Employees are any organization’s best defense against cyber threats. They are also the biggest source of risk for any business.
However, not all workers are at the same risk. About 8% of workers cause 80% of incidents, according to a Cyentia Institute report using data from Elevate Security, a Mimecast company.
“There’s a subset of employees who are generally more aware of cyber security, and there are some people who just don’t have the same kind of security common sense,” says Masha Sedova, vice president of human risk strategy at Mimecast.
Furthermore, not every worker is attacked with the same frequency. Some employees are targeted more often, either because of their role or because of their access to proprietary information, Sedova says.
Consider these statistics which Sedova shared at a conference earlier this year:
- Administrators are targeted by phishing almost twice as often as individual contributors.
- Administrators receive more than twice as many phishing emails as individual contributors.
- Long-tenured employees are phished more often than new hires.
Knowing which employees are most likely to be targeted by a cyberattack, and which are most likely to cause an incident, can change the way companies approach cybersecurity, Sedova says.
Human error is often to blame
Companies spend millions of dollars on technology without considering the human factor, which is the main reason breaches succeed, Sedova says.
The Verizon Data Breach Investigations Report 2024 found that 68% of breaches involved a non-malicious human element, such as a person falling victim to a social engineering attack or making a mistake. “If we don’t understand the human element, all of our technology won’t be used to its maximum capacity,” she says.
Employees must be able to recognize when they are under attack. As an attack develops, they need to know how to spot signs that an attack is in progress and communicate with their organization’s security team, Sedova says.
Many employees are cautious about clicking on links. However, most workers are less aware of newer phishing techniques that are harder to detect because artificial intelligence has made them more sophisticated. “It’s easier to make them personalized, more relevant and with better grammar,” says Sedova.
Here are four attack techniques that organizations should help their employees guard against.
1. Quishing
Instead of enticing employees to click on a link, attackers use QR codes to redirect employees to malicious websites or prompt them to download harmful content.
“We see about 47,000 detections of these types of attacks per day,” says Sedova.
2. Spear phishing
Instead of targeting anyone with a bank account, a spear phishing attack is directed at an individual with access to specific proprietary information, such as a set of engineering documents or financial transfer details.
Artificial intelligence has made this type of attack harder to detect because perpetrators can craft targeted spear phishing messages for people using their LinkedIn profiles, Sedova says. Senior engineering leaders, accounting officers and financial officers are frequent targets.
3. Pretexting
A pretexting attack convinces an employee to do something on behalf of the attacker, such as sending a wire transfer or granting access to a file, Sedova says. In one major cyberattack last year, attackers impersonated an employee during a help desk call to obtain valid credentials, then used them to access and infect systems. The attackers used information found on the employee’s LinkedIn profile to pull off the trick.
Pretexting is increasing across all industries. According to Verizon’s report, phishing and pretexting, largely via email, accounted for 73% of social engineering incidents.
4. Deepfakes
These attacks are more common at companies with call centers or a customer support function that uses voice as an authentication method, Sedova says. Earlier this year, a finance officer at a multinational company was tricked into transferring $25 million when attackers used deepfake technology to pose as the company’s CFO on a video conference call.
Tailor Training to Individual Risk Level
In addition to helping employees protect themselves from a range of phishing techniques, security teams should focus on better protecting the employees who are most likely to fall for an attack, as well as those who are attacked most frequently, Sedova says. To help security teams train and protect workers, Mimecast recently introduced its Human Risk Management Platform.
The platform aggregates data from security tools to determine which employees are making risky security decisions and which are being attacked more often, Sedova says. Just as a lender gives each customer a credit score, the platform gives each employee a security score, allowing security teams to provide training and security controls tailored to each employee’s risk level.
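The 8%/80% concentration quoted earlier and the per-employee score described here can both be computed from event data that security teams already collect. The Python below is an added example, not Mimecast’s platform code: the event types, tool names, scoring weights and tier thresholds are assumptions chosen for illustration, and the events are constructed sample data. It ranks users by a risk score that combines incidents they caused with how often they were targeted, and measures how small a group of users accounts for 80% of incidents.

```python
"""Added example (not Mimecast's code): find which employees cause most
incidents and which are attacked most, using events pulled from several
security tools, and score each one so training can be tiered by risk.
Event names, tool names, weights and thresholds are illustrative assumptions."""
from collections import Counter

# Constructed sample events as (user, source_tool, event_type).
# "phish_received" is an attack aimed at the user (from the mail gateway);
# every other event is an outcome the user caused (clicks, blocked
# malware, failed phishing simulations, DLP policy violations).
EVENTS = [
    ("alice", "mail_gw", "phish_received"),
    ("alice", "mail_gw", "phish_received"),
    ("alice", "mail_gw", "phish_received"),
    ("alice", "email_sec", "phish_click"),
    ("alice", "email_sec", "phish_click"),
    ("alice", "edr", "malware_blocked"),
    ("alice", "training", "sim_phish_fail"),
    ("alice", "training", "sim_phish_fail"),
    ("alice", "dlp", "policy_violation"),
    ("bob", "mail_gw", "phish_received"),
    ("bob", "mail_gw", "phish_received"),
    ("bob", "mail_gw", "phish_received"),
    ("bob", "mail_gw", "phish_received"),
    ("bob", "mail_gw", "phish_received"),
    ("carol", "mail_gw", "phish_received"),
    ("carol", "training", "sim_phish_fail"),
    ("frank", "mail_gw", "phish_received"),
    ("frank", "dlp", "policy_violation"),
] + [(u, "mail_gw", "phish_received")
     for u in ("dave", "erin", "grace", "heidi", "ivan", "judy")]

TARGETED = "phish_received"

# Illustrative weights: what each incident type adds to a user's score.
INCIDENT_WEIGHTS = {
    "phish_click": 20,
    "policy_violation": 15,
    "malware_blocked": 10,
    "sim_phish_fail": 10,
}
TARGETED_WEIGHT = 3  # per phishing email that reached the user


def all_users(events):
    return sorted({user for user, _, _ in events})


def incidents_by_user(events):
    """Count outcomes each user caused (everything except being targeted)."""
    return Counter(user for user, _, ev in events if ev != TARGETED)


def targeting_by_user(events):
    """Count how often each user was the target of a phishing email."""
    return Counter(user for user, _, ev in events if ev == TARGETED)


def concentration(counts, users, share=0.8):
    """Smallest group of users whose incidents reach `share` of the total.

    Returns (group, fraction_of_population, share_covered): the answer to
    "what fraction of our staff causes 80% of incidents" on your own data.
    Ties are broken by name so the result is deterministic.
    """
    total = sum(counts[u] for u in users)
    if total == 0:
        return [], 0.0, 0.0
    ranked = sorted(users, key=lambda u: (-counts[u], u))
    group, covered = [], 0
    for u in ranked:
        group.append(u)
        covered += counts[u]
        if covered / total >= share:
            break
    return group, len(group) / len(users), covered / total


def risk_score(events, user):
    """Per-user score (capped at 100) from incidents caused and attacks received."""
    score = 0
    for u, _, ev in events:
        if u == user:
            score += TARGETED_WEIGHT if ev == TARGETED else INCIDENT_WEIGHTS.get(ev, 0)
    return min(score, 100)


def tier(score):
    """Map a score to a treatment tier (thresholds are assumptions)."""
    if score >= 60:
        return "high"      # e.g. extra verification on payment/access requests, 1:1 coaching
    if score >= 15:
        return "elevated"  # e.g. targeted module on the technique they face or fell for
    return "baseline"      # e.g. standard periodic awareness training


def rank_users(events):
    """(user, score, tier, incidents_caused, times_targeted), highest risk first."""
    inc, tgt = incidents_by_user(events), targeting_by_user(events)
    rows = []
    for u in all_users(events):
        s = risk_score(events, u)
        rows.append((u, s, tier(s), inc[u], tgt[u]))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    group, frac, share = concentration(incidents_by_user(EVENTS), all_users(EVENTS))
    print(f"{frac:.0%} of users ({', '.join(group)}) cause {share:.0%} of incidents")
    for row in rank_users(EVENTS):
        print("%-6s score=%3d tier=%-8s incidents=%d targeted=%d" % row)
```

On the constructed data, 20% of users (alice and carol) account for 87.5% of incidents, and bob lands in the elevated tier with zero incidents purely because he is the most-targeted user, which is the second group the article says deserves extra protection. In practice the counts come from your mail gateway, EDR, DLP and awareness-training exports joined on a common user identifier, and the weights should be tuned against your own incident history rather than taken from this example.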
If the security team can reduce cyber incidents by engaging the 8% of employees who generate most of them, the company will quickly see a return on investment, Sedova says.
“You can maximize your team’s focus, assets and resources and really reduce the number of risks,” she says.