AMATAS welcomed October with CISA's Cybersecurity Awareness Month. The 2022 edition is dedicated to preventing social engineering by focusing on organizations' single most vulnerable factor: the human one.  

"See Yourself In Cyber" highlights that even though achieving full cybersecurity may at times seem "complex" and challenging, it really comes down to the role played by the individual. 

Over the past five years, the number of cybercrimes against various industries has skyrocketed. Institutions fundamental to society have become targets, with breaches across education, healthcare, finance, and manufacturing, and even government institutions worldwide. The utopia where peace, balance, and security persist is long lost in the digital space.  

No industry is safe anymore

On the upside, organizations are starting to invest in adequate security training and managed security awareness training to elevate and strengthen the role of the individual, building an "it comes down to you" approach and mindset.  

Let's admit it - we all play crucial roles in protecting our organization's infrastructure and data. Even though we may not think about it much, a single click could amount to substantial organizational losses: financial, client-related, and employee-related. It's up to every single one of us to sustain digital security. 

The following article will look at some of the biggest causes of security breaches, focusing on the human factor as a vulnerability. Our list will follow a "cause and effect" pattern, with examples from the past decade up to the present. 

Passwords: Questioning Strength, Confidentiality, and Storage 

You have the habit of constantly forgetting your work (and personal) passwords. That's why you either settle for the classic "123456" or a 12-digit sequence that includes your date of birth and the current year, or perhaps reuse the same password for all of your accounts. 

Well... a 2019 National Centre for Cyber Security report found that "123456" remains the most popular password in the world and that 45% of all users tend to use the same password to access all of their accounts. 

An even more alarming study found that passwords consisting of just 12 digits could be cracked in a mere 25 seconds. Organizations need to remind employees that longer, more complex passwords (updated regularly) should be the norm, because password confidentiality is the first line of cybersecurity, and a "sharing is caring" approach between colleagues just doesn't cut it. 

Storage methods should also be addressed. While the sticky note on your monitor or under your keyboard may be part of your aesthetic, it certainly makes your organization more vulnerable. Data breaches disrupt long-term business growth and can crumble everything that has been built. Consider how password storage can serve as a gateway for malicious actors. 

During the 2017 Equifax breach, attackers gained access to the personal information of 147 million users by exploiting a vulnerability in the system. Once on the organization's servers, they quickly found client usernames and passwords stored in plain text. 

Patching Security Vulnerabilities: Ready, Set, Update! 

With hybrid workplaces, organizations have become even more reliant on third-party software for their operations and communication (looking at you, Zoom, Teams, Slack). While software vendors patch vulnerabilities quickly and efficiently, the question remains whether those updates are applied company-wide. 

Rule of thumb - your employees and teams need to update their systems regularly. Ensuring that auto-updates are enabled is another way to protect your systems from this vulnerability. 

Malicious actors can use systems and devices that are not updated regularly as a Trojan horse to access your network and data. With ransomware and zero-day exploits on the rise, you need to stay alert and install security updates as soon as possible. 

Just last month, Apple released patches for two security vulnerabilities that may have been actively exploited, potentially allowing malicious apps to take over devices.  

Careless Data Handling  

Companies need to have clear, set rules and policies regarding one of their most valuable assets: data. Employees need to understand how to handle, transfer, save, and delete data to ensure security. Otherwise, their behavior could become one of the biggest organization-wide vulnerabilities. 

Employees often unintentionally send personal information to the wrong recipients, or fail to put all contacts in BCC of their emails, exposing every recipient's address to everyone else.  

In recent years, phishing schemes have increasingly targeted organizations, with business email compromise (BEC) cases on the rise, where attackers impersonate trusted senders to extract data via malicious files or links. Without proper security training, every organization can become defenseless against ransomware and phishing threats. 

In recent years, there have been many examples of such data breaches, including: 

  • 2016: Leoni AG, a wire and cable manufacturer, lost $44 million due to a devastating BEC attack 
  • 2019: Toyota Boshoku Corporation suffered a massive BEC attack that cost the company $37.3 million 
  • 2021: VC Firm Sequoia Capital was hacked due to a phishing scheme 
  • March 2022: During the Apple and Meta data breach, hackers pretended to be law enforcement officials to gain access to customer addresses, phone numbers, and IP addresses 
  • August 2022: Messaging platform Twilio confirmed that hackers, pretending to be the platform's IT department, tricked an employee into granting them access to 125 users' data  

Preventing Hackers From Piggybacking Into Systems 

So your dad's laptop has just crashed, and he needs to place his bet on the Celtics vs Hornets. Tricky question: should you or shouldn't you allow him to use your company-assigned computer? 

Never undermine the security controls installed on your device, and better yet, understand the consequences of your actions. While placing his bet, your dad could unintentionally install harmful software, download a malicious file, or click on a link that allows hackers to access the device data. The list of ways data integrity could be breached goes on and on. 

Another way to open the door to unauthorized access is using the free Wi-Fi hotspots of coffee shops, airports, hotels, and other public venues. On such networks, attackers could easily intercept your information, hijack your session, or log into company systems using your credentials.  

Security awareness: under the microscope 

Cybercriminals all know one thing: humans are often the easiest-to-reach link within an organization, susceptible to manipulation, poor decision-making, and exploitation. 

A cyber threat is now just one click away: a single click can grant the unauthorized access needed to encrypt systems, compromise data, and launch DDoS attacks. But your employees don't need to be the weakest link. Our managed security awareness training is led by experienced cybersecurity professionals who take the time to understand individual limitations in the digital space. 

Along the way, they shed light on the cybersecurity practices that protect your organization in an efficient and cost-effective manner, so that everyone takes responsibility for keeping your organization's data intact and available. 

Cybersecurity awareness isn't just a catchy campaign to join this October; it should be a year-round, long-term effort. To continue the tradition of educating about best practices, the AMATAS team will soon share with you some of the safest internet habits to instill in your organization.

Ralitsa Kosturska in AMATAS