The Human Element of Hacks

WERC Staff - Apr 29 2024
Published in: Technology
Updated Apr 29 2024
Ransomware and other forms of cyberattacks are hitting organizations big and small. No one is immune. Though there is no foolproof security, there are ways to minimize the risks of being targeted.

The adage about a chain being only as strong as its weakest link is especially relevant in today’s state of corporate cybersecurity. According to the Verizon 2023 Data Breach Investigations Report, “74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering.”

A study by Kaspersky released late last year revealed that, in addition to genuine errors, information security policy violations by employees were one of the biggest problems for companies. Respondents from organizations across 19 countries reported that both non-IT and IT employees had intentionally broken cybersecurity rules. They said such policy violations by IT security officers caused 12% of cyber incidents in the two years prior to the study’s release, while breaches of security protocols by other IT professionals and by non-IT staff accounted for 11% and 8% of cyber incidents, respectively.

In terms of individual employee behavior, the most common problem is that employees deliberately do what is forbidden and fail to do what is required. Respondents to the Kaspersky study said that 25% of cyber incidents in the last two years occurred because of weak passwords or a failure to change them in a timely manner. About 24% of cybersecurity breaches resulted from staff visiting unsecured websites, and 21% of respondents reported cyber incidents caused by employees not updating system software or applications when required.

Teach an Employee About Phishing …

An analysis published last June by the Cybersecurity and Infrastructure Security Agency (CISA)—which analyzed data collected from assessments at federal executive branch agencies and some private sector companies in fiscal 2022—shows that more than 50% of successful intrusions at those organizations began with the use of a valid account for initial access. CISA’s data also shows that 33% of spear phishing attempts were successful.

IBM Security X-Force’s annual threat intelligence report, released in February, confirms the threat posed by phishing. It remained the top initial access vector for security incidents last year, with more than 40% of all incidents involving phishing as the pathway to compromise. About 60% of all phishing attacks were conducted through attachments in 2023, while phishing via links accounted for one-third of all attacks. About 25% of attacks involved the exploitation of public-facing applications and 16% abused valid accounts for access. Just one in 10 involved external remote services.

The C-Suite Is Taking Notice

The results of a Commvault-commissioned Futurum Group survey of more than 200 C-suite and senior-level IT executives across the globe indicated that organizations are also starting to realize the importance of increased collaboration in fighting cybercrime. Nearly all respondents said they had observed heightened dialogue between corporate IT and security departments over the past year. Among those reporting a “connected” relationship, 64% said they had adopted shared goals for maintaining company security, and 70% said they had established joint processes and procedures for daily operations.

Javier Dominguez, chief information security officer at Commvault, says a top-down approach to cybersecurity will help foster collaboration between IT and security teams. He notes that the role of IT is to maintain system and data availability, while security focuses on protecting those systems and data from bad actors. “These overlapping responsibilities have often led to challenges when establishing ownership over joint protocols,” he says. “IT needs to provide security teams with increased insight into their environments to help them understand the organization’s risk posture.” Similarly, security teams can provide IT teams with best practices and guidance on how to improve cyber resilience.

What Mobility Is Doing About Threats

TRC Global Mobility Inc. launched its KnowBe4 cybersecurity training campaigns in 2016 and added further training via its human resources information system (HRIS) shortly afterward. “As an organization that must collect and secure personal information to fulfill our contractual obligations to clients, we have trained our employees to secure this data and avoid unnecessary risks since our founding,” says Craig Vuoso, senior vice president of technology. “The shape and scope of our training have evolved as new technologies and threats have emerged.”

TRC’s KnowBe4 training campaigns are conducted quarterly through ad hoc emails sent to users, testing their ability to identify fraudulent emails at a moment’s notice. The company’s HRIS cybersecurity training is conducted annually and consists of online training modules and knowledge tests housed on its HRIS website. This training is mandatory for all employees.

Altair Global, meanwhile, established a comprehensive quarterly training program with engaging video modules and quizzes to ensure understanding and retention of proper cyber hygiene. Additionally, Altair conducts an in-depth training session each year, reinforcing its commitment to fostering a culture of continuous learning.

Altair also conducts monthly tests that immerse team members in realistic scenarios through randomly selected and timed simulated phishing email exercises. These are designed to test and teach without direct feedback, encouraging a mindset of constant alertness and personal responsibility. “This balanced mix of formal education and practical, hands-on testing exemplifies our holistic approach to protecting data and every individual's right to privacy within our organization,” says Anuar Solis, data protection officer at Altair.

Both companies are cognizant of the human factor of cyber risks. “In our journey toward enhancing cybersecurity resilience at Altair Global, we recognize the undeniable reality of human vulnerability as a critical factor,” Solis says. “However, through our focused training and testing efforts, we've equipped our team members with the necessary knowledge and tools to spot real-world cybersecurity threats. The tangible result of these initiatives is a significant decrease in our team members falling victim to simulated phishing attempts.”

Reinforcing the human element of the hack, TRC’s Vuoso says, “End users are among the most significant vulnerabilities in any business regarding cyber threats. This training is valuable and necessary to protect our client and customer data from malware and ransomware. It teaches the end users to recognize scams and phishing/spam attacks. And it makes them feel comfortable checking with their IT department about anything questionable before clicking, opening, or responding to any unknown or questionable emails, phone calls, texts, or application installs.”

Real estate company Compass uses Wizer for online safety training for all employees. Two training sessions were provided, one for remote work and one for account takeover scams. Both covered how hackers now work in conjunction with AI to reach their goals. Referring to the training, Kim Gisin, relocation manager, says, “I found it kept me engaged and very interested. I definitely paid attention. Knowing there are new ways hackers are infiltrating the world now and via technology is eye-opening.”

No Organization Is Immune from Cyber Threats

Altair’s Solis puts it well when he says, “Our stark reality is unambiguous: a false sense of security is our greatest vulnerability. Believing oneself beyond the reach of cybercriminals or more intelligent than them is a fallacy. As stewards of sensitive information, our obligation extends beyond mere compliance; it is a responsibility to continuously educate, adapt, and fortify our defenses against the unavoidable threats that define our digital age.”