Blog
Dec 02

How Penetration Testing Showed Me What’s Missing in Security

Over the course of four years, I breached one of the largest financial institutions in the United States and gained access to their most highly classified systems. It wasn’t even that hard.

I simply tailgated outside the building and talked with a friendly employee. I made that person believe I was an auditor, and each year he let me walk through the front doors.

After every penetration test, I drafted up my report of the errors he made. But the next year was just as easy as the last — signaling to me that the company wasn’t doing anything to retrain its employees. It’s not that person’s fault he let me walk inside four years in a row. It’s that he was never told about his mistake in the first place. There was no one correcting his error.

From my experience, it’s clear there is a lack of employee training when it comes to cybersecurity, and malicious actors know it. Uber was recently hacked, leaving many of its internal systems compromised. The person who claimed responsibility for the attack says he sent a text message to an Uber employee, claiming to work for the company’s IT department, and persuaded the worker to share a password that gave him access to Uber systems. This is a technique called social engineering, one that most hackers use frequently. Verizon’s 2022 Data Breach Investigations Report found that 82% of all breaches involved the human element.

It’s critical to change employee training about cybersecurity. Artificial intelligence (AI) platforms can help address the technical aspects of security concerns, as well as the human ones. This can be done through extensive employee training, specifically catered to determine what points need extra attention.

The average global cost of a data breach is $4.32 million, an all-time high according to IBM, so it’s imperative your employees are aware of the dangers hackers pose.

Let’s look at a few ways AI can improve employee understanding about safe online practices so your company can avoid someone like me walking right up to breach it.

Get people out of their own way

Phishing continues to be an easy way for hackers to infiltrate businesses and access sensitive information. According to an APWG report, more than 1 million phishing attacks occurred in just the second quarter of 2022. APWG says it’s the worst quarter of phishing it has ever observed. That same report says there has been a 47% increase in social media threats and a nearly 70% increase in mobile-based fraud between Q1 and Q2.

These attacks are becoming more sophisticated. Phishing emails are coming in the form of fraudulent invoices, a request to update a payment method, or with content customized to the user so they’re more likely to open the message. It’s simple and effective — people fall for it every day when it’s easily avoidable.

Make sure your employees don’t fall into this trap by modifying their behavior around cybersecurity. Better psychology around online security, such as understanding a hacker’s mentality in using you for easy access, is going to produce better employee practices. AI platforms can provide detailed analytics on employees’ tendencies and faults, so you have an idea of your susceptibility to a breach. Utilizing AI will help your company fix those gaps, driving down simple scams such as phishing. With time, those employees can get out of their own way and keep sensitive company data secure.

Connect your C-suite to your security team and the rest of your employees

During my pentests, it was apparent there was a major disconnect between the C-suite, the security team, and the rest of the financial institution’s employees. The tactics I used to get inside are warned about in basic security videos. Yet, when I voiced this in my reports, nothing was ever changed. Three more times, someone literally held the door open for me.

Not enough companies see the importance of cyber safety. A 2022 Tech.co survey reports only 43% of large businesses consider security a top-three budget priority to invest in. According to PwC, only 19% of CIOs, CISOs, and CTOs are fully confident their company has taken steps to secure against common cloud breaches. There isn’t a widespread understanding of the dangers posed by malicious actors, or of how to mitigate them and avoid breaches down the road, which is exactly what Uber is facing now. The root of the problem lies in the company-wide disconnect.

One way to connect your employees to the cybersecurity precautions they should take is through detailed training modules. No more simplistic, boring ones that put everyone to sleep. AI platforms offer specific videos on several different topics and customize them per your organization’s needs. Employees can also watch these videos on their own time, keeping them easily accessible whenever they’re needed. This keeps safety tips top of mind versus offering one simple, annual training class that can be quickly forgotten.

If your company is utilizing pentests, you need to make sure all employees see and understand the human vulnerabilities that come out of them afterwards. Everyone from the CEO to the receptionist should be aware of where your business is vulnerable so you can close the open doors. Gaps will continue if not everyone is made aware of the mistakes and potential dangers. AI can assist in making that data available, and even implement culture change through social engineering as a form of defense.

Address the missing gap of cybersecurity

Relying on technology to improve your company’s security is necessary but shouldn’t be limited to technical controls. To truly make a change, you also need to address human error by taking the time to train and retrain your employees in online safety.

Modifying their attitude about effective security practices through an AI platform is going to fix their tendencies over time and connect your company, top to bottom. You’ll tighten the security around sensitive data and better protect your company from a data breach.


https://www.cpomagazine.com/cyber-security/how-penetration-testing-showed-me-whats-missing-in-security/
