Cyber criminals are continuously trying to breach your organization’s network infrastructure and defensive walls; they need just one successful attempt to harm the organization’s information in many ways. In many cases, the flaw isn’t in the system or the security solution but is created by an employee.
Employees only need to download a bad attachment, click a malicious link, or give attackers the one piece of information they need to break in. "Companies need to realize if their employees are picking up the phone and answering emails, they make security decisions every day that can affect the company," says Michele Fincher, COO for Social-Engineer, Inc.
So the question is: which negligent behaviors favor attackers in breaching the defense systems, and how can they be prevented? Here are some of the ways hackers target employees:
Every social networking website poses a cyber security threat, but some websites carry more risk than others. Bryan Harris, VP of cyber research and development at SAS, says, “LinkedIn is one of the biggest sources of wealth for the bad guys. It’s a tough social media platform because it has this dual nature: you want to expand your network and improve your career, but you're also increasing the attack surface by not knowing who you're connecting with.”
With each LinkedIn request, employees face a choice. If they accept, they could benefit from a new contact, or they could increase their attack surface by letting an unknown party access their professional network. Twitter, like LinkedIn, carries a high risk of social engineering because the barrier to entry for attackers is lower. Facebook and Snapchat still pose challenges, Harris explains, but people are less likely to accept requests from people they haven't met in person. On Twitter and LinkedIn, people connect based on mutual interests and professional connections, so attackers can send direct messages that seem legitimate but aren't.
Of course, attackers also search outside social networks to collect intelligence on potential victims. Your corporate website may be helping inform future breaches.
Even if attackers don't yet know the avenue of attack, if they gather a lot of intelligence through open-source means, they're likely to target a specific company because they know more about its employees.
Many organizations post charts of their leadership, boards of directors, and oftentimes additional staff teams on their websites, adds Harris. If an attacker knows the email pattern for your company -- and they only need one address to work it out -- they can easily figure out your executives' contact information and target them with spam.
Hackers may also pair a phone call with a phishing email in a ploy that is hard to spot: they call the victim to introduce themselves and offer to send additional information in a follow-up email, which they then use to launch the phishing attack.
It's tough to defend against these scams because you can't tell employees to ignore their phones. However, you can tell employees to avoid clicking links or downloading attachments from unverified senders, and to be alert when questions become too personal for the kind of caller on the other end of the line.
Additionally, it is recommended to define an access level for each type of employee in order to limit the loss from a successful hacking attempt. Implementing endpoint security tools and applications should also be considered. Above all, educating employees about potential threats and attackers’ tricks is the most effective way to overcome such threats, so an awareness program should be at the top of an organization’s to-do list.