Cybercriminals are attacking businesses by exploiting the weakest link in the security chain – Employees. Attacks exploiting the human factor are far easier to pull off that attempting to find remote code execution vulnerabilities. They are also much quicker and less resource-heavy than brute force attacks. A single phishing email can be all it takes for malware to be installed on a network or for account credentials and sensitive data to be stolen.
The number of successful phishing attacks on businesses is increasing steadily, ransomware attacks have soared in 2019, and the cost of mitigating cyberattacks continues to rise. Despite the increased risk of a cyberattack occurring, and the high cost of mitigation, many businesses are failing to provide security awareness training to staff. One recent survey by Tessian revealed only one third of UK employees regularly receive security awareness training. 22% of employees have received no training whatsoever.
The importance of training has been highlighted by a recent study by Proofpoint. Its researchers say 99% of cyberthreats require some human interaction, such as the clicking of a link, opening an email attachment, or some other manual action. Without the human element the attacks could not possibly succeed. If employees are not provided with training and remain oblivious to the threats they are likely to see, they cannot be expected to take the correct course of action when a threat lands in their inbox. They are likely to perform the manual action that the attackers need in order to compromise their computer.
The Proofpoint study revealed some employees are targeted more than others. These Very Attacked Persons or VAPs typically have high level privileges and access to highly sensitive data, corporate bank accounts, and payroll systems. These individuals are targeted because their credentials are the most valuable. These individuals are also the easiest to discover online. According to the report, 36% of VAPs can be found via corporate websites, professional networking sites such as LinkedIn, social media sites, and industry publications.
These individuals are usually targeted in spear phishing campaigns during office hours. The emails mimic legitimate email patterns and are professionally written, with plausible lures to get VAPs to disclose their login credentials.
No company or organization is immune to attack, but some industry sectors are targeted more than others, especially those with a higher than average number of VAPs such as education, finance, advertising, and marketing. Education had the highest number of imposter attacks.
Companies that use Microsoft Office 365 are also extensively targeted. In fact, one in four phishing attacks last year sought Office 365 credentials. Since employees are being targeted, businesses need to ensure the workforce is properly trained and all employees are taught how to recognize phishing emails and other email threats. Training cannot be a one-time event when joining the company, and even an annual training session is no longer sufficient. Cybersecurity training should be provided much more frequently to ensure employees are made aware of the latest threats and tactics being used by cybercriminals.
“To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users,” explained Proofpoint in the report.