pushes a software update. Remote desktop tools used to reach work computers from outside the office also make it easier for cybercriminals to access a company’s network.
Employees engaging in personal communications on work devices and performing work tasks on personal devices can expose the company to existing malware or viruses that they may not even realize are already on their personal devices.
Isolation also plays a critical role in aiding fraudsters. Employees don’t have co-workers in their immediate vicinity to confer with if they think a communication looks suspicious. They may have a harder time immediately getting in touch with security or IT personnel. They also may not be as aware of changes to security rules or as engaged with security training – if they’re getting trained at all.
Companies can protect their employees and themselves by utilizing a combination of security measures. Identity and access management solutions like multi-factor authentication (MFA) and single sign-on (SSO) add an additional layer of protection for company systems and resources. IT can also make sure the latest updates and patches are applied to the software applications that remote workers use on a regular basis. Setting them up with a virtual private network (VPN) also bolsters security.
All employees should receive regular training on recognizing threats and security-hygiene best practices. It’s also important to ensure employees know how to report threats or mistakes and feel comfortable doing so. Delays in reporting an attack or breach can allow contagion to spread quickly.
Controlling People Search
Companies can help employees remove the fuel for phishing attacks by enrolling them in a data privacy service that removes personal data from people-search sites. My company, OneRep, which provides such a service, finds that the average individual has data profiles on 46 of these sites. In the era of big data, these profiles have become quite robust, with much more data than just name, address and phone number.
While people-search sites are legally required to remove data records upon request, it can be a Sisyphean, time-consuming task to request removal from so many sites. And our internal data shows that much of this information ends up right back on these sites within just a few months.
One click on a bad link can cause a huge amount of damage to an organization. The core tenets of cybersecurity are to protect people, environment and technology. The changing nature of where and how we work has created a much larger attack surface across all three.
Companies must use all the tools at their disposal to secure their data, networks, systems and devices wherever employees use them. They must keep employees informed and engaged with the security effort and empower them to act. And they must deprive would-be attackers of one of their key weapons – personal data – by helping employees keep their data private.