Your Greatest Threat of Being Hacked: Your Employees (And How to Avoid Having a 17-Year-Old Outwit You)

Just a few months ago, a 17-year-old hacker bypassed the cybersecurity protections of one of the largest video game manufacturers, Rockstar Games, the creator of Grand Theft Auto 6. Not long after, a 90-minute video of the not-yet-released game was posted on social media. 

Just days earlier, the same teenager single-handedly penetrated Uber’s security protections using a similar technique. 

What was the secret to his success, considering his targets were tech-savvy behemoths? The youthful transgressor used an increasingly successful technique to obtain the critical information necessary to gain access: a method called social engineering. In short, he preyed on the trust of employees. 

As long as there have been security precautions, there have been ways our trust has been abused. “My hands are full. Can you hold that door for me?” “Can I use your WiFi?” “Mind if I plug in and charge my phone?” 

We often let our human inclination to trust others overcome all the reasons we shouldn’t. And cybercriminals know it. They appeal to our hearts; they use aliases, appearing to be our trusted confidantes. And by targeting your employees – the weakest security link in your entire organization – a clever actor can often bypass nearly every security measure that exists. Cybersecurity attacks have now become the fastest-growing form of crime globally, and social engineering tops the methods of attack.

Fortunately, there are some measures your organization can adopt to protect from these liabilities. Here are the top five.

1. Understand the Vulnerability

First and foremost, we must appreciate how disarming the phrase “I need your help” is. Whether it comes from a loved one or a boss, the easiest way to lower most people's guard is to ask them for help. This is the root of every one of the above examples and a key component of social engineering.

It is human nature to bypass reason when someone says they need help. Most of us will find a way to legitimize the request, perhaps relating the situation to a time when we went through something similar. If someone we know sends a message, “I need your help with something ASAP,” we will often attempt to put it in context. We consider whether we would make a similar request in the situation, and we compare it to previous requests. 

If it’s an uncommon request, we might go so far as to confirm that the colleague’s e-mail or contact information is authentic. And most of the time, once we “verify” that person’s identity, we start to rationalize the request and do our best to comply. Few of us will ever call the colleague to further confirm it is a legitimate request. Businesses would grind to a halt if verbal confirmations had to accompany urgent e-mails and texts.

Unfortunately, conniving cybercriminals know this. They are experts at spoofing e-mails and phone numbers, as well as accounts on every digital platform. They are also skilled at asking for help and extracting sympathy when needed. Cybercriminals know it’s human nature to want to help others, and they exploit these types of opportunities. Understanding this vulnerability that we inherently carry – the sincere and sometimes irrational interest we have in helping others – helps us guard against what cybercriminals already know how to exploit.

2. Anticipate Attackers

The next thing we can do is anticipate what attackers might do. Who has access to a company credit card or checking account? Who has administrative privileges? Who is a decision-maker, or is close to or able to influence one? You should expect a cybercriminal to identify these people and target them first. This is called “whale hunting.” Criminals look for the biggest catches in an organization and target them, since they often come with the biggest rewards and greatest access.

Each of these “whales” will likely have a unique set of vulnerabilities, as well. The CEO may have access to the banking system but may not have administrative access to the network. An IT director, on the other hand, will likely have the highest levels of admin access, and minimal financial account access. When you can identify the unique vulnerability of each key employee, you can better prepare for and anticipate what attackers may try to do. This is important for each employee to understand, as well.

3. Educate Employees

Once vulnerabilities are identified, it is easier to focus on employee preparedness. Certain employees, such as executives, may be better suited for a high-level cybersecurity education. This could involve a briefing on the latest trends in e-mail scams, how to spot suspicious employee requests, and what precautions should be taken in given scenarios. 

The IT department will benefit from a more detailed education. In our training programs catered to technologically inclined employees, we share tips on best cybersecurity practices, password and user policies, and overall IT security policies. We also review policies such as those relating to bring-your-own-device, multi-factor authentication, network and WiFi access, and remote work configurations.

We also encourage all employees to undergo at least a foundational level of cybersecurity training, and it is important to have that training done as part of the onboarding process. Cybercriminals look for the weakest link, and often it is the newest, most naïve employee. 

Finally, all employees should undergo routine re-training, where recent social engineering and cybersecurity trends are discussed, and employees share any experiences they may have witnessed among themselves. 

4. Consider Changes

The worst cybersecurity policy is one that doesn’t change with time. A company’s policies and procedures should be regularly reviewed in light of trending cyberattacks, and employee experiences should be tracked and recorded so that security measures can adapt and employee training can be updated to reflect current threats.

Consider quarterly reviews of your cybersecurity practices and policies, and confirm that employees are trained in them and getting refreshers on a regular (we suggest quarterly) basis. Then monitor and update the policies as needed to keep up with the latest types of threats. Just as you would patch software security holes, you should also modify and patch your own practices and policies, including employee policies.

5. Engage Experts

Finally, we encourage engaging an external assessment team that can review your current practices and provide insight as to what your organization might need to implement for optimal protection from future threats. IT departments and CTOs undoubtedly stay abreast of numerous issues that relate to their organization’s security, but it is nearly impossible to stay on top of everything – particularly at the pace of today’s advancements and cyber threat evolutions. Hiring a diversified team of cybersecurity experts that can assess your network and develop a customized plan for you offers your organization the greatest protection. 

Of course, be wary of the assessment teams that exist solely to recommend products. You’ll inevitably end up needing to purchase their products. We suggest finding a team whose purpose is to provide government-level assessments and provide multi-faceted recommendations. A great repository of candidates trained to the highest cybersecurity standards of the DoD can be found at the Cyber-AB Marketplace. You’ll find us there, and if you mention this blog when you contact us, we will be happy to provide a free initial consultation.
