It didn't take long for cybercriminals to use the global pandemic to their advantage. One e-mail scam promised money from a COVID-19 "global empowerment fund" if recipients provided their bank account information. Another offered loans from the U.S. Small Business Administration for pandemic relief and included a malicious link to a spoofed SBA website that stole users' credentials. Still another promised early access to vaccines and stole personally identifiable information. Cybersecurity company Proofpoint reported that by mid-March 2020, 80 percent of all threats it scanned each day referenced COVID-19.
"Adversaries love chaos, and this was a time of chaos," says Emily Mossburg, Deloitte's global cyber leader. For organizations that rushed to enable employees to work from home, "they changed the landscape of their technology footprint drastically and very rapidly, with a focus on keeping the lights on and keeping business afloat." That sometimes meant taking shortcuts on security.
Security Risks in Hybrid Work
The world of hybrid work demands better security. "As we move to work anytime from anywhere, organizations should ensure that they have built-in security at the foundation," Mossburg says. In particular, organizations need to effectively secure endpoints—all those mobile phones, laptops and other devices employees use to connect and work from places other than an office
Technology is important, but the old expression that "humans are the weakest link" in any cybersecurity program seems truer than ever. Employee training is a critical line of defense as cybercriminals continue to prey on remote workers. "The easiest way into an organization is by tricking an employee to let you in." says Tim Sadler, CEO of cybersecurity company Tessian.
A Tessian survey found that 88 percent of data breaches involved human error.
And in a hybrid work environment, employees may pay less heed to the rules or simply be more likely to make mistakes since they're not in a formal office, especially if they're juggling family and other demands. In the Tessian survey, 43 percent of employees said they have made mistakes at work that compromised cybersecurity; 58 percent admitted having sent a company e-mail to the wrong person, often because they were distracted or tired.
"Every CISO [chief information security officer] I've spoken to is wondering what work-from-home means in terms of security, when there is zero distance between the office, the living room and the kitchen," says Robert Holmes, Proofpoint's vice president and general manager of email fraud defense.
To that end, executives would do well to encourage more cooperation between the technology side of the house and the people side. "This is an area where there's a huge opportunity for the CHRO [chief human resource officer] and the CISO to have a strong relationship," Mossburg says. First, they can team up on training programs to increase security awareness. Second, the CISO can help HR strengthen practices, processes and systems to ensure the security of employee data in distributed work environments.
The Cost of Cybercrime
Cybersecurity has become more urgent as the pandemic spurred a flood of social engineering attacks playing on people's uncertainty and fear. The result was not only an increase in the number of attacks but also substantially higher financial losses
Complaints to the FBI's Internet Crime Complaint Center were up 69 percent in 2020, claiming a total of $4.2 billion in losses, up from $3.5 billion in 2019.
The costliest type of attack was "business e-mail compromise" (when criminals send an e-mail message that appears to come from a known source making a legitimate request), which made up 43 percent—$1.8 billion—of the total losses. Phishing scams also rose dramatically. The amount paid in ransomware attacks rose in 2020 by more than 300 percent to $350 million, according to a report from the Ransomware Task Force, a team of experts from business, government and academia.
The cost of each individual data breach, on average, is also up. According to the Cost of a Data Breach Report 2021 by the Ponemon Institute and IBM Security, the average cost of a breach rose 10 percent, to $4.24 million.
The breach of customer personally identifiable information (PII) is the most expensive type of breach—at $180 per record—and it gets the most attention. But the breach of employee PII runs a close second—at $176 per record—and probably does as much damage as customer data breaches. Employee PII theft not only impacts individual workers but also saps company morale and can hurt worker retention and recruitment.
These breaches also supply cybercriminals with a treasure trove of data to use in other crimes down the road. With employee data, criminals can target individuals in ransomware attacks by, for example, encrypting all the data on their hard drive and demanding money to send the encryption key, says Larry Ponemon, founder and chairman of the Ponemon Institute, a research organization in Traverse City, Mich. An even more serious potential follow-up crime occurs when hackers use stolen information to impersonate employees and gain access to an organization's network.
Where the Money Is
The 2021 Data Breach Investigations Report from Verizon found that 61 percent of all breaches involved the theft of credentials, such as usernames and passwords. Credential phishing accounted for two-thirds of all malicious messages tracked by Proofpoint in 2020.
"Credentials are gold because criminals can use them in so many ways," Holmes says.
For one thing, these individuals can make cyberattacks less scattershot and more targeted. Take ransomware, for example. Two to three years ago, the most common ransomware crimes were "first-stage" attacks, Holmes says. In these attacks, hackers use botnets to send out millions of e-mails, hoping potential victims will click on the link. When the recipients do, the attacker encrypts the hard drive on their computers and holds their data for ransom.
Today, attacks are multistage. The bad guys do their research, identifying who might have privileged access—an IT manager, for example, or maybe the CFO—that permits them to access sensitive data. The hackers then target that person with a phishing e-mail that, when clicked, steals their credentials. "Now the cyber criminals can log in and do deeper reconnaissance," Holmes says. "They can see what's in that person's inbox or on their calendar. They can access the SharePoint server and discover the organization's vulnerability, then lock up all the data for ransom."
Criminals can also use the hacked account to send employees very convincing phishing e-mails that appear to come directly from company officials. In a recent case, an employee was convinced an e-mail was valid because it referenced the fact that the sender coached the employee's kid's soccer team, Holmes says. But the fraudster could easily find such personal information if he had the sender's credentials and had read e-mails in the "sent" folder.
Next-Generation Training and Testing
The vulnerability of humans to such social engineering attacks, and the waves of subsequent attacks that can follow, make cybersecurity training more important than ever. And it's no longer one-size-fits-all
"Some general broad training on the topic is important, but then target the training based on the role that an employee plays in the organization and how a cybercriminal might target them," Mossburg says. An IT systems administrator might get a tech-related phishing e-mail that lays out some believable reasons for needing to access credentials, while someone in accounts payable is more likely to get an e-mail about a wire transfer.
Mastercard has a dedicated team specifically focused on reducing human cybersecurity risk through education and training. "We use the concept of 'all, some and few,' " says Jon Brickey, senior vice president and cybersecurity evangelist for operations and technology. " 'All' employees need a base line of awareness, like 'don't click on links in e-mails that look phishy.' Then there's 'some'—for example, a software developer needs special training in how to write secure code. Then we have the 'few'—those who need very specific training and certification, such as penetration testers."
To make security-awareness training more engaging, Mastercard runs a virtual escape room. Similar to real-life escape room games, employees work in teams, finding and piecing together security-related tips to build a key that enables them to unlock the door and free themselves. For example, they may call out a password left on a note or a sensitive document left open on a monitor.
"This makes training fun and also helps employees to apply what they're learning," Brickey says. "You can't just shove slides at people and expect them to absorb the material and change their behaviors."
In fact, training has become more interactive, engaging and effective over the last few years, Ponemon says. "Some security vendors provide simulations so real that you forget you're in a class," he notes. Such experiential learning tends to put the lessons into context and make them stick.
What's Your Cybersecurity IQ?
Some employers have started rating employees on how well they absorb and apply their cybersecurity training. Last year, as the COVID-19 pandemic disrupted the workplace, Mastercard introduced a "SecurIT" score for each employee, Brickey says. The score comprises multiple metrics, such as how often the employee clicked on a link in a phishing simulation. If an employee has a low SecurIT score, that might trigger remedial training or even a discussion with their manager. The scores "help us to understand what the human risk is at Mastercard," Brickey says. "It's like a credit score, except for security behavior."
Cybersecurity IQs of individuals are important measurements, Holmes says, but he wants companies to build on that by combining them with other data. Proofpoint uses a construct in which it identifies which people are the most vulnerable (low scores), which people are the most frequently attacked and which people have privileged access.
"Imagine the intersection of those three circles. In the center is the perfect storm: a link-clicker who is frequently targeted and has privileged-access credentials," Holmes says.
By identifying who falls into that category, companies can provide more training to those specific people and tighten technical safeguards—like putting more controls in place to catch more potential phishing attempts. "That is where the next generation of security is headed," Holmes says.
Sadler adds that cybersecurity IQ scores should be updated regularly with new test results, and programs adjusted accordingly. "You can't just do it once a year," he says.
As companies adjust cybersecurity practices to protect them in a hybrid-work world, executives should remember that it's a process of continuous improvement, Mossburg says. She's had executives ask her whether a cybersecurity program was finished. "The bottom line is: You are never done," she says, explaining that organizations may need an initiative that focuses on closing security gaps, but they should always be embedding security awareness throughout the business. "Cybersecurity needs to become part of the fabric of the organization."
Tam Harbert is a freelance technology and business reporter based in the Washington, D.C., area.
SHRM provides advice and resources to help business leaders safeguard their organizations against cyberthreats.
Data Breach Report Emphasizes Cybersecurity's Human Element
For all the millions of dollars an organization might spend on security technology, employees' decisions and actions do the most to keep the company safe.
Taking a People-First Approach to Data Security
Despite years of exhortations to employees from IT and HR departments to take steps to protect data and systems, breaches still occur. What are organizations doing about data security to achieve better results?
Help Employees Understand the Importance of Cybersecurity
A personal cyberattack on an employee can create a huge burden for the organization—sidelining the individual for hours or days and potentially requiring security and IT support from the employer. What can and should you do to help prevent such a scenario?
With Ransomware Attacks, Déjà Vu May Be the New Normal
Unfortunately, very few, if any, companies are immune from cybercriminals' reach. What can you do to minimize your chances of being a victim? What should you do in case you fall prey to a cyberattack?
The Cybersecurity Challenge
With cyberthreats growing in sophistication, organizations will have to up their game by deploying significant and wide-ranging organizational defenses.
SHRM Resource Hub Page: Cybersecurity
Corporate digital security requires a real team effort. Employers can tap these resources for help improving their cybersecurity efforts in the workplace.