Published on December 21st, 2022
Employee Privacy And Cybersecurity: Spot The Difference
Rob Shavell is cofounder and CEO of DeleteMe and a vocal proponent of privacy legislation reform.
What's going to keep cybercriminals from penetrating your organization's network in the next 12 months or even the next five years? Is it buying more technological solutions? Or maybe it's achieving compliance with a framework like NIST? If this sounds close to your thinking right now, it might be time to zoom out.
It's true that there's a real rush to deploy solutions like endpoint detection and response (EDR) tools and multifactor authentication (MFA). Results of a survey by Cynet found that although just 52% of CISOs relied on EDR technology last year, this number is now 85%.
Make no mistake: These kinds of tech play an essential role in a typical company's security posture. However, technological solutions and audit frameworks aren't going to keep anyone safe in the long term. Threats will continue to evolve much faster than regulations or defensive technology can. Meanwhile, one attack vector will remain critically exposed, impossible to patch and constantly connected: your employees.
Human-Powered Cyber Risk Is Growing
In 2014, IBM researchers discovered that more than 95% of all security incidents involved human error. Verizon's 2022 Data Breach Investigations Report tells us that little changed in the seven years that followed. In 2021, 82% of breaches had a human element to them.
The most common way companies are fighting back is through employee security training. In 2014, the security awareness training market was estimated to be worth around $1 billion. By 2027, it's predicted to reach $10 billion.
Although more security education is never a bad thing, no organization should rely on it. Telling and showing employees the how and why behind initiatives like anti-phishing training exercises and best practices for password creation sounds like an impactful cybersecurity move. But in the real world, training people who aren't security pros to be cyber-aware doesn't work as it should. Training is passive. Attacks and attackers are anything but.
Research findings tell us that even after they receive training, employees still use easy-to-remember passwords. They also still fall for phishing scams.
Unlike employees who receive training once or twice a year, cybercriminals train all the time. Not only are they learning how to use a new generation of evasive malware (including almost undetectable "fileless" threats like Mimikatz and Cobalt Strike), but they're also spending more time figuring out how to get the people inside target organizations to give them network access in the first place.
Spear Phishing Is Getting "Pointier"
Look at the spam folder in your emails today, and you'll notice a lot of typical phishing emails with generic lures, obvious spelling mistakes and suspicious sending addresses. These "spray and pray" attacks are aimed at millions of email addresses and are easy to spot. Much harder to see are the personalized phishing campaigns designed to trap you and only you.
These emails (or texts/calls) are more deceptive. They frequently reference the receiver by name and include personal details few people are likely to know. Powered by weaponized personally identifiable information (PII), these campaigns sneak through spam filters and get clicked on.
It's not difficult for threat actors to find the PII they need to make these phishing campaigns possible. Social media is a great resource. Data broker databases, which can contain a person's entire life story, such as where they live and the names of their family members, are an even better one.
If you ever wondered how hackers figure out who to target at a company or how they know whether an employee was working from home (and should be contacted on their personal cell) or office (and should be contacted via the organization's phone number), data brokers are the answer. We know that cybercrime groups like the notorious ransomware gang Conti use data broker services to find spear phishing targets and figure out what contacts to "name drop" within phishing scams.
But hackers are getting even more creative. Rather than targeting just the employees, they now also go after their families. In the recent attacks on Twilio and Cloudflare, cybercriminals got their hands on the phone numbers belonging to employees and their family members. The cybercriminals then sent them phishing texts.
Passwords Are Getting Weaker
It's not just hyper-personalized phishing campaigns companies need to be wary of. Hackers also use employee PII to break into accounts. In fact, credentials are one of the main paths cybercriminals take to gain network access.
This isn't surprising, considering that most passwords are comically easy to guess. Many people use PII like their birth date, child's or spouse's name, favorite color or sports team as their passwords/answers to security questions. Because this information is freely available through data brokers, bad actors can perform sophisticated dictionary attacks, writing scripts to brute force passwords with PII available online.
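One defensive counterpart to the PII-fuelled guessing described above is to screen a proposed password against the PII the organization already holds about that user (names of family members, birth dates, favorite team) before accepting it. The following is an added example, not code from the article or from DeleteMe; the profile fields, the substitution table and the sample profile are constructed assumptions.

```python
"""Reject passwords built from a user's own PII (constructed example)."""
import re
from datetime import date

# Character substitutions a guessing script would also try (assumed list).
LEET = str.maketrans("013457@$!", "oieastasi")


def canon(s: str) -> str:
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def pii_tokens(profile: dict) -> set:
    """Expand known PII into the substrings a PII-based wordlist would contain:
    names and favorites (forward and reversed), dates in common layouts."""
    tokens = set()
    for word in profile.get("names", []) + profile.get("favorites", []):
        w = canon(word)
        if len(w) >= 3:
            tokens.add(w)
            tokens.add(w[::-1])
    for d in profile.get("dates", []):
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d"):
            tokens.add(d.strftime(fmt))
    return tokens


def pii_in_password(password: str, profile: dict) -> list:
    """Return the PII tokens found in the password (empty list means clean).
    Both the literal and the de-leeted form are searched, so 'Emma2015!'
    and '3mm4_2015' are both flagged."""
    forms = {canon(password), canon(password.translate(LEET))}
    return sorted(t for t in pii_tokens(profile) if any(t in f for f in forms))


def password_ok(password: str, profile: dict, min_len: int = 12) -> bool:
    """Policy check: long enough and free of the user's known PII."""
    return len(password) >= min_len and not pii_in_password(password, profile)


# Constructed profile of the kind a data broker listing would reveal.
SAMPLE_PROFILE = {
    "names": ["Emma"],                # child's name
    "dates": [date(2015, 6, 3)],      # child's birthday
    "favorites": ["Lakers"],          # sports team
}
```

The same function can be fed the full set of tokens an identity-monitoring service reports for an employee, so the blocklist tracks what is actually exposed about them.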
What You Can Do About PII-Fueled Cyberattacks
PII-based cyberattacks happen all the time. The ones we hear about are only the tip of a massive iceberg of risk. Most never become public knowledge. After all, no company wants to let its clients, customers or shareholders know that they were breached through such an obvious attack vector.
As a result, grasping the true scale of risk that employees' PII creates can be very difficult. We do know, however, that PII-fueled attacks aren't going away any time soon. We also know that the only way to reduce this growing risk is to limit how much employee PII is available on the surface web.
To protect this least-secured risk vector, companies need to get proactive about PII monitoring and removal. Having policies in place that prevent employees from using work emails for personal business and not mixing and matching personal and work-related devices are small steps companies can take to reduce employee PII on the web. This is one of the best ways to ensure that threat actors using these kinds of cyberattack techniques fail, by making it hard for them to reach employees in the first place.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.