The human factor: how employees make your business vulnerable
Updated at: Oct 01, 2019
Cybersecurity is an increasingly frequent topic of discussion within companies, and much of that discussion concerns the responsibility and role of employees in keeping data and information secure. That's why, when we talk about cybersecurity, we come across terms like human factor, human failure, and insider threat. It is no exaggeration to say that a single employee can put an entire company at risk.
To get an idea of the scale of the issue: according to the 2019 Verizon report, which analyzed more than 40,000 security incidents worldwide, about 35% of all data breaches occurred due to human failure, that is, to unprepared people or employees. It's a high percentage. That's why we say and repeat: companies need to invest in security awareness and in advanced protection tools and software.
Another interesting finding that reinforces the concern with the human factor is that the main targets of cyber attacks are decision makers. According to Verizon, C-level executives are nine times more likely to be targets of social breaches. In practice, this means that the effects of an attack can cause great harm and loss.
Here at Gatefy we go as far as saying that thinking about education and security awareness is just as important as thinking about protection software and tools. Imagine that an employee executed a malicious attachment received by email in a phishing attack. Undoubtedly, an advanced email security tool combined with training would have all but prevented the infection.
How hackers target employees
When we talk about the human factor as the cause of a data breach or a backdoor, we're talking about many different factors and elements: sending confidential information by email to the wrong people, for example, or publishing secret data on public websites.
But for now, I'd like to focus on the tactics, methods, and scams that hackers use to exploit the human factor, that is, to target and exploit company employees. And when I say companies, I'm talking about businesses of all sizes.
Let's take a look at the list we've prepared.
1. Social Engineering
Social engineering is a method that relies on research and persuasion. Basically, hackers take advantage of information that is publicly available on the web to get to know their victims better and create personalized scams. Social engineering is the basis of phishing and spear phishing scams.
2. Domain spoofing
Domain spoofing is a tactic criminals use to commit scams on the internet. Spoofing consists of creating fake email addresses and websites that imitate legitimate ones in order to trick people. Like social engineering, spoofing is widely used in phishing, spear phishing, and spam campaigns.
3. Phishing and spear phishing
Phishing and spear phishing are scams in which a criminal impersonates a person, company, or government agency with the purpose of deceiving someone. The vast majority of phishing and spear phishing scams occur via email, but other means are also used, such as phone calls.
4. BEC (Business Email Compromise)
The acronym BEC stands for Business Email Compromise. BEC is a type of spear phishing, and it deserves prominence on our list because it's one of the top threats to companies. It occurs when an attacker compromises a corporate email account and then impersonates the account's owner to deceive others. According to the FBI, BEC attacks caused losses of more than USD 1 billion in 2018. It's one of the worst types of cybercrime.
5. Payroll diversion
Payroll diversion is another cybercrime that causes huge losses to companies and targets employees. It happens when cybercriminals use phishing emails to steal employees' login credentials. These credentials are then used to access employee accounts and commit fraud. According to the FBI, in 2018, losses involving payroll diversion were estimated at USD 100 million.
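As an added, defender-side illustration of the spoofing and impersonation patterns behind items 2 to 4 (this is not code from the original post or from Gatefy), the Python below checks an inbound From: header for three red flags: a lookalike of a trusted domain, a trusted domain used as a subdomain of another domain, and an executive's display name on an external address. The trusted domain, executive names, confusable-character table and sample headers are constructed assumptions.

```python
from email.utils import parseaddr
from typing import List

# Constructed sample values (assumptions): the protected organisation's
# domain and the executives most likely to be impersonated in a BEC attempt.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Character substitutions commonly seen in lookalike (homoglyph) domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Undo common homoglyph tricks so 'examp1e.com' becomes 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> List[str]:
    """Return the reasons a From: header looks like spoofing or impersonation.

    An empty list means no red flag was found; it does not prove the mail is safe."""
    name, addr = parseaddr(from_header)
    _local, at, domain = addr.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return ["unparseable sender address"]
    if domain in TRUSTED_DOMAINS:
        return []
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == trusted or edit_distance(domain, trusted) <= 1:
            reasons.append(f"lookalike of trusted domain {trusted}")
        if domain.startswith(trusted + "."):
            reasons.append(f"trusted domain {trusted} used as a subdomain of {domain}")
    # BEC-style impersonation: a known executive's name on an address we do not own.
    if " ".join(name.lower().split()) in EXECUTIVE_NAMES:
        reasons.append("executive display name on external address")
    return reasons
```

In a mail gateway this check would run alongside SPF, DKIM and DMARC results rather than replace them, since it only inspects the visible sender.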
The malicious employee
So far we've been talking mostly about the profile of an unprepared or inattentive employee: people who interact with malicious emails, for example, clicking on links and downloading suspicious attachments. But there is another employee profile, and this one is even more dangerous. Let's call him the malicious employee.
A malicious employee is usually the one who truly deserves the term insider threat. This type of employee steals passwords, steals data, and deliberately creates vulnerabilities in the system, whether for financial gain or to help a rival company.
Take as an example the case of Tesla, which, in 2018, sued a former employee accused of hacking the company and transferring confidential and secret information to third parties.
The best way to strengthen your company's security is to invest in ongoing training for all employees, especially those outside the IT department. It's important that everyone knows how to identify different types of threats, such as phishing and spam. This goes a long way toward avoiding data breaches and infections.
Another key point is to limit each employee's access to information. For example, a marketer doesn't need access to information from the finance department, and vice versa. This simple measure can prevent major headaches.
Investing in creating an incident response plan is another valuable tip. And, of course, be sure to choose your software and protection products against malware, phishing, spam, and other types of threats wisely. Only then will your company be even safer.