Cybersecurity remains a hot topic. Information security incidents continue to rise, and the press reports new ones every few days. Behind them lie various causes, such as the exploitation of vulnerabilities in computer systems by third parties, social engineering attacks or employee negligence.
It is clear that if organizations want to protect themselves against the heavy losses these incidents entail, they must take action and proactively defend against the threats that constantly lurk. As mentioned, information security can be compromised for various reasons and, although all of them are relevant, one is becoming increasingly important and does not always receive the attention it deserves: the human factor.
Attackers point their weapons at people with increasing frequency. Employees therefore remain a gateway into organizations, since they have access to the organization and to the information it handles, but they can also easily become a barrier against cybercriminals and other types of incidents. All that is needed is to become aware of the risks associated with the human factor and to propose effective measures to mitigate them.
For this reason, from Kymatio we bring 5 cybersecurity trends for 2023 associated with people so that organizations can propose a preventive solution that protects them against different threats and risks.
1. Rise of ransomware
We are currently experiencing a wave of ransomware attacks that affect the information security of multiple entities. This type of malware “hijacks” the files, encrypting them to later ask for ransom money.
On many occasions, it is the organization’s own employees who allow this danger to materialize and, in the vast majority of cases, unintentionally.
Cybercriminals build increasingly sophisticated attacks that try to exploit people’s vulnerabilities. Fraudulent emails continue to gain credibility, especially through targeted phishing campaigns that can even rely on phone calls (vishing). Therefore, if employees do not maintain an adequate alert level throughout the year, the probability of falling victim to these deceptions skyrockets.
2. Deepfakes
Phishing is not the only threat we face. As mentioned in the previous section, attacks are becoming more sophisticated, and the appearance of deepfakes brings a new and powerful weapon to the table.
Thanks to these deepfakes, cybercriminals can create fake videos or phone conversations with the face and voice of known people. In this way, our ability to discern between reality and deception is reduced, making this type of attack one of the most effective.
Helping the workforce to learn to detect them and be prepared for their arrival at any time seems key for organizations if they do not want to see the security of their assets compromised.
3. Remote work
With the pandemic, the employees of the organizations were forced to transfer their work activity to their own homes. Although normality is gradually returning and many offices have reopened, it is safe to say that teleworking is here to stay. Perhaps not in all companies and not every day, but the considerable increase in demand for this way of working has meant that a large number of people now carry out their functions from home for at least a few days a month.
Of course, this allows employees a better reconciliation between the different areas of their lives and confers greater comfort, but it also carries a series of associated risks.
Often, security measures at home are not as robust as those in the office, and the greater reliance on technology to communicate with colleagues does not help either. Cybercriminals are aware of this and take advantage of the gaps that can arise to craft attacks targeting employees.
4. Zero trust
It may seem that this measure is purely technological, but nothing is further from the truth. Zero trust refers to verifying the identity of, and controlling the access of, any person to the different files and applications managed in an organization.
Guaranteeing that sensitive information can only be accessed by the people who are strictly necessary for the minimum amount of time is essential to reduce the risks associated with the human factor.
In this way, if an attacker were to steal an employee’s credentials and try to exploit their privileges, their job would be made more difficult because permissions are restricted. The same applies to negligence: to err is human, so it is not unreasonable to think that, at some point, we can all make mistakes. The problem is that if we make a mistake while handling sensitive data, the severity of the consequences can be unimaginable.
5. Mobile risks
If there is one thing that keeps us connected throughout the day, it is the mobile phone. We find phones comfortable to use and, due to their size, we can always carry them with us and handle them easily at any time. However, this also means that our exposure to cyber threats is just as constant.
Although the official application download platforms have filters to rule out apps that could contain some type of malware or be fraudulent in any other way, cybercriminals sometimes find a way to circumvent these barriers. They disguise malicious apps as completely innocuous applications, such as flashlights or foreign-language dictionaries, and the moment users download them, their security is compromised.
Nor can we ignore the various smishing messages that reach us through SMS or even WhatsApp. Messages supposedly from our bank, from parcel delivery companies, or even from relatives and friends whose accounts have previously been stolen reach us constantly and seek to deceive us into handing over our data. Therefore, if we are not attentive, we could fall victim to a hoax at any time.
It is clear that, to increase the security of organizations, it is necessary to take measures aimed at risk management. The human factor is the main focus on which cybercriminals set their sights, so it is essential to invest in this area. However, only 3% of security spending goes to it.
As we said at the beginning of the article, employees can be a gateway to threats or a barrier that protects the organization against them. The difference is in the state of alert they maintain throughout the year.
The way to raise this level is very simple and within the reach of any entity: awareness. Or rather, adequate awareness.
Offering monotonous courses once or twice a year is not effective, nor is boring and dense content delivered to everyone equally. For an awareness program to be successful, it must be adapted to each employee based on their needs, training them in those areas that need to be strengthened. In addition, it must be recurring to prevent everything from being forgotten once these courses end.
Promoting a cybersecurity culture in the organization involves putting employees at the center and helping them stay protected both at work and in their personal lives.
Kymatio® helps organizations stay safe thanks to its SaaS human risk management platform. It offers automatic awareness plans adapted to each employee according to their needs, respecting their time through monthly sessions of 5-7 minutes. In this way employees can raise their alertness and maintain it throughout the year.
It also offers phishing and neurophishing simulations, a type of simulation aimed at the vulnerabilities of each employee to strengthen them against attacks of this type.
Finally, the monitoring of exposed credentials helps manage the risk associated with the compromise of this information in third-party security breaches.