As a CISO, you're always looking for the next big breakthrough to increase your organization's overall security posture.
Next-generation firewalls (NGFW), intrusion prevention systems (IPS), and sophisticated anti-virus software are great, but the answer to strong cybersecurity starts with your weakest link: your employees.
In fact, untrained employees are far more likely to lead to a breach than DDoS attacks or any other hacking technique.
In this article, we'll discuss why your team is your most significant security vulnerability. Plus, you’ll leave with a few ideas for protecting your organization from user deception, with the help of cybersecurity education, training, and testing.
CISOs are facing a more advanced cyber threat landscape than ever before.
Gone are the days of storing all company assets behind an office building's locked doors. Employees are now working from all different locations, and remote work is more prevalent than ever before. Every point of connection is a new point where a malicious actor can infiltrate.
Today, employees are not only working from all over the world, they are also carrying more devices than ever before. Smartphones are essentially just very portable computers containing a vast amount of corporate data— and that presents a threat.
The sheer volume of tools, apps, cloud technologies, and devices creates a point of entry at every turn. Does the average person genuinely know how to determine if a program is safe or malicious? Even if a tool or program isn't inherently malicious, an attacker could still use it as a means of entry if the creator did not design it securely.
There are so many potential entrances into a network that feels nearly impossible to protect them all. This advanced landscape forces CISOs to depend on their employees to know how to defend themselves to at least some degree.
Why Your Employees are Your Business' Weakest Security Link
Generally speaking, the average employee is not going to act maliciously on purpose. Sure, there are cases of malicious insiders that seek to wreak havoc on an organization out of spite or for monetary gain, but this is far less common than an employee causing damage by accident. According to KnowBe4, only 3% of attacks rely on malware to exploit a technical flaw; the other 97% rely on social engineering tactics!
Social engineering exploits every human's natural instinct to trust something that appears legitimate. Social engineers use Open Source Intelligence (OSINT) to gather information about their potential targets. Information on social media sites such as Facebook or LinkedIn and public-facing websites provide a plethora of data for a bad actor. Knowing enough about you, attackers can craft convincing and targeted attacks against you and your organization.
Without proper training on identifying a social engineering attack, employees are just sitting ducks for the attackers. Even with all of the security controls in the world, successful, sophisticated social engineering attacks occur. When an attack can transpire only using communication via a telephone, no software can protect you.
With all of this in mind, it's not difficult to see how your employees are your weakest link. Still, employees can also be your final and best line of defense if adequate cybersecurity education and training is in place. An employee that can quickly and accurately spot a phishing email is far more valuable than a spam filter that experiences false positives and false negatives.
The Importance of Being on the Offensive vs. the Defensive
In the world of cybersecurity, the best defense is ultimately being on the offense. Simply put, this means that CISOs must be proactive rather than reactive to potential cyber threats.
An offensive mindset involves a two-prong approach:
- Knowing about your organization's weaknesses before the adversaries do
- Training your employees on what a cyber threat looks like before the danger occurs
Simulated attacks against your organization, whether through full-blown penetration testing or a simple simulated phishing attack, allow you to have an in-depth understanding of where the organization's weaknesses lie. Of course, a full penetration test or Red Team engagement provides a deeper look into the organization— as a whole as well as the flaws that exist from both a technical and educational standpoint.
Understanding the techniques that your employees are most likely to fall for enables you to develop custom social engineering training against those tactics and strategies. According to a survey performed by KnowBe4, 84% of respondents stated that they could see a quantifiable decrease in social engineering attacks after implementing social awareness training to their employees.
Here are the top hacking techniques all CISOs should educate remote users about to get you thinking about the training your team needs.
Recent Enterprise Social Engineering Attacks
Don't think that it could happen to you? Renowned business expert and Shark Tank host Barbara Corcoran likely felt the same way. That is, until she fell for a phishing scam earlier this year that cost her a whopping $380,000.
In this case, the scammers did their research. The email address used to send the phishing email to Corcoran closely resembled Corcoran's assistant's email address. In fact, there was just one character different. The email contained an illegitimate invoice for $388,700.11 for "real-estate renovations." As Corcoran invests in real-estate, the email didn't initially raise any red flags for her.
Corcoran tweeted out after news broke of the scam stating, "Lesson learned: Be careful when you wire money!"
Barbara Corcoran isn't the only one to fall for a phishing attempt in recent years. In fact, there are countless examples of well-known public figures and organizations falling victim to social engineering attacks— one of the most notable being the Democratic party in the 2016 US presidential election.
Before the 2016 presidential election, malicious actors from Russia sent spear-phishing emails to members of the Democratic National Convention's network. The result was attackers gaining access to thousands of confidential and sensitive emails regarding the Democratic candidate Hilary Clinton's campaign.
Start Protecting Your Organization Today
As a CISO, there are two ways to improve your organization's security...
The first is investing in employee cybersecurity education and training to empower your employees to think before they click.
The second is understanding that even the most well-prepared can fall victim to crafty social engineering pretexts and opting for custom pentesting or red teaming engagements to spot your potential gaps in security.
Before pursuing either avenue, see how well your company is prepared for cyber threats.
Get actionable tips for protecting your organization in just 5 ½ short but high-impact steps by downloading our guide here.