theDocumentId => 1341261 Cyberattacks Are Tailored to Employees ... Why ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/17/2021
01:00 PM
Tim Sadler
Tim Sadler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?

Consider four factors and behaviors that impact a particular employee's risk, and how security training should take them into account.

Companies are spending significant resources trying to reduce security risk among employees. And they spend billions each year on training, yet major data breaches continue to make headlines, and human error remains the leading cause of a breach. Where's the disconnect?

Related Content:

6 Free Cybersecurity Training and Awareness Courses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

One major problem is that companies haven't adapted their security training as quickly as cybercriminals have evolved their attack methods. Cybercriminals increasingly target specific employees based on real-time factors like tenure, department, and location to make their scams more believable. To safeguard against these threats, security training must be as tailored and sophisticated as attack methods. 

There are a number of factors and behaviors that affect a particular employee's risk. Here are four of them, and how security training should take them into account.

Department and Job Function
Cybercriminals craft convincing scams by tailoring them based on an employee's department and role. They comb platforms like LinkedIn and company websites to find these details.

Security training should be tailored by job function and provide employees with real-world examples of the scams most likely to target them. For example, the CFO and finance department might be targeted by more business email compromise attacks like wire transfer fraud, and they should be trained on them accordingly. 

Human error also differs by department. For example, sales teams often have access to large swaths of personal information. Train these teams on how to avoid data loss risks, like sending documents or attachments to their personal emails.

Individualized training allows companies to prioritize training for employees with access to sensitive data, such as customer Social Security numbers and financial information, and for the departments that are most often targeted. For this reason, information on employees' roles and access should be automatically updated.

Employee Tenure
New employees are often specifically targeted by hackers, and social media makes this easy. Tessian found that 93% of US respondents post about a new job on social media. 

Because new employees are less familiar with colleagues and company security protocols, they are often less able to identify abnormal requests. Cybercriminals know this and take advantage of it. For example, they'll pose as an IT team member or customer service rep asking for login credentials to set up software or account permissions. 

Security training and tactics should focus on where new employees' vulnerabilities lie so they know what to look for. A careful review of security guidelines and best practices should be integrated into the onboarding process early on. 

Remote or In-Office Work
Security was a major challenge for many companies during the transition to remote work. Now they will face new hurdles with a complex shift to hybrid work. It's highly likely that cybercriminals will continue to target remote employees and take advantage of any uncertainty caused by the hybrid workplace.

Distraction is an important risk factor here. Over half (57%) of employees say they feel more distracted when working from home, while 47% cited distraction as the top reason for falling for a phishing scam. People tend to make more mistakes, like clicking a link without verifying an email sender, during these situations. It's also more difficult to verify a legitimate request from a colleague when you're not in the same location.

Employees should be trained on the specific security risks unique to working from home, in an office, or in a hybrid environment. 

Risk of Human Error
Security training often focuses only on risks like phishing scams that aim to trick employees. But simple human mistakes also lead to data breaches — for example, when an employee sends sensitive information to the wrong email recipient. The most effective tools will flag this behavior in real time as an employee is about to make a poor decision. Humans learn best in context, so training is best delivered in-the-moment rather than in lengthy modules that happen once per quarter.

Training has an important opportunity to make employees aware not only of general security risks, but also improve their individual behaviors over time. Do they download large amounts of sensitive data when they only need to access a small portion? Do they have a history of falling for phishing scams? Security reminders should be tailored to past behavior and delivered consistently. 

This is not about shaming or punishing individual employees. The goal is to arm them with specific, relevant knowledge based on their own workplace habits. 

Better for Employees, Better for Organizations
Tailored training is a win-win for both organizations and their employees. Instead of sitting through long, boring training sessions that interrupt productivity, employees' time can be spent only on the most relevant information. Training becomes more engaging and more memorable. Meanwhile, organizations save resources by making training more effective and efficient. The ultimate goal is to create a wider security culture that leaves the organization better protected overall. 

Cybercriminals are consistently refining their techniques to trick employees, while workers are put in charge of more and more data as companies digitally transform. Security techniques should, similarly, continually incorporate new methods and technologies. By analyzing unique risk factors and making security training both individualized and automated, security leaders can protect employees without disrupting their work.

Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...
CVE-2021-25808
PUBLISHED: 2021-07-23
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.