By Zack Schuler, founder and CEO of NINJIO
Cybercriminals are experts at exploiting vulnerabilities. While security tools are constantly improving, cybercriminals’ tactics evolve right along with them – a process that sometimes makes cybersecurity feel like an endless arms race. Although cybercriminals will always find new attack vectors and continue to infiltrate organizations, this is all the more reason why company leaders should never be reactive with their cybersecurity platforms.
One of the most effective ways to resist cyberattacks is to understand why cybercriminals select certain targets and the tactics they use – as well as why they’re often successful. For example, cybercriminals launch phishing attacks because they’re cost-effective and easy to carry out, they can be scaled quickly, and most importantly, a significant proportion of employees can be relied upon to fall for them. Phishing is just one form of social engineering – an umbrella term describing any cyberattack that relies on the manipulation of human victims.
While companies should be prepared for a wide range of cyberattacks, they have specific vulnerabilities based on industry, size, and several other factors. When employees understand the risks posed by cybercriminals and understand the threat landscape, they’ll be in a stronger position to counter cyberattacks of all kinds.
Limit the attack vectors that put your organization at risk
There are many technical tools companies can use to protect themselves from cyberattacks, such as multi-factor authentication, password managers, and VPNs. However, many other tools that companies rely upon to increase productivity and facilitate communication have simultaneously made them more susceptible to cyberattacks.
For example, cloud-based workflow and collaboration solutions have become ubiquitous. While many of these resources can be used safely, it’s crucial for employees to understand best practices on data sharing, account credentials, and an array of other issues that have clear cybersecurity implications. Moreover, companies have to be cognizant of the fact that employees often use unsanctioned devices and solutions, which may not have the same account safety features as official resources.
The number of Internet of Things (IoT) devices has exploded in recent years – there are now billions of these devices, and the number will only continue to soar. By 2025, McKinsey predicts that IoT will have an economic impact of between $4 trillion and $11 trillion. However, this means cybercriminals have an ever-expanding array of new attack vectors – from omnipresent “smart” devices (which are filling homes and offices) to cloud solutions that were adopted much more widely during the COVID-19 pandemic. Add to all these vulnerabilities the fact that remote work will remain the norm for the foreseeable future, and it’s clear that companies have a drastic influx of new cyber threats to address.
Understand the origins of cybercriminal behavior
One of the biggest mistakes companies will make in the coming years is to treat all of these emerging threats as mere technical problems that can be solved with the tools we discussed at the beginning of the last section. In reality, a lack of cybersecurity is fundamentally a cultural problem – social engineering is by far the most prevalent type of cyberattack, and threat actors who use it will always find a way around technical security mechanisms. This is because those mechanisms are managed by human beings, who are liable to be deceived, coerced, and manipulated into providing access to secure systems.
A survey conducted by the Ponemon Institute found that 60 percent of small and medium-sized businesses that were victims of a data breach attributed the infiltration to negligent employees or contractors. It’s no wonder that cybercriminals consistently target human beings – the vast majority of people reuse passwords, fail to regularly update their applications, use public WiFi without a VPN, and consistently ignore even the most basic cybersecurity guidelines. Meanwhile, a staggering 30 percent of workers report that they’ve clicked on a phishing link over the past year, while almost half say they’ve clicked on an unknown link at work.
There are many natural tendencies and blind spots that cybercriminals prey on: curiosity, a demand for immediate satisfaction, pressure to work more efficiently, and so on. To protect themselves from these attackers, employees have to start thinking like them.
How thinking like a cybercriminal can keep employees safe
Emails and other messages containing malicious content are always coercive: they threaten respondents, tell them content is time-sensitive, present themselves as authorities, create an illusion of legitimacy, and use many other strategies to compel employees to click. This is why many cybercriminals viewed COVID-19 as a golden opportunity – people were frightened of the disease, desperate after being laid off, and hungry for any pandemic-related information or assistance. These are all reasons why government agencies like the FTC had to issue alert after alert on COVID-19 scams.
When employees receive a suspicious email or any other digital communication, they should ignore any coercive language and think: If I were a scammer, what would I say to convince a victim to click? By reframing their online behavior like this, employees will stop fretting about the demand that they “TAKE ACTION NOW” or fulfill some immediate request – they’ll instead have a security mindset that allows them to identify cyber threats as they arise. Employees should also know which types of information cyber criminals are after and adjust their behavior accordingly. For example, 80 percent of breaches include records containing personally identifiable information (PII), which refers to any information hackers can leverage to infiltrate an account. This is why employees should keep the amount of information they publish and share to a minimum.
While cybercriminals are always adapting and coming up with new ways to deceive and defraud their victims, there are many ways employees can anticipate and ultimately defuse these threats. This process begins with understanding how cybercriminals operate – from why they choose certain targets to how they manipulate victims. When employees are aware of the psychology of cybercrime, they’ll be able to fight back.
