Even a company with the most sophisticated cybersecurity tools and expert security teams can fall prey to cybercriminals if it overlooks one area of vulnerability: its people. Humans can be distracted, intimidated and, above all, misled. In fact, 97% of us can’t tell a phishing email from a legitimate one. Cybercriminals know this, which is why phishing attacks account for more than 80% of reported security incidents and why 54% of companies say their data breaches were caused by “negligent employees.”
Businesses of any size can fight back by providing their employees security awareness training and implementing other security best practices across their organization. This kind of cost-effective program can help your employees to understand cyber threats. That knowledge can empower them to protect your organization by spotting red flags and reporting them to IT.
Considering the many ways cybercriminals target employees and the costs of cybercrime to employers, it’s a wise investment.
Why do criminals go after employees when they attack companies?
Human nature is the weakest link in just about any business because employees can be:
Distracted: A busy employee may not realize an email that says it’s from the boss actually comes from a fake email address. That’s especially likely if an “urgent” message arrives at the beginning of the workday, while they’re still settling in.
In fact, the most popular time for criminals to send emails targeting workers with funds-transfer scams is 9 a.m. on a Tuesday. An employee who just arrived at the office or opened their laptop at home may hustle to fulfill the request, not realizing that the invoice they’re paying doesn’t come from the CFO’s real email address. That same employee might not think twice before opening an attachment in an email that appears to come from their manager, only to learn the attachment contained ransomware when it’s too late.
Pressured: Cybercriminals know that no one wants to be held responsible for causing a business interruption or missing an important meeting. When an employee gets an email saying their office’s power is about to be shut off if they don’t make a payment immediately, they may shift into reactive mode before they check the source of the message. Depending on the scammer’s demand, they might transfer funds or visit a phishing site to “log in,” which gives the attackers access to their account.
Likewise, an employee who gets a message that they missed a meeting may follow the instructions in the notification and enter their Microsoft account credentials into a phishing site before they pause to check the source of the message or whether they really did miss a meeting.
Misled: Many organized cybercriminals are sophisticated about tracking executives’ schedules and crafting authentic-looking emails to impersonate them. Some organized cybercriminal groups do this at scale by purchasing lists of executive contact information from legitimate data brokers, the kind of information that sales teams use for prospecting. One such group was caught with a list of tens of thousands of finance executives, which they were using to target the executives’ assistants with phishing emails and wire transfer scams.
Unaware: Password hygiene is a huge problem that puts personal and business data at risk. Many employees are unaware that using the same password across multiple personal and work accounts is a significant security risk. The reason many employees reuse passwords across all of their work accounts is simple: it lets them keep track of them all. In fact, 86% of Americans say they keep track of their passwords in their heads rather than using a password manager. That means they’re using easy-to-remember passwords that are also easy to guess or crack. Given that the average user has at least 70 password-protected accounts, it’s unlikely that they’re all unique. However, most people don’t realize that their password shortcuts come at a price: they make it easy for criminals to break into all of those accounts with one “skeleton key,” because a single breached password can be replayed against every account where it was reused.
Many employees also aren’t aware of the full range of possible phishing channels, including SMS, voice and social media, in addition to email. That means they may let their guard down in those other channels, even if they’re careful when using email.
How do cybercriminals target employees?
It’s important to keep in mind that criminals are always trying out new techniques for stealing data and breaking into company networks. However, attack methods that target employees are consistently popular because they’re effective.
Phishing exploits the fact that almost none of us can spot a well-crafted phishing email. That’s a major reason that 94% of all the malware that infects organizations arrives via email. Worldwide, phishing attacks cost organizations $17,700 per minute by leading to theft of funds, data losses, and fines and lawsuits after breaches.
Business Email Compromise (BEC) is similar to phishing. It works by impersonating executives in email messages to people who work for them. These often sophisticated impersonations can trick employees into rerouting direct deposits and paying fake invoices. The FBI says BEC caused half of all US cybercrime losses in 2019, at a total of $1.77 billion.
Account takeovers happen when employees fall for phishing scams, use weak passwords or reuse a password that gets breached. The Ponemon Institute reported in 2019 that 47% of SMBs had been the victims of attacks that started when criminals compromised an employee password, at an average cost of more than $384,000. However, most companies don’t ensure that their employees use strong, unique passwords.
Man-in-the-middle attacks take advantage of employees’ insecure connections to company systems over public Wi-Fi, home routers that aren’t properly password protected, or vulnerable cloud-based conferencing tools. When attackers can “listen in” as data moves from remote employee to employer system, they can capture sensitive information like employee passwords and company financials.
To keep your business secure, train your employees to avoid cyberthreats on the job.
How can you help your employees stay safe and protect your company’s data?
Start by implementing security policies that require employees to verify “urgent” requests for funds transfers, or requests to reroute payroll deposits, by phone, via teleconference or in person before acting on them.
You can also require your employees to use strong, unique passwords for each company account and device they have access to. Remote workers should only access your system and teleconferences via secure connections such as a company VPN, while avoiding public Wi-Fi and unapproved conferencing applications.
Remind your employees of security best practices. For example, everyone at your company should get in the habit of checking the email address, not just the sender name, for all incoming messages before responding. Your employees should also avoid clicking on links or opening documents in unexpected emails.
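The “check the address, not just the sender name” habit described above can also be automated as a mail-filter or triage check. The following script is an added example written for this page; it is not SiteLock’s code or part of any product mentioned here. It assumes a hypothetical company domain (example.com) and a hypothetical list of executives, and it flags three patterns the article describes: a display name that borrows a known executive’s name while the actual address is someone else’s, a display name that itself contains an email address to hide an external sender, and a lookalike domain that differs from the real one by a character or two. The From headers it inspects are constructed samples.

```python
from email.utils import parseaddr

# Constructed assumptions for this example (not from the article):
COMPANY_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",   # hypothetical CFO
    "Sam Lee": "sam.lee@example.com",     # hypothetical CEO
}


def normalize_name(text):
    """Lower-case and collapse punctuation so 'Doe, Jane' and 'jane.doe' compare sensibly."""
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, company=COMPANY_DOMAIN):
    """True when the domain is not the company's (or a subdomain of it) but resembles it."""
    if domain == company or domain.endswith("." + company):
        return False
    base = company.split(".")[0]            # "example"
    if base in domain:                      # example-com.net, example.co, ...
        return True
    return edit_distance(domain, company) <= 1


def check_from_header(from_header):
    """Return a list of human-readable findings for a raw From: header value.

    An empty list means nothing suspicious was found by these heuristics.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    findings = []
    if "@" not in addr:
        findings.append("unparseable or missing sender address")
        return findings
    domain = addr.rsplit("@", 1)[1]

    # 1. Display name matches a known executive, but the address is not theirs.
    shown = normalize_name(display)
    for name, real_addr in KNOWN_EXECUTIVES.items():
        if normalize_name(name) in shown and addr != real_addr:
            findings.append(f"display name impersonates {name}; actual address is {addr}")

    # 2. Display name contains an email address while the real sender is external.
    if "@" in display and domain != COMPANY_DOMAIN:
        findings.append("display name contains an email address but the real sender is external")

    # 3. Sender domain is a lookalike of the company domain.
    if is_lookalike_domain(domain):
        findings.append(f"lookalike domain: {domain}")

    return findings


if __name__ == "__main__":
    # Constructed sample headers for demonstration.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe (CFO) <jane.doe@examp1e.com>",
        '"jane.doe@example.com" <acct@freemail.test>',
        "IT Helpdesk <help@example-com.net>",
        "Newsletter <news@vendor.test>",
    ]
    for header in samples:
        result = check_from_header(header)
        print(f"{header!r}: {result or 'OK'}")
```

In practice the executive list and company domain would come from the directory, and a finding would route the message to quarantine or add a visible warning banner rather than block it outright; the heuristics are deliberately simple and are meant to complement, not replace, SPF, DKIM and DMARC checks on the actual envelope sender.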
You can also encourage your employees who work from home to check and change their home wireless network and device passwords. Default passwords are usually available online and hackers can search remotely for vulnerable equipment to hack.
Provide ongoing security awareness training to employees to prepare them to be your first line of defense against cyberattacks. For example, SiteLock’s new Security Awareness Training and Phishing Simulation offers comprehensive resources to help employees get better at spotting threats.
Security awareness training helps keep your employees up to date on the latest threats and gives them tools to avoid becoming victims.
Phishing simulations give your employees hands-on experience detecting and avoiding scams, without putting your systems at risk.
Convenient, quick delivery of training resources makes it easy to train new employees fast and lets current employees refresh and build their skills.
Continual reinforcement of cybersecurity concepts and best practices helps you create a culture of cybersecurity in your organization.
Employee progress metrics show you who’s got the basics down, who’s an advanced security-awareness student and who needs more review and support to stay safe.
Remember, cybercriminals target employees because they expect them to be the weakest link in a company’s security defenses. But with training, your employees can learn to protect your business and become important assets in your organization’s cybersecurity strategy.
Learn more about how SiteLock Security Awareness Training & Phishing Simulation can help your employees get cyber-savvy and protect your business against costly breaches and scams.