With ransomware attacks skyrocketing, companies are assessing all of their potential cyber vulnerabilities. Employees are the weak point in most companies' protection, and less-experienced employees are often the most likely to open organizations up to an attack.
Rash Decisions and Digital Dossiers
Fully 85 percent of data breaches in 2020 included a human element, according to Verizon's 2021 Data Breach Investigations Report. Ransomware attacks were found in 13 percent of human-related breaches and are projected to increase this year—and that's after doubling in frequency last year.
An October 2019 survey by technology services company NTT revealed that younger workers are typically more careless about cybersecurity than their older counterparts and thus more likely to open their employers up to attacks. Workers under the age of 30 scored lower than 30- to 45-year-olds and 46- to 60-year-olds in terms of good cybersecurity practices.
But the problem, according to NTT CEO Matt Gyde, isn't that they don't understand the need for cybersecurity; for younger workers, cybersecurity is ingrained. Rather, their recklessness stems more from their fast-paced approach to work and life. "They expect fast resolutions … and detest having their productivity derailed," he wrote in the report. "This can lead to risky decisions."
According to Stu Sjouwerman, CEO of the cybersecurity awareness training company KnowBe4, young people are more likely than older employees to click on a bad link. While they tend to be much more comfortable with technology, they are perhaps a bit too comfortable. "Young people grew up with the Internet," he said.
Brad Deflin, CEO of TotalDigitalSecurity, noted that while young people are generally more tech-savvy when it comes to maneuvering around the Internet, they also tend to be far more reckless. "They're living their financial lives on Venmo, and they're sharing some of their most compromising experiences publicly," he said.
Cybercriminals scour the Internet for information to exploit the employees of companies they are targeting. So when workers post excessively on social media, they provide bad actors with a potential treasure trove of material to use. For example, if an employee is on vacation and posting photos on a public Instagram page, a cybercriminal can see that the individual is not in the office. Since the employee is also likely not checking e-mail, the criminal can impersonate the employee by sending a spoofed e-mail to another staff member. Such an impersonation attempt could include a malicious link or dupe the recipient into initiating a money transfer.
Furthermore, posting potentially embarrassing content on social media can haunt people throughout their careers. It doesn't necessarily even have to be illicit activity, but simply activity that a prospective employer could find and use to decide a job candidate is not the right fit. "You're creating an eternal, digital dossier. It's written in stone; you will not erase that," Deflin said.
Stepping Up Training
Sjouwerman urges companies to do a better job of training their younger employees to identify phishing attacks. In fact, departments may want to consider adopting some type of cybersecurity quiz when onboarding new employees. While most companies require employees to go through some type of cybersecurity training, actually testing job candidates may prove beneficial.
Although Sjouwerman isn't aware of any organizations that are currently administering cybersecurity tests to job candidates, he thinks it is a good idea. "There are many tests being run by HR departments in the hiring process," he said. "And I would envision that this would be one of the new skill sets that they could test."
Deflin agreed that testing job candidates would help employers get a sense of whether an employee is going to take cybersecurity seriously. "I would have to think it through from an HR standpoint to see if it was consistent with a firm's policies and culture," he said. "But it seems, on the surface, to make some level of sense because somebody that comes in and is totally apathetic and reckless can be a true liability."
However, Deflin believes it would be more effective for organizations to provide employees with cybersecurity training that goes beyond compliance. He stressed that employees need to understand that good cyber practices aren't just about protecting the company's bottom line; they are about survival in the digital age. "What we've found is that when you personalize these issues in training and education, the level of interest goes up, the retention of behavioral change lengthens and the results are much better," he said.
Of course, all this also requires good defensive technology. Deflin recommends companies provide their employees with security solutions they can use not only on their work computers but also on their own personal devices. "That is where awareness spikes up; that is where behavioral adaptation goes up," he said. "I think that we have to prepare the people around us to think critically about things we have never seen before when it comes to cyber and digital."
Cybercriminals are now using artificial intelligence, and for companies and individuals who are unprepared, this can be a game changer. This technology can target 10,000 different employees at once, and each attack can be customized. "I think in the following 12 to 18 months, we're going to see a lot of that type of activity that is going to knock some folks around," Deflin said. "So we've got to equip people with the skills and the context to think critically when they're in front of something they may have never seen before. And that's the challenge."