Companies are pouring more resources into reducing security risk within their organizations, specifically among employees. Billions of dollars are spent each year on training and other preventative measures, yet data breaches and other cyber attacks still occur, largely due to human error.
One explanation is that companies have not adapted their security measures and training as quickly as attackers have evolved their strategies. Cybercriminals select employees to target based on a number of factors, and adjust their attack strategies accordingly to increase their chances of success.
Here are four major factors that play into how and who cybercriminals target.
Department and Role
Cybercriminals have learned to tailor their attacks by determining an employee's department, role and responsibilities. They gather this information from platforms that publish it readily, such as LinkedIn or even the company website. Because these details are displayed openly, they can easily be abused to craft targeted attacks.
Security training should therefore be tailored to individual roles and responsibilities rather than using the same material and structure for every person. Employees in finance are more likely to encounter business email compromise attacks such as wire transfer fraud, while sales teams often have access to personal information at scale and should be trained on how to prevent data loss.
In addition to tailoring training depending on job function, organizations can also organize training based on priority, like which employees have access to sensitive information or are most likely to encounter attacks.
Length of Employment
Another factor that cybercriminals use to tailor their attacks is how long an employee has been with an organization. Newer employees are usually the first to be singled out and targeted. Again, cybercriminals rely on social media and similar platforms, since people usually announce a new job and add it to their profile, for example on LinkedIn.
New employees need time to get acclimated to their position and organization, so it also takes time for them to recognize abnormal requests or messages. Some cybercriminals exploit this by pretending to be IT staff or even customer service representatives.
Beyond training for specific roles and responsibilities, organizations should consider what security training new employees need so that they can quickly distinguish normal from abnormal requests and messages.
Remote or On-Site Work
Cyber security was a major challenge of remote work once organizations worked out how to transition everyone off-site during the pandemic this past year. Now that employees are returning to the office, methods have had to change again as organizations adopt a hybrid approach or run both on-site and remote workforces. Cybercriminals will continue to attack remote workers and will use the uncertainty of hybrid environments to their advantage.
Distraction is the main driver of cyber security risk while working from home: employees tend to be more distracted when working remotely and have been shown to be more likely to fall for a phishing scam. They tend to make more mistakes, such as clicking on suspicious links in emails from senders posing as colleagues within their organization. When you are not working on-site with other employees, it is harder to verify whether a colleague actually sent a request and whether it is legitimate.
Organizations should of course tailor training to whether employees work remotely, on-site or in a hybrid environment.
Human Error Risk
One of the biggest factors in employee cyber security risk is simply human error. Security training focuses on how to identify and avoid attacks, breaches and scams, but it rarely addresses the mistakes that occur while performing everyday tasks, such as sending an email to the wrong person. All it takes is one email containing sensitive information sent to the wrong recipient to hand cybercriminals an easy opportunity.
Including these everyday errors in training encourages employees to improve their behavior over time and to become very cautious when handling any sensitive information. Addressing this can measurably decrease employee security risk.
There are other factors that can play into how and when an employee can be targeted and exploited by cybercriminals, but by simply creating tailored training programs for individual employees, organizations can drastically decrease opportunities for attack.