How Employees Can Become Unwitting Aides to Cybercriminals? – Cybersecurity software has advanced significantly over the years that they have become highly effective in detecting and blocking threats or attacks. However, one weakness in almost all organizations that have remained easy to exploit: humans.
Employees or the people in organizations, in general, are still the weakest link in cybersecurity. The advancements in software and even appliance-based cyber defenses still struggle to keep humans from becoming an issue in cybersecurity systems. Many find it difficult to strike a balance between security protocols or restrictions and efficient business operations.
Described below are three of the common but still largely solution-less ways used by cybercriminals to turn employees in an organization into unwitting assistants in a cyber attack. Also presented are the recommended solutions for each of the weaknesses.
Downloading and installing malicious software
How bad is the employee-driven problem with malicious software or malware? In the healthcare sector alone some years ago, one study found that employees download new malware every four seconds. Imagine how the numbers have risen over the years.
Malware or malicious software can be unwittingly downloaded and installed by employees after they click on ads and respond to the deceptive train of pop-ups, modal windows, and dialog boxes that follow. They may also be getting the malware by carelessly viewing and downloading email attachments or by receiving files through messaging systems.
Most people who are not sufficiently acquainted with the way things go on the internet can easily fall for deceptive schemes that make them download and install malicious software. Many of such software are designed to delay their activity to avoid immediate detection. They slowly unfold their functions until they are finally ready to execute their intended purpose in full and spread the infection to other devices.
In 2013, Target figured in a data breach that exposed around 40 million customer payment details. Hackers achieved this through a phishing attack that targeted a Target partnering company to steal customer data and later on installed malware on Target’s system to obtain the debit and credit card information. This attack cost the company $18.5 million to settle a class suit.
Solution: The installation of unwanted and damaging software or malware can be easily prevented by blocking the ability of work devices to install new applications with the approval of the IT team. However, with the growing popularity of BYOD (Bring Your Own Device) policies, this solution may no longer be as viable.
A better way to deal with this problem is by educating employees and instilling the habit of being extremely cautious when dealing with email attachments, executable files, and other unfamiliar or dubious files. Also, it greatly helps to undertake continuous automated penetration testing. This security measure simulates threats or attacks to spot the loopholes that need to be plugged. It can determine weak security controls or the absence of measures that could have blocked unwanted app installations.
These security tests may integrate the MITRE ATT&CK framework to take advantage of the latest cyber threat intelligence from around the world. The updated information about the most recent attacks or adversary actions helps in quickly identifying the novel and creative ways hackers are exploiting security weaknesses.
MITRE ATT&CK notably includes useful insights on social engineering techniques to help organizations implement measures to prevent these attacks from defeating security controls while guiding organizations on crafting policies that significantly reduce the success of social engineering tactics.
Being unwitting accomplices to the crime
Companies go the extra mile to keep their bank account details and other important information protected. They secure the login credentials to their bank accounts, online wallets, and financial records to prevent theft or the misuse of information that leads to losses and other adverse outcomes.
Is it possible for cybercriminals to steal an organization’s money without obtaining the bank or online wallet login credentials? Unfortunately, the answer is a definite yes, and this has been demonstrated by several instances in the past. High-profile social engineering-based attacks have rendered security controls of well-known organizations and personalities ineffective.
One example is a phishing scam that targeted Shark Tank investor Barbara Corcoran. Her bookkeeper fell for the scheme of a cybercriminal who impersonated Corcoran’s assistant to request a renewal payment for real estate investments. The bookkeeper sent $388,000 to a “false bank account in Asia” in response to an email that used an email address similar to the one Corcoran’s assistant uses. In addition, real estate database template contains features like a relationship tracker and a birthday database wrapped up into a comprehensive real estate customer management software
“When she (the bookkeeper) showed me the emails that went back and forth with the false address, I realized immediately it’s something I would have fallen for if I had seen the emails,” Corcoran said, noting that she could not blame her employee for not realizing the sophisticated scheme.
Another case involves the auto parts seller Toyota Boshoku Corporation, which was hit by a business email compromise (BEC) attack in 2019. The company lost around $37 million after one executive was convinced to replace the recipient’s details for a payment the company regularly makes.
Even the internet giants Google and Facebook did not escape the sting of social engineering. The companies collectively lost $100 million in a business email compromise scheme. Google and Facebook unwittingly sent funds to scammers’ accounts thinking that the invoices they received were legitimate.
In these situations, cybersecurity systems are effectively bypassed. Hackers did not need to get into the organizations’ systems, as the employees or executives themselves cluelessly executed the core objectives of the attack.
This could have easily been avoided if they were using automation in their invoice processing. By doing so, they would make their accounts payable process fraud free.
Solution: The best way to address these situations is to educate employees more on how to identify possible instances of social engineering. They need to become thoroughly acquainted with the signs of possible phishing or other social engineering attacks. Additionally, protocols for accessing finances and company assets should be regularly reviewed and tested for possible security issues.
Weakening of security controls
If cybercriminals fail to trick people into doing their bidding or install malicious software, they also have the option to convince employees in an organization to reduce or temporarily disable security controls.
For example, the attacker may send simulated emails or promo materials to certain employees who have permission to configure security controls. These materials may include a component—an image or video—that is not viewable unless the recipient turns off real-time malware detection and prevention or other crucial cybersecurity functions.
Employees may decide to ditch the use of web application firewalls (WAFs) because they think it slows down their internet connection. Some may refuse to conduct compulsory file scanning whenever a new file is introduced to the system. Others may continue using unsafe apps or those that come from dubious sources.
Solution: Continuous automated penetration testing is an excellent solution for the problem of employees who are tricked into tampering with the settings of the security controls. The test will automatically find vulnerabilities and raise the necessary alerts or notifications, so they can be addressed as soon as possible.
The unintentional weakening of security controls is considered an insider threat born out of negligence. It is difficult to detect because of the presumed legitimacy or regularity of activities. As such, it has to be dealt with intelligently by harnessing the power of artificial intelligence, automation, and other cybersecurity tech improvements.
To prevent employees from becoming clueless or unwitting helpers to cybercriminals, it is crucial that they are given enough time to learn and understand the problem. They need to stop being unwitting by knowing more about the threats everyone is expected to face eventually