Times are changing. Attacks are becoming much more sophisticated, and hackers are exploiting human vulnerabilities to gain access to enterprise networks and private information. Employees and end users want to help protect your company's sensitive data; we just need to show them why they should care. By educating your employees on security best practices and current human vulnerabilities, you can take a step toward ensuring you're not one of the many organizations that are breached.
Forty-three percent of companies experienced a data breach in the past year. This number is staggering, especially when you consider the number of organizations that could have been breached without even knowing or without properly reporting it. It's impossible to defend against every threat out there, but what is possible is setting up the best defense mechanisms you can to decrease your chances of a breach exponentially. This means more than just setting up a bunch of hardware with blinking lights and sirens. It means taking a proactive approach to securing your organization's front line: the humans.
When looking at today's threat landscape, humans are proving to be one of the most vulnerable links in the information security chain. The problem is that so often it is a human decision, not a technological one, that allows the threat to come to fruition. If one chooses not to take security measures, the vulnerability is human, not technological.
From sending sensitive information over public wireless connections to clicking on malicious links in phishing emails, expensive mistakes are being made every day. There is no end-all solution that will thwart all of these attacks, but there are controls, such as taking steps to educate users, which can be put in place to increase resiliency.
The purpose of this paper is to help organizations of all sizes understand the current threat landscape as it pertains to human vulnerabilities, and how to take the first steps toward mitigating them. By the conclusion of this paper, you should be able to:
- Understand what attack vectors are being used in attempts to breach your network or steal information
- Recognize what employee behaviors may be putting your organization at risk
- Develop a strategy to better inform your users of these threats
Understanding Threats and Attack Vectors
An attack vector is the approach used to assault a computer system or network. It is a fancy way of saying "method or type of attack," and the term may refer to a variety of vulnerabilities. There are countless ways in which an employee's weaknesses can be exploited by attackers. Understanding where the vulnerabilities and dangers lie is the first step in creating a successful mitigation strategy. The following areas are pain points experienced by organizations across all industries.
By definition, phishing is the practice of using fraudulent emails and copies of legitimate websites to extract private information and data from computer users for illegal or malicious reasons. We've all gotten them before, but have we been able to identify these scams? Every email user will at some point get some sort of phishing email. It's nearly guaranteed, and our chances are rising each day.
So, what is the end goal of attackers who are carrying out phishing attacks? People phish in order to either obtain information or to drop malware that can be deployed instantly or at a later time. That "or later" part is very important because you may not always see the consequences or effects immediately; it may take a good while. At the end of the day, we're dealing with social engineering through electronic delivery. The more creative our electronic capabilities get, the more opportunities bad people will take to exploit those new technologies.