In recent years, the focus of hacker attacks has shifted from IT devices and apps to IT users; the human factor – our weaknesses and shortcomings – is what brings the most value to cyber-criminals. The targets of phishing attacks are primarily business users and, increasingly, also executives. Regarding this shift, the critical question is no longer how you can ensure your organisation’s cyber security but how you can ensure your own security and that of your users.
In business environments, we face two primary challenges:
- how to manage threats coming from outside and
- how to manage and address insider threats, whether intentionally or unintentionally caused by users.
As users are an increasingly important link in the chain of cyber attacks, this blog post focuses on insider threats. Additionally, malicious messages often look just like real and legitimate ones, and phishing has become increasingly challenging to identify.
Insider threats are the means of successful phishing attacks
The term “insider threat” might sound too reminiscent of totalitarian systems and internal (political) enemies. However, a cybersecurity threat to the IT system can actually result from inappropriate user behaviour. This is a fairly frequent issue in business environments – between 2018 and 2020, the number of insider threat incidents increased by 47 %*. Generally speaking, any user granted access to business assets is a potential insider threat; these assets range from sensitive data to controlled premises and buildings. The right of access is inevitably connected to a certain level of responsibility. The moment users neglect their responsibilities, they become a threat.
According to CISA (Cybersecurity and Infrastructure Security Agency), insider threats are categorised as**:
- unauthorised disclosure of information,
- corruption, including participation in international organised crime,
- workplace violence,
- intentional or unintentional loss or reduction of business resources or capabilities.
Insider threats can be intentional or unintentional
Each of these threats can be divided into three categories:
- unintentional threats
- negligent threats
- malicious threats
Malicious threats arise from a user’s personal motivation to consciously act in a way that causes harm to an organisation. In this case, the users may be very cybersecurity aware, but their personal interests override their moral responsibility. Addressing such threats is more a matter of HR and management. The cause of such behaviour might be personal dissatisfaction with the job and the relationships at work, or the user may want to use the data to take advantage of it in the next job.
The second category is negligent and unintentional threats. These are threats that users may not even be aware of, or users may not be aware that they are responsible if they allow a threat to be carried out. With unintentional threats, the lack of knowledge or skills to identify threats is often a challenge.
We talk about negligence when a user is aware of the company’s security policies and the proper procedures but finds it easier to bypass them. A simple example of such a threat is when users do not lock their screens or leave confidential documents on their desks. Or when employees let an external visitor into the premises and allow them to move freely around, even though they know this is against internal rules.
Probably the most dangerous group of insider threats are those where users are completely unaware they are causing a threat. The biggest problem here is the lack of knowledge and skills to identify threats. A few years ago, office desks were full of post-it notes with passwords. Today, the general awareness of the confidentiality and importance of passwords, and of users’ responsibility for them, is high enough that you would probably have a hard time finding people who still write their passwords on a post-it note and stick it on the screen. A more significant issue is the more sophisticated ways of gaining access to confidential information. Among them, phishing attacks are the most common, but there is also a lot of phone phishing (i.e. vishing) and other types of social engineering.
Phishing attacks reflect a very comprehensive strategy
Using the web and online tools requires two things: awareness and alertness. Building awareness in your business environment means constantly educating users about different types of attacks and the elements in attacks. We’ve written about this on our blog before, so here’s just a quick reminder: if a person asks you to act quickly and creates time pressure, cut off the communication; never communicate passwords, log-in or bank details by e-mail or phone.
While alertness is usually associated with other spheres of life, it is also essential to be aware of your actions and surroundings when using IT tools and the web. We need to be aware that the sender of an e-mail or the person on the other end of a telephone connection is not just an individual. There are entire organisations behind these malicious messages, and they have teams trained to carry out social engineering. Their staff are skilled in manipulating the recipients of messages.
The first goal of an attacker is to gain your trust. The attacks are carefully designed and structured, trying to get as much information about the victim as possible, identify their online behaviour and dynamics, and personalise their messages as much as possible. These types of e-mail attacks are called spear phishing, and it is challenging to distinguish them from legitimate messages.
In the following stages of an attack, attackers rely on your emotional responses. When you trust someone, you want to be polite, compassionate and helpful. This can prove problematic, especially when physical access is involved (e.g. when someone “forgets” their card to access the office). There is also a sense of respect for authority and a desire to get (especially problematic) things sorted out as quickly as possible. This can lead to rash and hasty decisions.
Fear is also a significant emotional component. When the attack scenario is about unpaid bills, cancellation of an account and, in the next phase, threats of court hearings, fear quickly overrides rational thinking and checking the attacker’s identity. Fear is also an important factor when attackers claim that they will disclose information about our (allegedly) dishonest dealings.
Another card that attackers can play very successfully is desperation. In times of natural disasters, pandemics, and financial collapses, society has a greater desire and need to solve personal problems. These are often linked to the individual’s financial situation. In such circumstances, unrealistic offers to quickly earn large amounts of money can thrive very well.
Another old strategy that still works well is to exploit natural human curiosity. This can take the form of e-mails with enticing (often intriguing) content, or of misplaced USB sticks left for the finder to check what is on them and, in the process, download a malicious file.
Become a human firewall in your business IT system
As a user on the network, you need to keep your eyes wide open at all times. No message or call should be taken for granted, and there must always be a sense of doubt. Even if you know the sender’s name, check whether the message is genuine if the content seems odd. And if a phishing attack is attempted over the phone, hang up without a guilty conscience.
If you receive suspicious mail, a phone call or think someone is trying to sneak into your premises, you should immediately inform the relevant authorities in your organisation. Discuss your doubts and feelings openly with your colleagues. You are probably not the only one who has had this experience; the more you talk about it within your company, the more likely you are to prevent attacks.
Strive to comply with security and access policies at all times and encourage your colleagues to do the same. Spread the awareness that every access implies a certain level of responsibility. When you are given access, you are also given the responsibility to protect the information you are allowed to access.
Most importantly, never share your passwords and other personal data, and encourage your colleagues, friends, and family to do the same. As cybersecurity experts, we repeatedly warn of social engineering and point out red flags of attacks; however, we are sometimes still taken aback by the number of cases when users share confidential information with attackers.
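The checks a user is asked to make in this post (does the sender match the name you know, is there time pressure, is someone asking for passwords or bank details) can also be run mechanically before a message reaches a person. The script below is an added example, not code from the original post or from its authors: it scores a raw e-mail against those red flags, plus two header checks that catch typical spear-phishing tricks (a display name that impersonates a known colleague, and a Reply-To that silently redirects replies elsewhere). The organisation domain `example.com`, the `KNOWN_CONTACTS` directory, the keyword lists and both sample messages are constructed placeholders.

```python
"""Heuristic phishing red-flag scorer (added example; placeholder data throughout)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders for the organisation running the check.
INTERNAL_DOMAIN = "example.com"
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# Red flags named in the post: time pressure and requests for passwords or bank details.
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bas soon as possible\b",
    r"\bwithin \d+ (hours?|minutes?)\b", r"\baccount will be (suspended|closed|cancell?ed)\b",
]
CREDENTIAL_PATTERNS = [
    r"\bpassword\b", r"\bverify your (account|identity|login)\b",
    r"\bbank (details|account)\b", r"\bgift cards?\b", r"\blog-?in details\b",
]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg) -> str:
    """Collect every text/plain part (works for single-part and multipart mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _matches(patterns, text):
    return [m.group(0).lower() for p in patterns for m in re.finditer(p, text, re.IGNORECASE)]


def score_message(raw: str) -> dict:
    """Return a numeric score, a verdict and human-readable reasons for one raw message."""
    msg = message_from_string(raw)
    reasons, score = [], 0

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name of a known colleague, but sent from a different address.
    known = KNOWN_CONTACTS.get(display_name.strip().lower())
    if known and known != from_addr.lower():
        score += 3
        reasons.append(f"display name '{display_name}' impersonates {known} but was sent from {from_addr}")

    # 2. Sender domain that merely looks like ours (e.g. a digit swapped for a letter).
    if from_domain and from_domain != INTERNAL_DOMAIN:
        if SequenceMatcher(None, from_domain, INTERNAL_DOMAIN).ratio() >= 0.8:
            score += 2
            reasons.append(f"sender domain {from_domain} is a lookalike of {INTERNAL_DOMAIN}")

    # 3. Replies are quietly redirected to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_to)
    if reply_domain and reply_domain != from_domain:
        score += 1
        reasons.append(f"replies are redirected to {reply_domain}, not {from_domain}")

    # 4. The social-engineering content itself: time pressure and credential requests.
    text = (msg.get("Subject", "") or "") + "\n" + _body_text(msg)
    urgency = _matches(URGENCY_PATTERNS, text)
    if urgency:
        score += 1
        reasons.append("time pressure: " + ", ".join(sorted(set(urgency))))
    creds = _matches(CREDENTIAL_PATTERNS, text)
    if creds:
        score += 2
        reasons.append("asks for credentials or bank details: " + ", ".join(sorted(set(creds))))

    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages: one spear-phishing attempt, one ordinary internal mail.
SAMPLE_SPEAR_PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@mail-relay.test
To: bob@example.com
Subject: Urgent: wire before noon

Bob, I need you to act immediately. Please send the bank details for the
supplier and confirm your password so finance can verify your account today.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch on Thursday?

Hi Bob, are you free for lunch on Thursday? No rush, let me know next week.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPEAR_PHISH, SAMPLE_LEGIT):
        result = score_message(sample)
        print(result["verdict"], result["score"], *result["reasons"], sep="\n  ")
```

The header checks are the ones a person rarely performs by eye, which is why they carry more weight than the keyword matches; the keyword lists are deliberately short and should be tuned to the language and vocabulary of the organisation rather than used as-is.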
The key to cybersecurity awareness and alertness is continuous education and training in recognising social engineering attacks.
* Source: Infosecurity Magazine: The Biggest Cyber-Threat Isn’t Hackers, It’s Insider Threats
** Source: CISA
Simulated phishing attacks are an effective way to train employees to identify phishing attacks and malicious links.
Since users are the most vulnerable part of IT systems, regular security awareness training is crucial for a stable security posture.
Take advantage of free tools to test how social engineering simulation attacks work and how they can help you improve your cybersecurity posture. The toolbox includes KnowBe4 tools related to…