Stopping cyber attackers from targeting the weakest links in security

Businesses are witnessing a rise in cyberattacks around the world, as geopolitical tensions and more sophisticated threat actors come to the fore. While it’s appropriate to respond to high-level threats in kind, security teams must also remember that a chain is only as strong as its weakest link – a phrase that has become a cliche for a reason.

More people are also working remotely since the pandemic, adding further strain to organizations’ cyber security resources.

“Ransomware attacks have increased dramatically in the last year,” says Dr Becky Alexis-Martin, a lecturer in peace, science, and technology at the University of Bradford.

“They used to be very profit driven, whereas now it's about the data itself and the politics, rather than just for profit.”

Following a number of high-profile cyber attacks, it has become common for staff briefings to include a cyber security section. Multi-factor authentication (MFA) has proved particularly effective in mitigating cyber attacks by adding a further level of verification.

However, cyber warfare is a continually escalating case of one-upmanship, whereby security providers develop a new security solution, attackers find a workaround, which is then patched by the developers, and so on. A one-off investment in security is no longer a guarantee of defense.

“Cyber attacks have grown exponentially just in the last year and they have become more commonplace as the world has become politically volatile,” says Alexis-Martin. “I would argue that we’re now in a hot digital war and it’s become an arms race for developing new technologies.”

Malicious actors are also using new tools in their attacks. The early stages of a cyber attack are often automated, as hackers use tools including AI and machine learning (ML) to find known network vulnerabilities that have not been patched. Once these AI tools have identified the potential weak points, hackers know where to focus attacks.

Patching security vulnerabilities is a regular activity for IT teams and often a priority. However, these patches may be delayed due to beta-testing to ensure compatibility with the wider network and to avoid unnecessary and costly downtime during business-critical periods.

Problem exists between chair and keyboard

Employees generally remain the weakest point in an organization’s security posture. People are fallible and susceptible to social engineering, such as TOAD and deepfake attacks.

Whilst a computer can be eternally vigilant, the average person cannot maintain a continued level of heightened paranoia; at least not without having a breakdown.

Regular cyber security training is now a must, but presenting that information in an engaging way with as little cyber jargon as possible can be challenging. Testing the cyber security awareness of an organization, such as by sending spoof phishing emails, can identify those people requiring additional cyber security training.

“Training programs are quite good, as they can sit in the background, sending out random spoof emails to whoever clicks on them,” says Colin Tankard, managing director at Digital Pathways. “You do find that there are perpetual clickers and it does help to identify those vulnerable people in an organization.”

How compromised employees are treated also needs to be considered. Any worker who suspects they may have been compromised needs to be encouraged to approach IT teams to report the incident. A fear of reprimands, particularly at the hands of senior colleagues, may force employees to shy away from reporting events at all.

With the proliferation of remote working, malicious actors are also now targeting people at home.

In the UK, for example, there has been a spate of phone calls claiming to be from a local health authority, asking to speak to the vulnerable person in the household. This type of attack highlights a chilling shift in cyber attacks, whereby scammers and hackers are identifying vulnerable people as potential weak points.

The people being targeted may be vulnerable for various reasons. Children and the elderly are seen as easy targets to manipulate and attackers are making the same calculations when it comes to picking the most vulnerable people on the payroll.

Vulnerable people may also live with others who have critical access to corporate networks from home, compounding potential compromise scenarios.

Whilst trained people tend to be suspicious of a caller’s or sender’s identity and any requests to click on links, connect devices or install apps, vulnerable people may not have an understanding of what they are being asked to do, or the consequences. Should a malicious actor gain access to a vulnerable person’s device or shared home computer, they are inside the home network and could connect to other devices, deploy packet sniffers to intercept messages or potentially piggyback into the corporate network.

Security needs to look inward as well as outward

Cyber security tends to be outward looking, so once a threat actor is within a network they are able to move laterally without interrogation. There needs to be a zero-trust approach to verification. Just because an employee has already been verified from a certain device does not mean that the same person is logging in again.

Network monitoring for suspicious traffic or anomalous behavior, such as using intrusion detection systems (IDS), can mitigate this threat, but it is a tool that needs to be carefully trained to correctly identify legitimate users and malicious actors.

A few years ago, there was widespread acceptance of employees using their own devices for work purposes, but there is now a pushback against this due to the threats within less-secure home networks. More often than not, especially within organizations that process sensitive data, the use of corporate devices will now be mandatory. These require robust credential verification and are not to be used by other people.

“Any company with a ‘Bring your own device’ policy, means those devices fall under cyber essentials. That means they must be updated and patched correctly. But what happens when someone has an old device that cannot accept the latest updates?” asks Tankard.

Protecting the most vulnerable

As the weak point in any organization is commonly its people, hackers tend to focus on the most vulnerable to exploit them. They are not necessarily the target of their attack, but a stepping-stone towards a greater goal.

Companies can protect themselves and build morale by offering cyber security deals with third-party providers for the family of their employees. A step further could be to even offer online cyber security courses within the wider community, which would raise awareness of good cyber security behavior whilst building their reputation within the local area.

Just as we can protect children online with child-friendly settings and parental tools, so too should steps be taken to protect our most vulnerable. This needs to be done without taking away independence, but rather giving confidence to be online, with the appropriate safeguards in place.

Unfortunately, this new trend of cyber attacks targeting the most vulnerable is here to stay. The increased protections offered by modern cyber security mean that malicious actors, in order to breach network defenses, will focus on the weak points, which are often linked to human actions.