Everybody makes mistakes, but the missteps of some can prove more costly than others.
Phishing attacks target IT pros more than any other members of an organization, surpassing even executive staff. In fact, 47% of IT professionals say that they have fallen for a phishing attack, according to an Ivanti report that surveyed 1,005 tech workers globally.
It’s not surprising that bad actors target IT departments, according to Ed Amoroso, founder and CEO of TAG Cyber and distinguished research professor at the Tandon School of Engineering at NYU.
“IT professionals have all the privileges and access to important things,” Amoroso said. “So I can't think of anybody better to target than the folks who manage IT.”
In the spirit of Cybersecurity Awareness Month, security experts provided four tips to protect IT employees from phishing attacks:
- Add security speed bumps such as multifactor authentication or external email warnings.
- Make security a forethought and part of the process, not an afterthought.
- Encourage employees to work with security teams to find secure alternatives to shadow IT.
- Make security personally relatable for employees.
One way that businesses can celebrate this month is by making cybersecurity relatable to employees.
If organizations only emphasize cybersecurity at work, it turns into something that employees can “turn on when they walk in the door, and then turn off when they leave,” Chris Novak, managing director of Verizon Threat Research Advisory Center, said.
Sometimes, employees just forget to hit the on switch. To alter this, Novak suggests businesses relate the idea of protecting company data to protecting individual data such as social security numbers or banking information.
“They don’t think of that as security, but that is how you secure your own personal data,” Novak said. “If you can get people to have that level of awareness… now when they go into the office and someone asks them for something that causes them to have suspicion or concern, it’s going to be because it’s something that they’re naturally thinking of.”
The threat
Cyber missteps can be costly. This year the average cost of a data breach surpassed $4.4 million in the U.S., according to data from IBM.
IT security mishaps often boil down to a single common denominator: human error. (And, in some cases, threat actors are simply very good at their jobs, as seen in the SolarWinds compromise.)
Even those with a lot of security training can be misled by a spear phishing attack due to the amount of knowledge the hacker has, David Strauss, co-founder and CTO at Pantheon, said.
Spear phishing, when a threat actor targets a particular audience, is rampant. Strauss has seen plenty of attempts at his company.
It is quite common at Pantheon for employees to receive a message from a person claiming to be the CEO. The person can know everything from the name of the CEO to the employee’s name and title. The messages usually involve a request of some sort so that the threat actor can gain access.
Mitigating the human error
More than 4 in 5 breaches involved the human element, including social attacks, errors and misuse, according to a report from Verizon that analyzed more than 23,000 incidents.
IT professionals, just like other business employees, are busy throughout the day going from one task to the next.
Whether it is churning through a backlog of unread emails or trying to corral a surplus of tabs, employees going through the motions present opportunities for bad actors to exploit.
One way to combat this is by adding speed bumps to slow employees down. While at first glance it might seem counterintuitive, it is important to remember that security is not always convenient. Taking a few more seconds than normal to do a task could protect the company from losing data, customers and money.
“Most people if they’re forced to stop and think about an action that might be risky, they usually catch that it’s risky and they stop,” Novak said.
Examples of speed bumps range from multifactor authentication to external email warnings.
For phishing emails in particular, many organizations route every clicked link through an internal company portal: a pop-up screen where the user must confirm they want to visit the site before being sent on to the link, according to Novak.
“So you might get an email, and it might say, ‘hey, check out this news article,’ and there'll be a link,” Novak said. “If you were to click on that link, it doesn't take you right to that news site, it takes you first to an internal site that will say, ‘hey, we just want to make sure you realize this is going to an external site.’”
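The click-through portal Novak describes is usually implemented at the mail gateway as link rewriting: external links in the message body are replaced with links to an internal confirmation page that carries the real destination. The Python below is an added example written for this page, not code from the article or from Verizon; the organization's domain names, the portal hostname and the signing key are constructed placeholders. It also includes the check a practitioner would insist on: the portal verifies an HMAC over the original URL, so the trusted internal hostname cannot be turned into an open redirect by someone crafting their own confirmation links.

```python
import hmac
import hashlib
import re
from urllib.parse import urlparse, urlencode, parse_qs

# Constructed example values (not from the article): the organization's own
# domains and the hostname of the internal confirmation portal.
INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}
PORTAL = "https://linkcheck.corp.example/confirm"
# Secret shared between the mail gateway and the portal (constructed placeholder).
SIGNING_KEY = b"replace-with-a-randomly-generated-secret"

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def is_internal(url: str) -> bool:
    """True when the link points at one of the organization's own hosts.
    Suffix matching is anchored on a dot so corp.example.attacker.test fails."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def sign(url: str) -> str:
    """HMAC-SHA256 over the destination; only the gateway and portal hold the key."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def to_portal_link(url: str) -> str:
    """Wrap an external URL so the click lands on the confirmation page first."""
    return PORTAL + "?" + urlencode({"url": url, "sig": sign(url)})


def rewrite_external_links(html: str) -> str:
    """Gateway side: rewrite every external http(s) href in an HTML mail body.
    Internal links and non-web schemes (mailto:, etc.) are left untouched."""
    def repl(m):
        url = m.group(1)
        if urlparse(url).scheme not in ("http", "https") or is_internal(url):
            return m.group(0)
        return f'href="{to_portal_link(url)}"'
    return HREF_RE.sub(repl, html)


def confirm_target(portal_url: str):
    """Portal side: return the real destination only when the signature matches.
    A forged or tampered confirmation link yields None instead of a redirect."""
    q = parse_qs(urlparse(portal_url).query)
    url = q.get("url", [None])[0]
    sig = q.get("sig", [None])[0]
    if url is None or sig is None:
        return None
    if not hmac.compare_digest(sig, sign(url)):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample message body with one external and one internal link.
    body = ('<a href="https://news.example.net/story">check out this news article</a> '
            '<a href="https://mail.corp.example/inbox">your inbox</a>')
    rewritten = rewrite_external_links(body)
    print(rewritten)
    wrapped = HREF_RE.search(rewritten).group(1)
    print("portal resolves to:", confirm_target(wrapped))
```

The interstitial page itself only needs to show the user the decoded destination and a confirm button; the signature check is what keeps the "speed bump" from becoming a new way to launder links through a hostname employees trust.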
Creating a culture of security within IT
Businesses can implement strategies, training and tricks to optimize the security of their organization, but if the employees at the company do not believe security is a priority, those measures accomplish little.
One of the biggest areas of improvement for organizations is changing their security mindset from an afterthought to a forethought, Novak said.
This means that instead of building an application or platform and then asking security to review it and retrofit it, include the security team in the process from the start.
The change in mindset can also work to limit shadow IT. Instead of employees secretly using unauthorized systems, applications or devices for work, they would ask the security team to help them secure it or find a more secure alternative, according to Amoroso.