4 Key Stereotypes Among Workers That Expose Businesses to Cyber Attacks

essidsolutions

With cybercriminals using sophisticated techniques to bypass network defenses and lure targeted workers into downloading files or sharing data, all employees must be vigilant against such tactics and should be trained accordingly. However, many cyber awareness programs fail to address deep-rooted beliefs and stereotypes around cybersecurity. Let’s look at common employee stereotypes that businesses can address through targeted training programs.

The tech industry is no stranger to deep-rooted stereotypes that persist, even though it has played a significant role in transforming society with technological disruptions and innovations. Existing beliefs and some new ones have also played a significant role in shaping how organizations secure their networks, devices and data and inculcate a culture of cyber accountability in their workforce. 

The avalanche of phishing scams in the past decade has buried the long-held notion that cybersecurity is only the responsibility of the IT department. Organizations have realized that an unsuspecting employee’s misplaced click can disrupt operations for months or result in a ransom demand. 

Cyber hygiene is itself based on a set of principles that all employees are expected to follow, but a lack of clarity about how cybercriminals work can hinder defense. Organizations need to recognize these fallacies at the outset and deliver awareness training that weeds out the stereotypes.

Let’s look at some existing stereotypes that put organizations’ cybersecurity readiness at risk.


Common Stereotypes Affecting Organizations’ Cybersecurity Readiness

The cloud is secure

It is well established that most organizations choose the cloud over on-premises servers to store and process data. Virtually unlimited storage capacity and cost savings on storage are significant factors driving adoption. However, the sudden over-reliance on the cloud has given birth to a notion among corporate workers that cloud services are secure by design, and that there is not much they need to do to secure their data.

According to a Trend Micro survey from December, while 88% of global organizations adopted cloud services, 97% of decision-makers believed their cloud service provider (CSP) offered sufficient data protection. The result: only 55% of organizations deployed third-party tools to secure their cloud environments.

“It’s a very positive sign that a majority of organizations around the world are embracing digital transformation and adopting the cloud. But the survey findings also highlight the challenges remaining with understanding security in the cloud. Cloud adoption is not a ‘set it and forget it’ process, but takes ongoing management and strategic configuration to make the best security decisions for your business,” said Mark Nunnikhoven, vice president of cloud research for Trend Micro. 

Considering the risk at hand, organizations should ensure all employees are trained to understand cloud security policies and practices. By understanding the security risks associated with data stored in the cloud, IT decision-makers can use automated security tools such as network protection, cloud security posture management, and cloud access security broker tools. Offering cloud security training can also enable organizations to reduce instances of misconfigurations.
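The misconfigurations that cloud security posture management (CSPM) tools look for are settings the customer, not the provider, controls. The following added example, which is not code from the article or from Trend Micro, models such a check over a small constructed inventory of storage buckets. The inventory format, field names (encryption_at_rest, access_logging, policy) and principal strings are a simplified hypothetical shape, not any provider’s real API output.

```python
"""Minimal CSPM-style posture check over a constructed bucket inventory.

The provider secures the platform; the customer owns each resource's
configuration. This script flags the three classic customer-side mistakes:
public access, encryption at rest disabled, and access logging disabled.
"""
import json

# Constructed sample inventory (hypothetical simplified format, not a real API).
SAMPLE_INVENTORY = json.dumps([
    {
        "name": "finance-exports",
        "encryption_at_rest": True,
        "access_logging": True,
        "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "role:finance", "Action": "GetObject"}]},
    },
    {
        "name": "marketing-assets",
        "encryption_at_rest": False,
        "access_logging": False,
        "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "GetObject"}]},
    },
    {
        "name": "hr-backups",
        "encryption_at_rest": True,
        "access_logging": False,
        "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "role:hr", "Action": "GetObject"}]},
    },
])


def evaluate_bucket(bucket):
    """Return a list of (finding, severity) tuples for one bucket record."""
    findings = []
    if not bucket.get("encryption_at_rest", False):
        findings.append(("encryption_disabled", "high"))
    if not bucket.get("access_logging", False):
        findings.append(("logging_disabled", "medium"))
    # Any Allow statement granted to the wildcard principal exposes the bucket
    # to anonymous access regardless of how secure the platform itself is.
    for stmt in bucket.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*":
            findings.append(("public_access", "critical"))
            break
    return findings


def run_posture_check(inventory_json):
    """Map bucket name -> findings for every bucket that has at least one."""
    report = {}
    for bucket in json.loads(inventory_json):
        findings = evaluate_bucket(bucket)
        if findings:
            report[bucket["name"]] = findings
    return report


def harden(bucket):
    """Return a hardened copy: encryption and logging on, wildcard grants removed.

    Dropping wildcard Allow statements is deliberately conservative; a bucket
    that is meant to be public should be re-approved explicitly, not auto-fixed.
    """
    fixed = json.loads(json.dumps(bucket))  # deep copy without mutating input
    fixed["encryption_at_rest"] = True
    fixed["access_logging"] = True
    stmts = fixed.get("policy", {}).get("Statement", [])
    fixed.setdefault("policy", {})["Statement"] = [
        s for s in stmts if not (s.get("Effect") == "Allow" and s.get("Principal") == "*")
    ]
    return fixed


if __name__ == "__main__":
    for name, findings in run_posture_check(SAMPLE_INVENTORY).items():
        print(name, findings)
```

Running it prints findings for marketing-assets (all three) and hr-backups (logging only); finance-exports produces none. Feeding `harden()` the marketing-assets record yields a copy that `evaluate_bucket()` passes cleanly.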


My Mac is more secure than your Windows PC

Another major misconception is that macOS devices are more secure and less vulnerable to malware infections than devices running Windows. Many experts believe this has to do with an Apple ad campaign stating that Macs don’t get PC viruses. Steven Hope, CEO and co-founder of Authlogics, says this illusion of immunity unfortunately breeds complacency among many Mac users.

“There is a common misconception that viruses and malware only exist on Windows and that somehow macOS is immune to them. While the somewhat misleading Apple ad campaign implying that a Mac can’t get a PC virus is true, they can get infected with a virus/malware designed for macOS.

“There are malicious apps and websites that are designed to steal your data or logon information; Apple and Google regularly remove apps from their app stores for this reason. It is important to remember that even a MacBook needs a password and password security is just as important even if you aren’t using Windows,” he says.

According to IT consultancy firm Pensar, a major reason Macs are considered less vulnerable than Windows PCs is that over 88% of desktops run Windows and Macs have a share of less than 10%. Attacking Windows OS allows hackers to target many more users and spread malware quickly among a vast proportion of devices. 

“Macs aren’t inherently more secure than PCs, there are just less of them to target in the wild. Propagating the myth that Macs are immune to viruses or resistant to attack is dangerous, particularly considering that Apple’s sales figures are strong and the number of active Mac users is over 100 million and counting,” the firm said.

My VPN service protects my data and privacy

For over two decades, VPNs have been used widely to secure Internet traffic, as they are seen to provide an impenetrable mask that offers both security and anonymity. They enable people to work from remote locations, browse safely even on public Wi-Fi, avoid geographical restrictions when accessing online services like Netflix, avoid bandwidth throttling by ISPs, and, in the case of VPNs with no-log policies, avoid tracking through deep packet inspection (DPI) or through port numbers. In the hybrid work era, it is natural for employees to gravitate to leading VPN solutions to secure online communications and data.

However, relying solely on VPNs can also be a dangerous notion, as today’s cybercriminals are adept enough to punch through the holes despite recent advancements in VPN technology. Of late, VPN products offered by well-known companies like Fortinet, Cisco, NordVPN, Pulse Secure, and D-Link have been found to contain security vulnerabilities that enabled malicious actors to carry out various kinds of attacks. According to managed security service provider Nuspire, attacks against Fortinet’s SSL-VPN and Pulse Connect Secure VPN rose by 1,916% and 1,527%, respectively, in Q1 2021. Threat actors carried out these attacks to infiltrate networks, exfiltrate information, and deploy ransomware.

To avoid becoming a victim of security flaws in leading VPN solutions, organizations should implement zero-trust network access (ZTNA), whose adoption has seen tremendous growth in recent years. Gartner says that ZTNA improves flexibility, agility and scalability, enabling digital ecosystems to work without exposing services directly to the Internet, reducing risks of distributed denial of service attacks.

Gartner also recommends that organizations use ZTNA for application-level access only after sufficient user and device authentication. ZTNA provides adaptive, identity-aware, precision access and introduces clientless, identity- and device-aware access so that unmanaged devices can reach applications securely.
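The practical difference between the two models described above is where the access decision is made: a VPN grants network reachability once the tunnel is up, whereas ZTNA decides per application using identity and device posture. The following added example, which is not code from the article, Gartner or any ZTNA vendor, encodes that contrast as a small policy evaluator. The application catalogue, group membership, session fields and posture attributes are constructed sample data with hypothetical names.

```python
"""VPN-style network grant vs. ZTNA-style per-application decision (model).

Constructed sample data throughout; field names are hypothetical and do not
correspond to any vendor's API or policy language.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the access broker knows about an authenticated session."""
    user: str
    mfa_verified: bool
    device_managed: bool   # enrolled in device management (has the ZTNA client)
    disk_encrypted: bool
    os_patched: bool


# Per-application requirements the ZTNA broker checks before exposing the app.
# "managed_device": False means clientless access from an unmanaged device is
# acceptable for that application (the low-sensitivity case the text mentions).
APP_POLICY = {
    "payroll":  {"groups": {"finance"}, "mfa": True, "managed_device": True},
    "wiki":     {"groups": {"staff"},   "mfa": True, "managed_device": False},
    "build-ci": {"groups": {"eng"},     "mfa": True, "managed_device": True},
}

# Constructed identity directory: user -> groups.
USER_GROUPS = {
    "alice": {"staff", "finance"},
    "bob": {"staff", "eng"},
    "mallory": set(),
}


def vpn_decision(session):
    """Legacy model: one tunnel-level check, then every app is reachable."""
    on_network = session.mfa_verified  # assume MFA is enforced at tunnel setup
    return {app: on_network for app in APP_POLICY}


def device_posture_ok(session):
    """Minimal posture: managed, encrypted and patched."""
    return session.device_managed and session.disk_encrypted and session.os_patched


def ztna_decision(session, app):
    """Return (allowed, reasons) for a single application request."""
    policy = APP_POLICY[app]
    reasons = []
    if not (USER_GROUPS.get(session.user, set()) & policy["groups"]):
        reasons.append("identity: user not in an authorised group")
    if policy["mfa"] and not session.mfa_verified:
        reasons.append("authn: MFA not verified")
    if policy["managed_device"] and not device_posture_ok(session):
        reasons.append("device: posture check failed")
    return (not reasons, reasons)


def ztna_decisions(session):
    """Evaluate every application in the catalogue for one session."""
    return {app: ztna_decision(session, app)[0] for app in APP_POLICY}


if __name__ == "__main__":
    alice_byod = Session("alice", mfa_verified=True, device_managed=False,
                         disk_encrypted=False, os_patched=True)
    print("VPN :", vpn_decision(alice_byod))
    print("ZTNA:", ztna_decisions(alice_byod))
```

For a finance user on an unmanaged personal laptop, the VPN model reports every application reachable, while the ZTNA model allows only the wiki (clientless access permitted) and denies payroll and build-ci with the reason recorded, which is what makes the decision auditable.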


I can spot phishing texts and emails with ease

A misconception harbored by many corporate workers is that today’s phishers aren’t smart enough to lure them with fake emails or texts and they can easily spot spoofing or business email compromise tactics. Considering the number of emails that arrive at the average worker’s inbox every day, is it possible for them to remain attentive at all times?

A recent survey conducted by cybersecurity solutions provider Ivanti revealed that 74% of organizations across Europe fell victim to phishing attacks after the pandemic set in. This astounding success rate can be attributed to the fact that phishing has become a well-oiled industry. In September, Microsoft discovered a phishing-as-a-service provider called BulletProofLink that sold phishing kits, email templates, hosting, and automated services to cybercriminals at a relatively low cost.

“With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators,” Microsoft said in a blog post. The average corporate worker is simply not equipped enough to defend against the scale and complexity of current phishing operations.

Defending against sophisticated phishing attacks requires a multi-pronged approach. Training employees once in a while to tick the cybersecurity boxes won’t work. Training programs have to be constantly updated to include the latest phishing tricks and tactics employed by cybercriminals, and employees should undergo simulated phishing tests to gauge their preparedness. Email security solutions and multi-factor authentication can also help plug the gaps when attackers exploit the human factor.

Cybersecurity awareness training can help bust ill-informed stereotypes

Employee beliefs and stereotypes are often influenced by organizational culture, where businesses are located, and how the leadership wants them to function. In the digital age, the adoption of technologies and devices has to be accompanied by an understanding of the associated risks and challenges. Unfortunately, cyber hygiene and employee training on cybersecurity have not kept pace with the march of technology in recent years. Considering the potential impact of a successful cyberattack, organizations must lose no time in introducing cybersecurity awareness training to prepare their employees for future challenges.

“Organizations need to be educating their workforce on cybersecurity, as Mimecast research shows that 50% of employees still open attachments from unknown sources, and 40% are fooled by an email pretending to be from a member of their organization every week,” says Jonathan Miles, head of strategic intelligence and security research at Mimecast.

“To defend and mitigate the threats, it is key that organizations build a layered approach to cybersecurity resilience, including cybersecurity responsibility and awareness embedded deeply throughout all sectors of organizational culture. Offering regular remote working cybersecurity awareness training to employees will be crucial, with organizations recommended to take the initiative on keeping their employees informed about current and prevailing threats,” he adds.

Do you think cybersecurity training sessions mostly fail to change existing employee beliefs and practices? Let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you!