To Err Is Human: Solving Today’s Real Cyber Security Challenge

BrandPost By Pete Bartolik
Jan 16, 2018

An employee receives an email consisting of a brief, compelling call to action — something like “Was this what you were talking about?” Recognizing a coworker’s name in the “from” line, the employee clicks on a link without a second thought … and heads straight to a phishing site designed by hackers to gather sensitive information.

Because of this scenario and similar cyber attacks, many of today’s most difficult security challenges fall under the rubric of “human nature.” Andy Daudelin, vice-president for Cloud and Cloud Networking at AT&T, says that’s why “It’s essential that companies make things virtually effortless for their employees.”

While technology can help in the form of easily deployed, user-friendly security solutions, employees also need education on security policies and the need for compliance — especially since they increasingly are under cyber attack.

Social Engineering in the Social Media Age

Today, every employee with a company-issued email address is only a click away from a potentially catastrophic security breach. Everyone from office staff in corporate HQ to road warriors checking email in coffee shops halfway around the globe is vulnerable to social engineering. Every employee is on the firing line.

That’s because spear phishing and other attacks allow cyber criminals to gain sensitive personal information, such as user IDs and passwords, and even physical addresses and social security numbers, through channels victims trust. Spear phishing attacks use employee data previously gathered via social media or preceding breaches to sharpen the tip of the spear, and can be highly effective. In a recent study, cybersecurity solutions provider PhishMe found that spear phishing is the root cause of 91% of all major security breaches.

Once a victim is induced to click a link in an apparently friendly email, link shorteners or embedded links redirect victims to web pages visually indistinguishable from their legitimate counterparts, with the only evidence of fraud buried in a nondescript URL at the top of the browser window. From there, unsuspecting users may be induced to release information.

The most effective phishing schemes create a sense of urgency, pushing victims to click first and think later. Ironically, some phishing schemes piggyback on recently publicized security breaches, urging users to download updates or type in passwords to secure a system or account. The employee’s well-intentioned response backfires as he or she executes malware inside the company firewall, or reveals personal and company information.

Searchable public social-media profiles can provide hackers with most of the raw information needed to initiate socially engineered attacks without ever setting foot inside a company’s offices. Public-facing org charts with enumerated roles and responsibilities, social-media accounts including family member and coworker names, and other personal information are public and searchable, helping cybercriminals impersonate trusted individuals, and create those security-breaching clicks.

New Complexity, New Vulnerabilities

The adoption of bring-your-own-device policies and cloud services presents additional security challenges. According to Skycure’s 2016 Mobile Threat Intelligence Report, as much as one-third of mobile devices present a medium-to-high risk of exposing sensitive corporate data. More than one in five uploaded documents may contain sensitive information. While protected in transit, only 9.4% of this data is encrypted when at rest on cloud servers, creating new opportunities for hackers to steal data using stolen credentials.

Keeping on top of the many file-sharing services and mobile applications in play also presents constant challenges for IT managers, as they work to balance security with the ever-increasing flexibility demanded by modern work environments.

The increasing strain placed on IT security professionals and managers, along with the multi-front warfare waged by cyber attackers on everyone in organizations large and small, means every employee must become every organization’s first line of defense.

Meeting the Challenge: Cyber Security as a Shared Responsibility

Managing the complexity of the typical enterprise’s more than 30 different security products often requires the participation of frontline employees, who now are called on to be vigilant as they never have before.

Yet in the face of rapidly evolving cyber threats, a recent survey of 287 U.S. IT professionals by IDG publications Computerworld, CIO, and CSO found that 56% of companies reported not having updated their information security models in the last three years. Many IT managers admit to feeling outmanned and outgunned by the growing hacker armies.

As the lone-wolf hacker is supplanted by well-funded teams supported by governments or other organizations, the need for engagement by every connected employee within the enterprise becomes critical. Employee security education often becomes the logical choice to defend and prepare complex networks for effective responses to these new security threats.

“As the bad actors continue to become more creative and advanced in their attack methods, we will be doing the same with our identification and defenses to help mitigate whatever they’re doing,” says Alex Cherones, director of Threat Security Solutions at AT&T. “It’s a game of cat and mouse.” That means even employees not traditionally associated with IT security must do their part.

Clearly, the rapidly evolving security challenge is too big to be addressed by any single team or single stakeholder within the enterprise. With that in mind, involving everyone in an enterprise who may be affected by a cyber attack, and developing and practicing incident-response procedures to cope with the inevitable breaches to come, have become keys to information security best practices.

Proper incident response requires all hands on deck in the form of cross-functional teams, including input from the C-suite, IT, security, legal, and others across the organization, as well as partners and vendors. This incident response must be drilled and tested to determine its effectiveness and improve the organization’s ability to mitigate risk.

“Hackers and vandals are now so sophisticated, it’s nearly impossible for individuals to spot and stop threats,” says John Donovan, chief strategy officer and group president for Technology and Operations at AT&T. “The network itself must become a security tool.”

In short, to err is human, but to protect and prepare is divine.