Is the Weakest Link in Cybersecurity Becoming Even Weaker?

\ It's said time and again that humans are the weakest link in security. No matter what cloud controls you put up, firewalls you configure, or CI/CD integrity checks you do, more often than not, it takes compromising a single human in your organization to compromise it all and lead to a cyber attack. In fact, Cybint statistics suggest that 95% of cybersecurity breaches are caused by human error.

\ Verizon’s 2023 Data Breach Investigations Report (DBIR) details examples of human errors that lead to data breaches. In fact, 74% of incidents include some human element, such as clicking on a phishing link.

\ Battling these attacks has always been top of mind for CISOs and security leaders across the globe, and we resort to security awareness to educate people and train them to identify these attacks. However, is what we have today enough?

\ Clearly not. Despite awareness training, we still see a rise in such attacks, even at prominent organisations such as Microsoft, TMobile, UnitedHealth, etc, in just this year.

\ But you may ask, has this always been the case? I know human risk exists; it has existed for over a decade. Why has it become a burning concern?

\ Here's what has changed over the last decade and why the situation is more alarming and deserves priority now more than ever.

\

\

Social engineering has always relied on creating deceptions, e.g., hackers impersonating individuals in authority and tricking people into trusting them. The latest AI advancements and deepfakes have made it easier for hackers to create even more deceiving personas. In fact, a finance worker paid out. $25 million after video call with deepfake ‘chief financial officer’

\ Bank call centers are increasingly inundated with deepfake voice clone calls attempting to access customer accounts, and AI-fueled fraud has become the leading security concern for the majority of banks as fraudsters submit AI-altered documents to open fake accounts. But other than increasing the effectiveness of these attacks multi-fold,

\

AI has reduced operational costs, allowing hackers to conduct large-scale personalized campaigns.

\

\ Do you know how many data breaches happened in August 2024 alone? Billions of public records have already been leaked online within this month. All of this data ends up in hacker feeds, triggering a new wave of targeted phishing attacks. A lot of our data is also available with data brokers to be resold by several resellers and lead generation applications. And a lot of it is what we have put online ourselves on several social media platforms. All this information comes in handy for hackers to create fake personas and run a hyper-personalized social engineering attack.

\

\ Take a breath and count the number of communication apps you are on. Gone are the days when email was the sole medium of communication for a company. Today, employees use a variety of communication tools such as Slack, Zoom, Google Meet, WhatsApp, voice calls, social media chat, and so on. The increased sources of communication, in turn, increase the attack surface and risk exposure. A hacker can sneak into a conversation via any of these channels and attempt a hack.

\

\ Do you know Gen Z is over three times more likely to be duped by online fraud compared to baby boomers?

Gen Z engages with technology more than any other generation, averaging at least four hours daily on social media. With a wide array of apps, from Snapchat to Instagram, they eagerly share every moment of their lives. However, this deep interconnectedness also exposes them to various threats, such as phishing scams, identity theft, and romance scams. The extensive time spent online inevitably raises their vulnerability to falling into online traps.

\

\ Working from home setup has added additional dynamics to this scenario. For many employees, it has blurred the boundary between work devices and personal devices. Many people end up using work devices for personal reasons, inadvertently increasing the risk. Research shows that remote workers are also more easily distracted and more likely to click on suspicious links. When you have not met in person or are not familiar with the conversational style of the other person, it becomes easier for hackers to dupe you into believing the email sent while impersonating the colleague is genuine.

\ The way we organize work, the way we are interconnected today, and the instantaneous and proliferate ways of reaching out to us, with significant information about us being online, have made these attacks more powerful. We need better defenses. Defenses that are in line with the modern-day world and that can provide us holistic coverage.

\ Gone are the days when the security of an organization could be handled separately from the security of an individual. A cyber risk to one individual, whether in a personal or professional realm, is a risk to the organization, and it's time we start looking at this in a holistic manner.

Curious to know your personal risk? The free scan is available for seven days. Try it today and share it with your fellow colleagues. We'll scan the deep trenches of the web and share with you the information that you may not be aware the hackers know of.

\ See you in the next post!

Till then, stay safe.

\ \ \ \