“Eighty-five percent of breaches involved the human element. Phishing was present in 36% of breaches in our dataset, up from 25% last year. Business Email Compromises (BECs) were the second-most common form of Social Engineering. This reflects the rise of Misrepresentation, which was 15 times higher than last year.”
Social engineering has grown more sophisticated as hackers mine social media and pose as legitimate companies to try to sneak through defenses, according to the report.
“The reason many companies are vulnerable to ransomware is that their social engineering defenses are weak. Social engineering is prevalent because people are poorly trained in the risks, or perhaps just not paying attention,” Machuca asserts, adding that the hackers are very sophisticated.
“While a lot of spam is hilariously bad, some of it is pretty good,” he contends.
Some spam carries surprisingly accurate imitations of well-known brands, courier services, and colleges, which lulls recipients into a false sense of comfort because they recognise the company or service. Hackers capitalize on that comfort to perpetrate their crimes, and their grammar and formatting keep improving, which makes everyone more vulnerable.
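One check a mail gateway or SOC can run against the brand impersonation described above is to compare the brand named in the display name or subject with the domain the message actually came from, and to look for lookalike or homoglyph domains and mismatched Reply-To addresses. The following is an added example written for this article, not code from the article or from anyone quoted in it; the brand allowlist, the homoglyph table and the three sample messages are constructed assumptions, and the registrable-domain logic is deliberately crude (last two labels only).

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed allowlist: which domains legitimately send mail for each brand.
# In production this would come from DMARC/SPF data and vendor documentation.
BRAND_DOMAINS = {
    "fedex": ("fedex.com",),
    "dhl": ("dhl.com", "dhl.de"),
    "microsoft": ("microsoft.com", "microsoftonline.com"),
}

# Character substitutions commonly used in lookalike domains (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def registrable(domain: str) -> str:
    """Crude registrable domain: the last two DNS labels, lower-cased."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def normalize_domain(domain: str) -> str:
    """Undo homoglyph substitutions so 'rnicrosoft.com' becomes 'microsoft.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a brand domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_findings(raw: bytes) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) pairs for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    haystack = f"{display} {msg.get('Subject', '')}".lower()
    findings = []
    for brand, good in BRAND_DOMAINS.items():
        if from_dom in good:
            continue  # sender domain is legitimate for this brand
        if brand in haystack:
            findings.append(("brand_domain_mismatch", f"{brand!r} named but sent from {from_dom}"))
        for g in good:
            if normalize_domain(from_dom) == g:
                findings.append(("homoglyph_domain", f"{from_dom} normalizes to {g}"))
            elif edit_distance(from_dom, g) == 1:
                findings.append(("lookalike_domain", f"{from_dom} is one edit from {g}"))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply and registrable(reply.rsplit("@", 1)[-1]) != from_dom:
        findings.append(("reply_to_mismatch", f"replies go to {reply}, not {from_dom}"))
    return findings


# Constructed sample messages (not real traffic).
PHISH_FEDEX = b"""From: "FedEx Delivery" <notify@fedex-track-update.com>
Reply-To: tracking-desk@gmail.com
Subject: Your parcel is waiting
To: victim@example.org

Click the link to reschedule delivery.
"""

PHISH_MICROSOFT = b"""From: "Microsoft 365" <security@rnicrosoft.com>
Subject: Unusual sign-in activity
To: victim@example.org

Verify your account within 24 hours.
"""

LEGIT_DHL = b"""From: "DHL Express" <noreply@dhl.com>
Subject: Shipment notification
To: victim@example.org

Your shipment 1234 is on its way.
"""

if __name__ == "__main__":
    for name, raw in [("fedex", PHISH_FEDEX), ("microsoft", PHISH_MICROSOFT), ("dhl", LEGIT_DHL)]:
        print(name, impersonation_findings(raw))
```

These header checks catch the cases the article describes (a good-looking brand imitation sent from the wrong domain) but not a compromised legitimate mailbox, which is why they belong alongside user training and MFA rather than in place of them.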
Proper backup and recovery can prevent data loss
The improving effectiveness of ransomware-laced spam will ensure that the threat continues. Only when the human firewall changes will the danger of ransomware subside. Until that day arrives, Machuca notes, many companies still do not have thorough backup systems in place.
“They think they do, but as is obvious, they don’t. There is no fundamental difference between ransomware locking a drive and a crashed drive. In both cases, the data on the device is unavailable, and the mitigation to a crashed drive is good backups. If a hacker encrypts a drive, the solution is still the same,” Machuca explains.
He adds that while good backups are essential, most are too complicated or time-consuming for people to do regularly.
“To this, I am sympathetic. Backing up multiple terabytes or a petabyte file takes some time, and if you back up the file online, it could take hours to days,” Machuca says.
“So, people don’t back up their files daily, and that’s the vulnerability,” he continues. Therefore, monitoring networks and keeping a client’s cyber-vulnerabilities in check are needed on top of backups.
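Two things make daily backups practical for the data sizes Machuca mentions: copying only what changed since the last run, and verifying afterwards that what was copied can actually be read back. The following is an added example written for this article, not code from the article or from anyone quoted in it. It keeps a content-hash manifest next to the backup, copies only files whose hash changed, and re-hashes the backup copy as a restore check; the source tree it operates on is constructed in a temporary directory, and the destination is assumed to be ordinary local storage (it does nothing to make that storage offline or immutable, which is what actually keeps a backup out of ransomware's reach).

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(dest: Path) -> dict:
    m = dest / "manifest.json"
    return json.loads(m.read_text()) if m.exists() else {}


def incremental_backup(src: Path, dest: Path) -> list[str]:
    """Copy only files whose content hash differs from the manifest.

    Returns the relative paths copied on this run. Files deleted from src
    are deliberately kept in the backup (a ransomware wipe should not
    propagate into the copy).
    """
    dest.mkdir(parents=True, exist_ok=True)
    manifest = load_manifest(dest)
    copied = []
    files = sorted((p for p in src.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(src).as_posix())
    for path in files:
        rel = path.relative_to(src).as_posix()
        digest = sha256_file(path)
        if manifest.get(rel) != digest:
            target = dest / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[rel] = digest
            copied.append(rel)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return copied


def verify_backup(dest: Path) -> list[str]:
    """Restore check: re-hash every backed-up file; return missing or corrupt paths."""
    manifest = load_manifest(dest)
    bad = []
    for rel, digest in manifest.items():
        p = dest / "data" / rel
        if not p.exists() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed scenario: full run, changed-file run, then a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "src", Path(tmp) / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "a.txt").write_text("quarterly report v1")
        (src / "big.bin").write_bytes(os.urandom(1 << 20))  # 1 MiB of filler
        first = incremental_backup(src, dest)          # everything is new
        (src / "docs" / "a.txt").write_text("quarterly report v2")
        second = incremental_backup(src, dest)         # only a.txt changed
        clean = verify_backup(dest)                    # expect nothing wrong
        # Simulate the backup copy itself being overwritten (e.g. encrypted).
        (dest / "data" / "big.bin").write_bytes(b"ENCRYPTED")
        damaged = verify_backup(dest)
        return {"first": first, "second": second, "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

On a multi-terabyte tree, hashing every file on every run is itself the slow part; real tools compare size and mtime first and hash only candidates, but the verification step is the one most people skip, and it is the step that tells you before an incident whether the backup is worth anything.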
End-user training goes a long way in securing remote work
Another trend that will continue in 2022 is remote work, something Machuca advises can bring efficiencies to an organization if the risk can be mitigated.
“I think that in the future, we will see a blend of remote and in-office work, where remote will be preferred, and face-to-face will be the exception,” Machuca predicts.
Remote work is a weak link in the IT ecosystem, a vulnerability that hackers will continue to exploit and that small businesses need to keep shoring up. The best way to shore it up is through employee training. People doing remote work often do it on their own systems, which can be easier to penetrate.
“On an office computer, someone may be more vigilant, and the business probably has firewall policies in place,” Machuca suggests, adding that on personal machines, people are likely to be less careful, which creates complications.
“You can’t control where they go, what they download, or what they potentially can contract,” Machuca states, adding that if a remote worker is hacked, that hack can spread into the corporate network.
Good firewalls, good processes, and layers of cybersecurity are the first step. We all want to see a technical solution to this problem.
But until such solutions exist, Machuca maintains the most effective use of dollars small businesses can be expending is on employee training.
“Humans are the weakest link, and hackers know this. And that is why social engineering and ransomware are so effective,” Machuca says. But the human element will remain the “wild card” in combatting hackers.
Small Business Action list:
Priority 1: The human firewall – people – is our biggest vulnerability. Human error is a huge risk. Therefore, make cybersecurity phish testing and education your top priority.
Priority 2: Two-factor, also known as multi-factor, authentication, not only for your email but also for cloud and external-facing critical systems.
Priority 3: Identity and privileged access management – zero tolerance and least privilege are process- and policy-level protections, especially for administrators.
Priority 4: Moving beyond anti-virus to EDR (endpoint detection and response) is a priority that every organization will align to in the next couple of years.