- Unsuspecting workers open unknown files and click on questionable links when snared by cybercriminals, according to new data from Positive Technologies (PT). In the report, "Social Engineering: How the Human Factor Puts Your Company at Risk," PT tested the success rate of certain hacking attempts by imitating hackers' behavior, which entailed sending employees emails with links to websites, attachments and password entry forms.
- Test results show that employees not only routinely open unknown files and click on suspicious links, but also correspond with attackers. Although most employees (88%) work outside of IT, 3% of security specialists also fell for the hacking tricks.
- PT said cybercriminals use fear, hope, greed and other emotions to make their attacks seem more authentic. They use subject lines, such as "list of employees to be fired” or "annual bonuses" to elicit responses. To reduce the risk of social engineering attacks, PT said employers should hold regular training sessions that test how well employees follow security principles.
PT's testing shows how easily unsuspecting employees can be cajoled into going on fake websites or giving away passwords. Employees are, for better or worse, your organization's first line of defense against cybercriminals; the right training is key. As a 2017 Harvard Business Review study shows, hackers don't need complex technical skills to break into an organization's network; they only need trusting employees who will lower their guard and take the bait.
One important note: a Willis Towers Watson study found that 90% of cyber risks were the result of human error and 66% were caused by employees’ negligence or maliciousness. Only 18% of cyber breaches came from external sources. Employers need to be as vigilant about securing their systems from internal breaches as well as external causes.
HR can partner with IT to draft security rules for the workplace that are easy to understand and follow. Once employees are aware of the many schemes and tactics hackers use to get at vital information, employers can create a more solid cybersecurity strategy. This increased protection also applies to customers, vendors and others who correspond with an organization.