Understand Security Risk
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the ways cybercrime could hurt your company.
- List the top human behaviors that intruders exploit.
- Describe the most common methods criminals use to get access to information.
Secure Employee Behavior Is Equally as Important as Secure Technology
Considering that we use technology all day long, both at home and at work, it makes sense that cybercrime is on everyone's mind. The 2020 Verizon Data Breach Investigations Report analyzed a record total of 157,525 incidents, in categories ranging from malware and hacking to social engineering and ransomware. Cybercrime continues to evolve: some of the most successful recent attack vectors, such as phishing, target people rather than technology. According to the 2022 report, phishing and stolen user credentials were the top threat vectors in 2021.
The threat landscape is more complex than ever, and it is increasingly difficult for security teams to prevent, detect, analyze, and respond to threats. Rather than attacking technology directly, cybercriminals increasingly target employees by exploiting basic human behaviors. As security technology has matured, attackers look for the weakest point in the network, and most often that turns out to be human error. Security training, like this badge, matters more than ever: because employees are the easiest target, everyone needs to learn how to protect themselves and the company. Every person affects security, regardless of function or title.
It takes only one employee opening a phishing email to set off a chain of events that may compromise your company’s data. This means that security should be an integrated part of everyone’s job. In this module, we look at some basic behaviors that every employee can adopt to help make the company more secure.
Intruders Exploit Human Behaviors
Let’s talk about how human nature plays into cybercrime. Criminals have learned they can exploit typical human feelings, such as curiosity and the desire to please, to steal credentials and infiltrate your network. Let’s dig into some of the messaging that elicits these emotions.
- Fear: “If you don’t give me the information, I will report you to your manager.”
- Trust: “Your bank account has just been closed. Click here to reactivate.”
- Morality: “Can you hold that office door open for me? My arm’s broken, and this package is heavy.”
- Reward: “My company is considering investing in your products. Can you answer a few questions about your organization first?”
- Conformity: “Bill Stevens from Finance always gives me updates about Q2 earnings, but I can’t get a hold of him. Can you help me with the report?”
- Curiosity: “Wow… Check out this video of a giant snake eating a zookeeper!”
Spot Basic Attack Methods
Hackers gain access to their targets in a variety of ways. The entry-point methods below are common techniques that cybercriminals use to prey on human behavior and gain access to sensitive information or networks.
- Phishing: Attempting to acquire sensitive information, such as usernames and passwords (user credentials), credit card details, and banking information, by masquerading as a trustworthy entity. There are several types of phishing. The most common are email phishing, phishing by phone (vishing), phishing by text message or SMS (smishing), and targeted phishing aimed at a specific individual, often someone with a high level of access (spear phishing).
- Malware: Tricking users into downloading malicious software (malware) intended to access, damage, or control a device or network, often delivered through a link or attachment in a phishing email.
- Social Engineering: Manipulating people into taking an action or revealing confidential information.
- Exploiting Public Information: Using information that is publicly available on the internet (for example, on a social media platform) to design a social engineering attack, guess a password, or craft a targeted phishing email.
- Tailgating: Gaining access to a secured area, either by following a legitimate badge holder in or by persuading someone to let them in.
- Eavesdropping: Secretly listening in on private conversations.
- Dumpster Diving: Collecting sensitive information from recycling or trash that was not appropriately destroyed.
- Installing Rogue Devices: Gaining access to a secure network by connecting an unauthorized device, such as a wireless access point or a USB thumb drive containing malicious software.
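The phishing entry above turns on one idea: the message masquerades as a trustworthy entity. The example below, written for this edit and not part of the original module, shows what that masquerade looks like in the headers and links of a message, using the same "your account has been closed" lure quoted earlier. The two sample emails, the trusted-domain list, and all function names are constructed assumptions; the lookalike check is a deliberately simple heuristic (digit-for-letter swaps, punycode, and a trusted name nested under another domain), not a complete anti-phishing filter.

```python
"""Spot the masquerade in a phishing email: sender domain vs. trusted domain vs. link hosts.

Added example, not from the original training module. Samples and the
trusted-domain list are constructed for illustration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed phishing sample: the display name claims to be the bank, the
# From domain swaps a digit for a letter, and the link host only *contains*
# the bank's name as a subdomain of an unrelated domain.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: employee@corp.example
Subject: Your account has been closed
Content-Type: text/plain

Your bank account has just been closed. Click here to reactivate:
https://example-bank.com.account-verify.xyz/login
"""

# Constructed legitimate sample for comparison.
SAMPLE_OK = """\
From: "Example Bank" <alerts@example-bank.com>
To: employee@corp.example
Subject: Statement ready
Content-Type: text/plain

Your monthly statement is available at https://www.example-bank.com/statements
"""

# Assumption: the organization keeps a list of known-good sender domains.
TRUSTED_DOMAINS = {"example-bank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Common digit-for-letter substitutions used in lookalike domains.
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels (no public-suffix lookup)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def looks_like(candidate: str, trusted: str) -> bool:
    """True if candidate imitates trusted without being equal to it."""
    candidate = candidate.lower()
    if candidate == trusted:
        return False
    if candidate.startswith("xn--") or ".xn--" in candidate:  # IDN/punycode label
        return True
    return candidate.translate(DIGIT_SWAPS) == trusted


def analyze(raw: str) -> dict:
    """Return the sender domain, link hosts, and a list of masquerade findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    link_hosts = [h for h in (urlparse(u).hostname for u in URL_RE.findall(body)) if h]

    findings = []
    for trusted in TRUSTED_DOMAINS:
        if looks_like(from_dom, trusted):
            findings.append(f"sender domain {from_dom} imitates {trusted}")
        for host in link_hosts:
            if host.lower().startswith(trusted + "."):
                findings.append(f"link host {host} nests trusted name {trusted} under another domain")
            elif looks_like(registrable(host), trusted):
                findings.append(f"link host {host} imitates {trusted}")
    for host in link_hosts:
        reg = registrable(host)
        if reg != from_dom and reg not in TRUSTED_DOMAINS:
            findings.append(f"link host {host} does not match sender domain {from_dom}")

    return {
        "sender_domain": from_dom,
        "link_hosts": link_hosts,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        result = analyze(sample)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

Run as a script, the phishing sample produces three findings (lookalike sender domain, the trusted name nested as a subdomain, and a link host that does not match the sender), while the legitimate sample produces none. The point for an employee is the same one a tool applies: read the actual domain after the @ and the actual host in the link, not the display name or the familiar-looking prefix.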
Resources