Earlier this year, President Biden delivered a stern and urgent warning to the business community in response to evolving intelligence that Russia could be planning cyberattacks against critical U.S. infrastructure: “If you have not already done so… harden your cyber defenses immediately.” FBI Director Christopher Wray also echoed this warning and added that both China and Russia have been aggressively seeking to find and exploit vulnerabilities to gain access to American companies.
A rise in cyber incidents
Cybercrime against private-sector targets has already been exploding. The recent 2021 FBI Internet Crime Report discussed “an unprecedented increase in cyberattacks and malicious cyber activity,” with close to 850,000 internet crime complaints reported last year — an 81% jump from 2019. Ransomware attacks alone increased almost 93% in 2021, with more than half of those incidents occurring in North America.
Looking at the high-profile ransomware incidents of the past year attributed to Russia-affiliated groups, such as the attacks on Colonial Pipeline and on JBS, the world's largest meat processor, security leaders may be seeing a harbinger of what is to come. The ongoing war in Ukraine will only increase this risk, especially as sanctions on Russia continue to tighten.
Companies have spent a great deal of time, money and resources over the years securing their enterprise systems: strengthening firewalls and endpoints, enhancing user activity monitoring, and layering on data encryption and password protection. So why, after all these investments in security, are companies still at great risk of cyberattacks?
Insider threats to an organization
One frequently and easily overlooked vulnerability is people: those inside the organization who may be willing to use their access for personal gain, or who are vulnerable to external coercion to circumvent company protections. In either case the damage to the organization can be significant, but it is also avoidable.
Employees are an easy entry point for attackers. According to 2021 industry statistics, 92% of malware was delivered by email and 90% of data breaches were the result of phishing. The risk of a data breach is compounded by workers who, despite their training, are distracted by negative life events or other external stressors and still click the link.
Beyond the risks of spear phishing, attackers are taking an increasingly direct approach to getting employees to deploy ransomware for them. In one survey, 65% of executives said that they or their employees had been approached to assist in a ransomware attack. Malicious actors look for people who are struggling financially or may otherwise be receptive to a large amount of cash. It has been said that anything is for sale for the right price, and that includes an organization's most trusted employees. Bribes can turn trusted employees into malicious insiders who secretly help launch a ransomware attack against their own organization. This insider threat is every bit as dangerous as an external cyberattack, and harder to detect, because the insider's access is legitimate.
Protecting against internal cyber threats
Hardening company defenses starts with cybersecurity training on how to avoid potentially compromising mistakes, both in and out of the physical workplace. Training should cover how to recognize a phishing attempt and what to do in the event of a compromise. This training must be reinforced with proactive employee outreach to support those who are struggling and are therefore at high risk of being distracted or targeted.
In tandem with training and monitoring, employees must be able to report suspicious activity or encounters in the workplace anonymously, especially when they themselves are asked to participate. Platforms that include an anonymous self- and peer-reporting feature also create a critical paper trail. Where there are multiple reports of suspicious behavior by an employee, contractor or even client, especially if that behavior persists after intervention, leadership can use that evidence as grounds for whatever action must come next.
The government is getting on board with a reporting approach: President Biden recently signed the Cyber Incident Reporting for Critical Infrastructure Act, which will require covered critical infrastructure entities to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours and ransom payments within 24 hours, once CISA's implementing rules take effect. Policies of this kind give security leaders greater insight into the nature of the threats before them.
Finally, a continuous behavioral monitoring system can help identify anomalous employee digital behavior, whether in web browsing, email or social media posts, by comparing each user's current activity against their own established baseline. This allows management to address a potential risk before it causes irreparable financial and/or reputational harm to the organization. Such monitoring must be scoped to company systems and accounts, disclosed in policy and reviewed with legal and HR, or it becomes a liability in its own right. Organizations should also widen their risk assessment to include employees who are under financial stress.
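As an added illustration of the baseline-and-deviation approach the paragraph describes (this is example code written for this page, not a product or the article's own tooling), the script below builds a per-user profile from a short window of file-access logs and flags later activity that departs from it: access outside the user's normal hours, access to a share the user has never touched, and a daily download volume far above the user's norm. The log format, the 07:00-19:00 working window, the three-standard-deviation volume threshold and the log lines themselves are all constructed assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): timestamp, user, action, target, bytes.
# The first ten lines form the baseline week; the last three are the period under review.
SAMPLE_LOG = """\
2022-04-04T09:12:01Z user=alice action=download target=share/finance bytes=120000
2022-04-04T10:40:13Z user=alice action=download target=share/finance bytes=95000
2022-04-05T09:03:44Z user=alice action=download target=share/finance bytes=110000
2022-04-05T14:22:09Z user=alice action=download target=share/finance bytes=100000
2022-04-06T09:15:30Z user=alice action=download target=share/finance bytes=130000
2022-04-07T09:45:02Z user=alice action=download target=share/finance bytes=105000
2022-04-04T09:30:00Z user=bob action=download target=share/eng bytes=50000
2022-04-05T09:30:00Z user=bob action=download target=share/eng bytes=55000
2022-04-06T09:30:00Z user=bob action=download target=share/eng bytes=52000
2022-04-07T09:30:00Z user=bob action=download target=share/eng bytes=48000
2022-04-11T02:17:45Z user=alice action=download target=share/finance bytes=4000000
2022-04-11T02:31:10Z user=alice action=download target=share/hr bytes=2500000
2022-04-11T10:05:00Z user=bob action=download target=share/eng bytes=51000
"""

# Assumed log format for the example; a real deployment would parse its own sources.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "action": m["action"],
                       "target": m["target"], "bytes": int(m["bytes"])})
    return events


def is_off_hours(ts):
    # Assumed working window for the example: 07:00 to 19:00 on the log's (UTC) clock.
    return ts.hour < 7 or ts.hour >= 19


def build_baseline(events, cutoff):
    """Per-user profile from events before cutoff: daily volume stats, targets seen, off-hours use."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> date -> bytes downloaded
    targets = defaultdict(set)                      # user -> shares accessed
    off_hours = defaultdict(int)                    # user -> count of off-hours events
    for e in events:
        if e["ts"] >= cutoff:
            continue
        daily[e["user"]][e["ts"].date()] += e["bytes"]
        targets[e["user"]].add(e["target"])
        off_hours[e["user"]] += is_off_hours(e["ts"])
    baseline = {}
    for user, days in daily.items():
        vols = list(days.values())
        mean = statistics.mean(vols)
        sd = statistics.stdev(vols) if len(vols) > 1 else 0.0
        baseline[user] = {
            # Assumed threshold: three standard deviations above the user's own daily mean.
            "volume_threshold": mean + 3 * sd,
            "targets": targets[user],
            "off_hours_seen": off_hours[user] > 0,
        }
    return baseline


def score(events, baseline, cutoff):
    """Return (user, finding_type, detail) tuples for post-cutoff activity outside the baseline."""
    findings = []
    day_bytes = defaultdict(int)   # (user, date) -> bytes, for the volume check
    for e in events:
        if e["ts"] < cutoff:
            continue
        prof = baseline.get(e["user"])
        if prof is None:
            # A user with no history cannot be scored against a baseline; surface that too.
            findings.append((e["user"], "NO_BASELINE", str(e["ts"])))
            continue
        if is_off_hours(e["ts"]) and not prof["off_hours_seen"]:
            findings.append((e["user"], "OFF_HOURS", str(e["ts"])))
        if e["target"] not in prof["targets"]:
            findings.append((e["user"], "NEW_TARGET", e["target"]))
        day_bytes[(e["user"], e["ts"].date())] += e["bytes"]
    for (user, day), total in day_bytes.items():
        if total > baseline[user]["volume_threshold"]:
            findings.append((user, "VOLUME", f"{day} {total} bytes"))
    return findings


def run(log_text=SAMPLE_LOG, cutoff=datetime(2022, 4, 8)):
    """Build the baseline from events before cutoff and score everything after it."""
    events = parse_log(log_text)
    return score(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for user, kind, detail in run():
        print(f"{user:6} {kind:11} {detail}")
```

On the constructed data, alice is flagged three ways on 11 April (two downloads at 02:00 when she has never worked off-hours, a first-ever access to share/hr, and 6.5 MB in a day against a baseline of roughly 0.1 to 0.2 MB) while bob's unchanged pattern produces nothing. The point is that each user is compared only with their own history, which is what lets this kind of monitoring catch a trusted insider whose access is entirely legitimate; the thresholds and the window lengths are tuning decisions that should be set from real data, not copied from here.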
There is an oft-used phrase that a company's greatest asset is its people. To stay true to that maxim, organizations need to do more to incorporate that asset into their overall risk management strategy. As cybercriminals become more sophisticated and brazen, fortifying networks alone is no longer enough.