Cybercriminals are now frequently targeting the weak links in an organisation’s security framework – employees, according to a new study.

Proofpoint’s Protecting People study, published today, focuses on attacks that target people rather than technology. The security firm analysed more than 600 million emails as part of its research, as well as 7 million mobile apps and hundreds of thousands of social media accounts.

As social engineering and phishing techniques are growing in popularity, questions must be raised over how organisations can ensure adequate cyber hygiene.

Employees Under Siege

Employees are becoming increasingly exposed through fraudulent email and social media scams, said email security firm Proofpoint. Government agencies and retailers have witnessed a staggering increase in email fraud attempts this quarter, with attempts rising 91% against companies and 84% against government agencies.

Year on year, the number of attacks has also risen. Attacks against government agencies have increased five-fold over the last 12 months, while attacks on the education sector have more than tripled.

Those working in operations and production capacities are at significant risk, according to the study. Around 23% of people in these areas have been exposed to malware or credential phishing attacks, while the number of email fraud attacks per targeted company in this area also rose by around 85%.

Lower-level management workers are also increasingly exposed, with 60% of sophisticated malware and phishing attacks focused on them. Executives and high-level management, despite accounting for a smaller portion of the workforce, are targeted the most.

Lisa Forte, of Red Goat Cyber, said that social engineering – and phishing in particular – is one of the fastest growing attack vectors in 2018. Rather than invest time in bypassing technical controls, attackers find that targeting staff offers a far easier point of entry.

“Social engineering and phishing, in particular, is one of the fastest growing attack vectors,” she said. “The reason for this is that the majority of attackers are running a business, and, like all of us, they need to see a good return on investment.

“Spending days, weeks or months trying to bypass a company’s technical controls reduces that ROI. Going after their staff can be far quicker.”

The number of malicious emails soared 36% compared to the previous quarter as the availability and sophistication of email payloads grows. Ransomware has also seen a resurgence during this quarter, accounting for more than 10% of the total malicious email volume.

This marks a concerning comeback for this attack method. In 2017, ransomware appeared to be in vogue, yet in the early stages of 2018 its share of malicious email had fallen.

Social Media

Social media is also placing us at risk from phishing attacks or similar techniques. Links sent via social media networks such as Facebook or Twitter rose by around 30% this quarter, which similarly marks a resurgence in this method.

Attackers are now finding ways to circumvent automated remediation tools that have been put in place by major social media companies, which is leaving users at great risk. In order to ensure that staff are not vulnerable, Forte said that stringent training and security protocols must be implemented.

“Training is the key social engineering defence,” Forte said. “Additionally, companies can get social engineering tests carried out for all four of the main attacks, including phishing.”

She added: “Companies not only need to create a security culture but also need to ensure that staff feel comfortable reporting mistakes. If someone clicks on a malicious link, it is far better to know now than in eight months’ time. Don’t punish staff for mistakes; reward them for reporting them.”
