For any organization, continuously strengthening its cybersecurity posture is mandatory, especially after the surge in attacks that accompanied the pandemic and its aftermath. However, most cybersecurity strategies focus on automated protection and mitigation and only rarely look at things from the human angle.
That's a glaring oversight.
As a matter of fact, the majority of cyberattacks succeed because an employee made some kind of mistake. Even today, the principal attack vectors are the oldest ones around: phishing emails, stolen passwords, and insecure Bring Your Own Device (BYOD) policies. In 2021, phishing was the most common initial infection vector, according to an IBM report. (Also read: How to Keep from Getting Phished.)
With this in mind, teaching your employees how to protect themselves, and your systems, matters as much as establishing a solid backup strategy to save your data.
Let’s have a look at the newest tools cybercriminals are using to trick your employees into compromising your data, and tactics you can implement to keep your data safe:
Techniques Putting You At Risk
1. Social Engineering
Social engineering is a deceptively effective way to steal credentials and gain access to even a well-defended network. Rather than attacking software, it preys on people, manipulating them into handing over information or extorting it from them, and it is mind-bogglingly effective: social engineering caused over $250 million in damage in 2020 alone.
Victims of social engineering can be baited, lured or coerced into providing their legitimate access credentials in many ways — from posing as a tech department employee asking for info to impersonating a government agent who formally requests access. Deepfakes employing AI technology to create fraudulent images, videos or recordings of real people have made it even harder for humans to detect social engineering attempts.
Some of today's most sophisticated social engineering operations are even backed by governments. Hostile states have raised the social engineering ante, using every weapon in their arsenals to achieve their objectives, especially against rival government agencies.
Thus, modern cybersecurity awareness training must take social engineering fully into account. It doesn't matter how many guards or meters of electrified fence protect your perimeter: an attacker needs only one person with legitimate authorization to open the vault where all your data is stashed. (Also read: Business Email Compromise (BEC) Attacks Explained: Are You at Risk?)
2. Phishing-As-A-Service Solutions
Given how advanced natural language processing software has become, spotting a fake email is no longer as simple and immediate as it once was. And while email may look like a trivial threat, it is the entry point for roughly 90% of cyberattacks, and cybercrime as a whole was estimated to cost nearly $6 trillion in 2021 alone.
In fact, phishing is such an effective and popular strategy among cybercriminals that some of the most entrepreneurial actors now sell ready-made phishing kits as Phishing-as-a-Service (PaaS, often written PhaaS to avoid confusion with Platform-as-a-Service). With prices ranging from $20 to $200, less skilled fraudsters can buy the tooling from more knowledgeable crews, or pay them to run the campaign, instead of building it themselves.
These kits bundle email and website templates, lists of potential victims, and simple ways to mimic popular services such as Microsoft Office 365, OneDrive or Adobe Document Cloud. Some, such as LogoKit, even pull the target company's logo into the fake login page or scam email automatically, so the page looks like the victim's own sign-in portal.
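As an added example (not code from the original article or from any phishing kit), here is a small Python triage script for the kit-style links this section describes. It assumes a constructed brand allowlist, made-up scoring weights and a constructed sample e-mail; it also assumes, as LogoKit-style pages need in order to fetch the right logo, that the target's e-mail address rides along in the link's query string or fragment. It flags hosts that borrow a brand name without being the brand's domain, punycode labels, plain-HTTP links, credential-sounding paths on unknown hosts, and embedded e-mail addresses.

```python
"""Triage the URLs in a suspected phishing e-mail for kit-style indicators.

Added example, not code from the original article or from any phishing-kit
vendor. Assumptions (not from the page): the brand allowlist, the scoring
weights, the constructed sample e-mail, and the premise that LogoKit-style
pages carry the target's e-mail address in the link to look up the logo.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allowlist: brands a kit might imitate and their genuine
# registrable domains. Extend from your own asset inventory in practice.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "live.com", "onedrive.com"},
    "adobe": {"adobe.com"},
}
# Indicator weights (assumption); 3 or more is treated as suspicious.
WEIGHTS = {
    "no_tls": 1,
    "punycode_label": 2,
    "lookalike_host": 3,
    "target_email_in_url": 2,
    "credential_prompt_on_unknown_host": 1,
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message: one kit-style link next to the genuine portal.
SAMPLE_EMAIL = """\
From: "Microsoft 365" <no-reply@secure-docs.example>
Subject: A document was shared with you

Alice, a new file is waiting for you in OneDrive. Review it here:
https://login.microsoft.com.secure-docs.example/?u=alice%40corp.example#alice@corp.example
Or open the real portal: https://onedrive.com/login
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Assumption: no multi-part public suffixes
    such as co.uk; use a public-suffix library for real traffic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_emails(url: str) -> list:
    """E-mail addresses carried in the query string or fragment, deduplicated."""
    parsed = urlparse(url)
    texts = [unquote(parsed.fragment)]
    for values in parse_qs(parsed.query).values():
        texts.extend(values)
    found = set()
    for text in texts:
        found.update(EMAIL_RE.findall(text))
    return sorted(found)


def triage_url(url: str) -> dict:
    """Score one URL and return the indicators that fired."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    indicators = []
    if parsed.scheme != "https":
        indicators.append("no_tls")
    if any(label.startswith("xn--") for label in host.split(".")):
        indicators.append("punycode_label")
    # Brand name somewhere in the host, but the registrable domain is not the brand's.
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in host and domain not in genuine:
            indicators.append(f"lookalike_host:{brand}")
    emails = embedded_emails(url)
    if emails:
        indicators.append("target_email_in_url")
    on_known_brand = any(domain in genuine for genuine in BRAND_DOMAINS.values())
    path = parsed.path.lower()
    if not on_known_brand and any(w in path for w in ("login", "signin", "verify", "password")):
        indicators.append("credential_prompt_on_unknown_host")
    score = sum(WEIGHTS[i.split(":")[0]] for i in indicators)
    return {
        "url": url,
        "host": host,
        "indicators": indicators,
        "emails": emails,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "ok",
    }


def triage_message(text: str) -> list:
    """Extract every URL from a message body and triage each one."""
    return [triage_url(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for result in triage_message(SAMPLE_EMAIL):
        print(result["verdict"], result["score"], result["url"], result["indicators"])
```

On the constructed message the kit-style link scores 5 (brand name in a host that is not the brand's domain, plus the target address in the link) while the genuine OneDrive link scores 0. The registrable-domain helper is deliberately crude; for real mail flow swap in a public-suffix list and feed the allowlist from your own inventory of legitimate login hosts.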
3. Convincing Forgeries
It's no secret that cybercrime spiked in the COVID-19 era. The trend continued as vaccines became widely available and cybercriminals began selling fake COVID-19 vaccination certificates online.
These forgeries appear "identical to those being issued by many [government-run] vaccination clinics," according to a CBC News article from 2021.
What's worse, buying one of these fake certificates means handing personal and payment details to criminals, and the sites distributing them are a convenient vehicle for malware and follow-on phishing, leaving the unwary exposed on both fronts.
Tactics for Cybersecurity Awareness
1. Artificial Intelligence in Employee Training
Data indicates that some less tech-savvy departments (such as sales) can reach miss rates as high as 40%, so you must administer proper training to help your employees spot deepfakes, voice cloning, and other elaborate attack schemes. This is all the more true when employees use their own devices, since email headers are harder to inspect in mobile mail apps and SMS offers almost no context at all.
In short, your organization's resilience is only as strong as its weakest link.
Many organizations have already started implementing training courses to increase employee cybersecurity awareness, but if these courses can’t keep up with the complexity of actual threats, there’s not much they can do. Even worse, if these education programs are boring or time-consuming, employees will start ignoring them — and that's a breach waiting to happen. (Also read: Cybersecurity and You: Why Learning Now Will Pay Off Later.)
The gamified micro-learning approach Hoxhunt uses, for example, can go a long way towards capturing employees’ attention — making sure they truly check those emails and feel rewarded when they spot the bad ones. More importantly, this service's wise use of artificial intelligence (AI) features allows a much smarter rotation of potential threats to avoid making them predictable or obvious.
AI is able to learn which employees show the wrong behaviors and act accordingly to focus on those who need more training. It can also constantly integrate data from new threats to ensure the scenarios proposed are always fresh and up-to-date. That's why AI will be indispensable for the future of employee cybersecurity awareness training.
2. SIEM and UEBA
No matter how much you train your employees, things can still go awry. So, you should always have a secondary layer of security in place.
When someone still falls for an ingenious scam, the latest security information and event management (SIEM) systems can still save the day by employing user and entity behavior analytics (UEBA). UEBA uses machine learning to model what normal user activity looks like and to spot deviations from it. If a given user, for example, suddenly starts executing a process they have never run before, from a host they have never used, UEBA can flag that behavior as potentially threatening and raise an alert within moments of the compromise.
UEBA collects information from multiple data sources and combines them to establish the normal, healthy state of a network and of the people working on it. It then continuously monitors both human behavior and machine status. If a server starts receiving far more requests than its baseline, the platform raises an alert that a potential distributed denial-of-service (DDoS) attack is under way.
Advanced UEBA platforms may even act on their own and trigger security measures that mitigate the damage or stop the attacker in their tracks. For example, a server can be isolated to keep the damage from spreading, while the user account that initiated the anomalous behavior has its session severed. Automated response cuts both ways, though: a noisy baseline or a false positive can lock out a legitimate user or take a production system offline, so tune thresholds on real data and gate the most disruptive actions behind human confirmation before enabling them.
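The baseline-and-deviation logic described above, as an added example in Python (not code from the article or from any SIEM/UEBA product). The event format, the constructed log lines, the indicator weights, the alert threshold and the rate factor are all assumptions. It learns per-user hosts, processes and active hours plus each server's peak requests per minute from a training window, then scores a detection window against them, covering both the never-before-seen-process case and the request-flood case from the paragraphs above.

```python
"""Toy UEBA: learn per-user and per-server baselines from a training window
of log events, then score new events for deviations from them.
Added example, not code from the article or from any SIEM/UEBA product.
Assumptions (not from the page): the JSON event format, the constructed log
lines, the indicator weights, the alert threshold and the rate factor.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training window: ordinary office-hours activity for two users
# and a quiet web server that sees at most two requests a minute.
BASELINE_LOG = [
    '{"ts": "2024-03-04T09:02:11", "user": "alice", "host": "WS-ALICE", "event": "login"}',
    '{"ts": "2024-03-04T09:05:40", "user": "alice", "host": "WS-ALICE", "event": "process", "process": "outlook.exe"}',
    '{"ts": "2024-03-04T10:15:02", "user": "alice", "host": "WS-ALICE", "event": "process", "process": "excel.exe"}',
    '{"ts": "2024-03-04T08:55:09", "user": "bob", "host": "WS-BOB", "event": "login"}',
    '{"ts": "2024-03-04T11:20:33", "user": "bob", "host": "WS-BOB", "event": "process", "process": "chrome.exe"}',
    '{"ts": "2024-03-04T14:00:05", "host": "WEB-01", "event": "request", "src": "198.51.100.7"}',
    '{"ts": "2024-03-04T14:00:30", "host": "WEB-01", "event": "request", "src": "198.51.100.8"}',
    '{"ts": "2024-03-04T14:01:10", "host": "WEB-01", "event": "request", "src": "198.51.100.7"}',
]
# Constructed detection window: alice "logs in" at 3 a.m. from an unknown
# workstation and runs a tool she never uses; bob behaves normally; WEB-01
# takes 40 requests from one source inside a single minute.
NEW_EVENTS = [
    '{"ts": "2024-03-06T03:12:44", "user": "alice", "host": "WS-UNKNOWN-77", "event": "login"}',
    '{"ts": "2024-03-06T03:14:02", "user": "alice", "host": "WS-UNKNOWN-77", "event": "process", "process": "powershell.exe"}',
    '{"ts": "2024-03-06T11:30:15", "user": "bob", "host": "WS-BOB", "event": "process", "process": "chrome.exe"}',
] + [
    json.dumps({"ts": f"2024-03-06T14:00:{i:02d}", "host": "WEB-01", "event": "request", "src": "203.0.113.5"})
    for i in range(40)
]
WEIGHTS = {"unknown_user": 3, "new_host": 2, "off_hours": 1, "new_process": 3}  # assumption


def parse(lines):
    """Decode JSON lines; timestamps become datetimes."""
    events = [json.loads(line) for line in lines]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return events


def learn(lines):
    """Per-user sets (hosts, processes, active hours) plus each server's
    peak requests per minute."""
    users = defaultdict(lambda: {"hosts": set(), "processes": set(), "hours": set()})
    rate_max = Counter()
    per_minute = Counter()
    for event in parse(lines):
        if event["event"] == "request":
            per_minute[(event["host"], event["ts"].strftime("%Y-%m-%dT%H:%M"))] += 1
            continue
        profile = users[event["user"]]
        profile["hosts"].add(event["host"])
        profile["hours"].add(event["ts"].hour)
        if event["event"] == "process":
            profile["processes"].add(event["process"])
    for (host, _), count in per_minute.items():
        rate_max[host] = max(rate_max[host], count)
    return {"users": dict(users), "rate_max": dict(rate_max)}


def score_user_event(baseline, event):
    """Return (score, reasons) for one user event against its baseline."""
    profile = baseline["users"].get(event["user"])
    if profile is None:
        return WEIGHTS["unknown_user"], ["unknown_user"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("new_host")
    if event["ts"].hour not in profile["hours"]:  # crude: a set of hours, not a distribution
        reasons.append("off_hours")
    if event["event"] == "process" and event["process"] not in profile["processes"]:
        reasons.append("new_process")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(baseline, lines, threshold=3, rate_factor=5):
    """Alert on user events at or above the threshold and on any server
    minute exceeding rate_factor times its learned peak."""
    alerts = []
    per_minute = Counter()
    for event in parse(lines):
        if event["event"] == "request":
            per_minute[(event["host"], event["ts"].strftime("%Y-%m-%dT%H:%M"))] += 1
            continue
        score, reasons = score_user_event(baseline, event)
        if score >= threshold:
            alerts.append({"user": event["user"], "host": event["host"], "ts": event["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    for (host, minute), count in sorted(per_minute.items()):
        limit = baseline["rate_max"].get(host, 0) * rate_factor  # unknown server: any traffic alerts
        if count > limit:
            alerts.append({"entity": host, "minute": minute, "count": count, "limit": limit,
                           "reasons": ["request_rate"]})
    return alerts
```

Calling `detect(learn(BASELINE_LOG), NEW_EVENTS)` yields three alerts: alice's off-hours login from an unknown host (score 3), her PowerShell launch on top of that (score 6), and the WEB-01 minute with 40 requests against a learned limit of 10; bob's normal Chrome session scores 0. Real products replace the hour set with a learned distribution and the fixed weights with per-user risk scores, but the shape of the check is the same.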
The industry is also packaging these practices into services. Cisco Umbrella, for example, is a cloud-delivered SASE solution that consolidates several security functions into a single tool. Combined with resources already in the works, the result is a more resilient cybersecurity architecture and a more streamlined experience for network users.
No cybersecurity perimeter will ever be 100% safe, regardless of the technologies employed. Dangerous online bandits will keep lurking in the darkest corners of the internet, innovating new ways to lure those who lack the awareness to identify their fraudulent approaches immediately.
No matter how far technology goes, we remain human, prone to mistakes and failure. So it is vital to remain vigilant and fight back against cyberattacks with equally sophisticated approaches. (Also read: Uncovering Security Breaches.)