Employee Privacy And Cybersecurity: Spot The Difference

Published on December 21st, 2022


Rob Shavell is cofounder and CEO of DeleteMe and a vocal proponent of privacy legislation reform.

What’s going to keep cybercriminals from penetrating your organization’s network in the next 12 months or even the next five years? Is it buying more technological solutions? Or maybe it’s achieving compliance with a framework like NIST? If this sounds close to your thinking right now, it might be time to zoom out.

It’s true that there’s a real rush to deploy solutions like endpoint detection and response (EDR) tools and multifactor authentication (MFA). Results of a survey by Cynet found that although just 52% of CISOs relied on EDR technology last year, this number is now 85%.

Make no mistake: These kinds of tech play an essential role in a typical company’s security posture. However, technological solutions and audit frameworks aren’t going to keep anyone safe in the long term. Threats will continue to evolve much faster than regulations or defensive technology can. Meanwhile, one attack vector will remain critically exposed, impossible to patch and constantly connected—your employees.

Human-Powered Cyber Risk Is Growing

In 2014, IBM researchers discovered that more than 95% of all security incidents involved human error. Verizon’s 2022 Data Breach Investigations Report tells us that little changed in the seven years that followed. In 2021, 82% of breaches had a human element to them.

The most common way companies are fighting back is through employee security training. In 2014, the security awareness training market was estimated to be worth around $1 billion. By 2027, it’s predicted to reach $10 billion.

Although more security education is never a bad thing, no organization should rely on it. Telling and showing employees the how and why behind initiatives like anti-phishing training exercises and best practices for password creation sounds like an impactful cybersecurity move. But in the real world, training people who aren’t security pros to be cyber-aware doesn’t work as it should. Training is passive. Attacks and attackers are anything but.

Research findings tell us that even after they receive training, employees still use easy-to-remember passwords. They also still fall for phishing scams.

Unlike employees who receive training once or twice a year, cybercriminals train all the time. Not only are they learning how to use a new generation of evasive malware (including almost undetectable “fileless” threats like Mimikatz and Cobalt Strike), but they’re also spending more time figuring out how to get the people inside target organizations to give them network access in the first place.

Spear Phishing Is Getting ‘Pointier’

Look at your email spam folder today, and you’ll notice a lot of typical phishing emails with generic lures, glaring spelling mistakes and suspicious sending addresses. These “spray and pray” attacks are aimed at millions of email addresses and are easy to spot. Much harder to see are the personalized phishing campaigns designed to trap you and only you.
These emails (or texts/calls) are more deceptive. They frequently reference the receiver by name and include personal details few people are likely to know. Powered by weaponized personally identifiable information (PII), these campaigns sneak through spam filters and get clicked on.

It’s not difficult for threat actors to find the PII they need to make these phishing campaigns possible. Social media is a great resource. Data broker databases, which can contain a person’s entire life story, such as where they live and the names of their family members, are an even better one.

If you’ve ever wondered how hackers figure out who to target at a company, or how they know whether an employee is working from home (and should be contacted on their personal cell) or in the office (and should be contacted via the organization’s phone number), data brokers are the answer. We know that cybercrime groups like the notorious ransomware gang Conti use data broker services to find spear phishing targets and to figure out which contacts to “name drop” within phishing scams.

But hackers are getting even more creative. Rather than targeting just the employees, they now also go after their families. In the recent attacks on Twilio and Cloudflare, cybercriminals got their hands on the phone numbers belonging to employees and their family members. The cybercriminals then sent them phishing texts.

Passwords Are Getting Weaker

It’s not just hyper-personalized phishing campaigns companies need to be wary of. Hackers also use employee PII to break into accounts. In fact, credentials are one of the main paths cybercriminals take to gain network access.

This isn’t surprising, considering that most passwords are comically easy to guess. Many people use PII like their birth date, child’s or spouse’s name, favorite color or sports team as their passwords/answers to security questions. Because this information is freely available through data brokers, bad actors can perform sophisticated dictionary attacks, writing scripts to brute force passwords with PII available online.

What You Can Do About PII-Fueled Cyberattacks

PII-based cyberattacks happen all the time. The ones we hear about are only the tip of a massive iceberg of risk. Most never become public knowledge. After all, no company wants to let its clients, customers or shareholders know that they were breached through such an obvious attack vector.

As a result, grasping the true scale of risk that employees’ PII creates can be very difficult. We do know, however, that PII-fueled attacks aren’t going away any time soon. We also know that the only way to reduce this growing risk is to limit how much employee PII is available on the surface web.

To protect this least-secured risk vector, companies need to get proactive about PII monitoring and removal. Policies that prevent employees from using work email for personal business and from mixing personal and work-related devices are small steps companies can take to reduce employee PII on the web. Making it hard for threat actors to reach employees in the first place is one of the best ways to ensure that attacks built on these techniques fail.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
