While many organisations spend thousands on preventative cyber security tools, many make the mistake of overlooking the fact that cyber criminals are spending less time relying on brute force to gain access to protected information and more time on manipulating or bribing employees into giving up personal information.
The Threat From Within
Research shows that 98% of cyber-attacks rely on social engineering, and the most common type of social engineering attempt is phishing, which most organisations are woefully underprepared to address. According to new data, the first six months of 2022 saw 255 million attacks, a 61% increase in the rate of phishing attacks compared to 2021.
As more organisations support hybrid working, social engineering threats are becoming more prominent, as cyber criminals realise that offsite employees are vulnerable to phishing and social engineering attempts, which attackers can use to harvest user credentials and gain access to internal systems.
With 2023 fast approaching, organisations will need to prepare to better combat social engineering threats if they want to minimise the chance of a data breach in the year ahead.
Employees are your first line of defence against social engineering threats, whether they’re in the office or working from home. If a cyber criminal tricks an employee into handing over personal information (such as by tricking them into logging in to an online portal on a phishing site), then the attacker is going to be able to access privileged information.
As a result, educating employees on the signs of phishing attempts and security best practices is critical for making sure they don’t fall victim to attacks and hand over information that could increase the risk of a data breach.
If you want to educate employees on how to avoid phishing threats, you can send out regular communication campaigns and training sessions that highlight security best practices such as:
- Avoiding clicking on email links and attachments from unknown senders
- Never handing over personal information by phone, email or SMS
- Not being afraid to communicate with someone on multiple platforms to verify their identity
- Using multi-factor authentication to prevent unauthorised access to accounts
- Installing anti-malware and antivirus software on devices to reduce the chance of them being infected
Proactive Threat Hunting with MDR
While part of the responsibility for defending against social engineering falls on employees, human beings aren’t infallible. This means that the security team has a critical role in proactively hunting for phishing emails and containing breach events.
The problem is that many organisations struggle to process phishing emails in-house, because the volume of malicious emails is so high that analysts spend hours triaging them each day, taking them away from other important tasks in the environment.
However, working with a Managed Detection and Response (MDR) provider can eliminate this challenge by providing you with support from an external security team who can continuously monitor your environment for phishing emails and automatically isolate them, so your security analysts can focus on other tasks.
Understanding what a phishing scam is is one thing; knowing how to detect one while you’re busy at work is another. The only way to train employees to detect phishing emails effectively is to offer them phishing simulations that let them practise identifying real-world examples of phishing emails.
Phishing simulations should be a critical part of your employees’ cyber security training because they give employees an opportunity to practise independently identifying scams, which is much more practical than written guidance or tutorials.
At the same time, you can also use phishing simulations to measure employee performance and calculate their level of security awareness. Employee performance helps identify security-conscious employees who are safe to work from home and less aware employees who would benefit from extra training opportunities.
With social engineering scams as popular and dangerous as they are, organisations need to take a much more proactive role in developing employee awareness so that they’re prepared to spot manipulation attempts in hybrid working environments.
Providing employees with training opportunities that teach them how to identify phishing attempts is vital to reducing the risk of breaches and ensuring there’s no unauthorised access to critical data assets. Ensuring employees aren’t disgruntled plays a major role in reducing the threat as well; after all, a happy employee is a lot less likely to accept a bribe or offer their services to cyber criminals.