The retail industry isn’t the only one that needs to worry about cyber attacks. In fact, all organizations are warned against increased threats due to careless employee behaviors during the holiday season.
In a recent survey, half of the participants admitted to using a work-issued computer or mobile device for online shopping. A breach could result from an employee innocently clicking on a link in a phishing email promising a holiday discount.
Credential stuffing attack
During a credential stuffing attack, attackers use bots to attempt to log into target sites or corporate networks using stolen credentials. This research, commissioned by Akamai and carried out by Ponemon Institute, found that companies experience an average of 11 credential stuffing attempts each month, with each attack targeting 1041 user accounts.
Researchers at Radware found that bad bots carrying out account takeover attempts reached their peak right before Black Friday in preparation for holiday attacks. This imminent threat has spilled over to the National Cyber Security Centre’s (NCSC) Password policy: updating your approach, which now recommends checking user passwords against a compromised password list.
You can check user passwords against NCSC’s top 100,000 most hacked passwords or create your own password blacklist using online sources. If you’re looking for a more comprehensive list without having to compile your own, use a third party password filtering service that includes billions of compromised passwords and is continuously updated with the latest leaked passwords.
If you currently don’t have a mechanism in place to check against compromised passwords but curious to know how big your problem is, use this free password audit tool to scan your Active Directory and finds out which accounts are using compromised passwords.
Social engineering attack
The social engineering attack is a targeted method that preys on human behavior. Criminals try tricking employees into granting access by pretending to be someone they trust. A common scam during the holidays involves criminals impersonating CEOs and sending emails to employees pretending to be out of town, requesting them to make wire transfers.
Social engineering is also extremely common during the password reset process - a classic technique is calling the service desk for password resets by pretending to be someone else in order to gain access to organization’s sensitive data.
Eliminating the opportunity for user impersonation, and the single point of failure, can be done with multi-factor authentication (MFA). MFA requires the user to verify their identity with multiple forms of authentication including authenticator apps (for example: Google Authenticator), personal identity providers (for example: LinkedIn), as well as higher trust methods (for example: Fingerprint Authentication). This layered approach fortifies your organization against various types of attacks during user login as well as password reset.
Phishing attack
According to the 2019 Cyber Security Breaches Survey published by the UK government, phishing attacks account for 80 percent of all cyber attacks. Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source.
The goal is to gain sensitive, confidential information such as usernames, passwords, credit card information, and network credentials. This type of attack is often used to gain a foothold in corporate networks as a part of a larger attack.
The holiday season is the prime time for phishing when your employees are on the lookout for holiday deals. Train your employees to spot phishing scams and avoid clicking on malicious links. Stress the importance of checking any hyperlinks for bogus links before they click and never giving up personal information from an unsolicited email. Run phishing simulations to test how susceptible your employees are to scams and provide more training if necessary.
Strengthen the weakest link in your security
Employees may not have malicious intent, but their careless behavior can add up to large financial and reputational damage. It is no surprise that many UK employees lack security awareness - 65% of UK professionals did not receive mandatory IT training in their first month of employment in their current or most recent role. Of these individuals, 74% had never received any IT training at all, according to this survey by Evaris.
Protect your organization against the above attacks by providing your employees with security awareness training. Help them identify potential cyber threats as well as the steps to take when something seems suspicious. The program should be completed by all new employees, and followed up with updated training on an annual basis.
Don’t let hackers ruin your holiday spirit
Regardless of your organization’s size or industry, the holiday season provides an ideal opportunity for hackers to scam their way into your organization’s networks. In the midst of the holiday celebration, it's important to stay vigilant to fraudulent activities that your employees may be susceptible to and double down on the defenses recommended above.