How can organisations prevent employees from being exploited?

If you read our previous blog about insider threats to the legal sector you might recall that there are three types of insider threats facing organisations today. While not the most common, employee exploitation by external parties is a very tricky problem for any business to remove entirely (the other two are human error and malicious intent).

Although sophisticated cyber-attacks have become more common over the past few years, the weakest link in any organisation is still human behaviour.

As such, criminals are always on the look-out for ways and means into tricking company employees into handing over information, or accidentally giving access to user accounts or data bases. They want to find the path of least resistance to achieve their goals quickly and quietly. Broad-brush phishing attacks aimed at many unsuspecting employees in one sweep have repeatedly been successful in many industries. Spear-phishing attacks cleverly tailored to individuals are also effective, but take them more time.

People are the weakest link

Human behaviour remains the common weak link in cyber security, and it is without doubt the most targeted one in every organisation, even for those with the latest security technology. With more people working from home and with a large number working on multiple devices, including their personal smartphones and tablets, criminals have a larger ‘surface area’ to try to break into to get inside company accounts.

When it happens, the majority of employees have no idea that their accounts have been compromised. When criminals masquerade as employees inside IT ecosystems it’s very difficult for companies to tell them apart; they could be lurking there for weeks, months or years before ever being found out.

If they obtain confidential or valuable information they might use it in several ways, including to blackmail people into handing over money for the information or selling it on the dark web, or approaching other potential buyers directly. They might also encrypt data or systems until a ransom is paid to release them again.

Social engineering still brings success

According to Verizon’s 2022 Data Breach Investigation Report, threat actors employed social engineering in 82% of all breaches recorded last year. As in previous years, their main technique was phishing their targets via email, which made up 60% of all attempts.

Training employees in cyber security awareness is one way to combat exploitation. However, cyber threats are continually evolving as cybercriminals spend more time trying to stay one step ahead of the game. And organisations can’t be expected to keep refreshing their employee education in a practical and efficient manner. Furthermore, many professionals are time-poor and reluctant to take training in topics that aren’t essential to their day job. And many people incorrectly think cyber security is the sole responsibility of the IT team – who neither have the capacity nor the knowledge to handle it.

Phishing simulation and training

Phishing protection and simulation is a more precise way to test employees’ reactions to receiving different types of emails without them being aware that it’s an exercise. With the agreement of the business, a good cyber security company can run a tailored phishing campaign to identity which staff readily click on fake emails and fall for the bait. Based on the results, an appropriate plan of action can be put into place to improve awareness within the workforce.

While Verizon’s report claims that only 2.9% of employees clicked on phishing emails last year, that’s still a vast number of people and far too many opportunities for threat actors to work with. The good news is that more people are becoming better at spotting potentially dangerous emails and more are reporting them too.

Penetration testing and IT health-checks

There are two other very effective but simple steps that organisations could take to protect themselves in the event of a successful phishing attack. Penetration testing emulates the current real-world tactics, techniques and procedures (TTPs) used by criminals today. This authorised ‘attack’ is designed to identify weaknesses in a company’s security and also give concrete assurances about what defences are already working well.

With an IT and Cyber Security Health-Check, companies can get an in-depth review of their current security maturity against a recognised standard such as the National Cyber Security Centre (NCSC) Cyber Essentials Scheme and Cyber Assessment Framework.

Standard business procedure

Comprehensive security checks such as these are no longer luxury services; national security agencies including the UK’s NCSC, which is part of GCHQ, strongly recommend them as part of any company’s normal business activities. As cyber-attacks become more frequent and more sophisticated, and as the British government gets more serious about cyber security, they might one day become standard procedure across the UK’s digital economy.

Companies that have taken a bold, forward-thinking approach to their own security are already seeing the benefits. They minimise the chances of losing client data and avoid the subsequent embarrassing loss of trust in their brand along with the fines from regulatory bodies and any potential poor publicity.

Additionally, these services needn’t take up resources that organisations don’t have. Certified cyber security companies have developed the expertise to meet the growing demand.

Delve deeper into insider threats and explore our industry expertise

If you would like to explore more of this topic, you might wish to read our previous blog entitled ‘

To learn about Quorum Cyber’s capabilities in protecting organisations in specific industries, please visit the dedicated pages under Solutions -> Industries from the home page of our website.