Employees typically access 59 risky URLs per week, or 8.5 per day, according to new data. That’s more than once per hour in an eight-hour workday. Depending on their knowledge of the threat landscape, corporate employees can be as dangerous as an external cyber-attack on the company – especially if those employees are working remotely.
According to a Bitdefender survey of 6,724 IT professionals across the globe, 86% of businesses agree that cyber-attacks have been on the rise during the COVID-19 pandemic. More than one in three (34%) say they fear employees are feeling more relaxed about security issues because of their surroundings, while others say that employees are not sticking to protocol, especially in terms of identifying and flagging suspicious activity. IoT as an attack vector is also up by 38%, underscoring the dangers posed by our convenient smart devices sitting on the same network as the corporate laptop.
Cybercriminals increasingly banking on the human factor
A key data point in the Bitdefender study shows the culprit behind most successful attacks. Phishing and whaling are the most common type of attacks to see a spike during this period. In short, malicious actors are targeting and exploiting human fallibility.
This doesn’t come as a surprise. Cybercriminals have been successfully leveraging lapses in human psychology in social engineering schemes for years. Today, with our senses hyped by social media, fake news and, of course, the pandemic, it’s easier than ever to fall victim to a scam. Phishing emails preying on our COVID-19 fears promising to deliver testing kits, cheap protective gear, key information about vaccines etc., have dramatically increased in numbers.
Data from a similar study published in June shows a 200 percent increase in business email compromise (BEC) attacks focused on invoice or payment fraud from April to May 2020. The jump advances a trend observed throughout the year. In a notable example, an attacker impersonated a vendor and methodically engaged employees in a typical BEC scheme, persuading them to change banking details and redirect a $700,000 payment to the attacker’s account. BEC is the top reason why businesses make a cyber insurance claim, according AIG.
Email borne attacks also harbor malware. In the healthcare sector, ransomware attacks freeze critical systems and threaten lives, as unscrupulous cybercriminals have one thing on their mind – financial gain. These tumultuous times call for a new approach to cybersecurity. And it’s becoming increasingly clear that this change must start at the heart of the problem – with the human layer.
Human risk analysis
Striking a good balance between productivity and security yields tensions, if recent history is any indication. Employees become overwhelmed due to the complexity and pace of change, often resorting to unorthodox ways of getting their job done, like sidestepping security protocols.
Remote work scenarios reduce the control levers the organization has over how employees behave (less network security controls, no physical controls, etc.). This places a higher level of responsibility on the users (which networks they connect to, who has physical access to their devices, etc.). Tightening the security controls and restrictions on the endpoints may sound like the better option, given the circumstances, but then we circle right back to the balance between productivity, controls and user frustrations.
To address this problem, clever cybersecurity minds have devised a way to aggregate risk data and address human error rapidly and efficiently. Security solutions that embody human risk analysis promise to offer a golden-ratio approach, allowing more flexibility for the user, while keeping an eye on user behavior to create an individual risk profile. This enables IT administrators to act with surgical precision, increase security controls when and where they are needed, and even conduct training for staff members that need to get a better grasp on corporate security.
Let’s recall the worrying number of risky URLs accessed by a staffer daily. Equipped with a risk analytics engine, IT admins can get timely alerts when:
- Employees access one too many risky sites in a given time frame
- Users get infected after accessing resources on the web
- A certain user on the network tends to get infected with malware on a regular basis
- A staff member periodically forgets to renew their access credentials or fails to follow-through with standard cybersecurity practices
And the list goes on.
With stronger integration between security posture assessment and security controls, IT administrators can toggle between automated and semi-automated mitigation, increase monitoring focus on individual risky actions, and automatically deploy security awareness training when and where it’s needed the most.
Starting with 2020, the first sane step towards achieving a robust cybersecurity posture is to reduce user actions that generate risk.