
Your Employees Are an Overlooked Corner in Your Attack Surface


Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Rahul Kannan of Securin shines a light in the dark corner of your attack surface to reveal an overlooked X factor: the employees.

Protecting your company in a threat landscape defined by constant cyber-attacks and crippling ransomware has become a juggling act. It can seem impossible to keep up with the latest technologies, attack methods, or vulnerabilities. The risks are severe, with the average cyber-attack costing $4.45 million, and they are only expected to climb higher as global cyber-crime is predicted to increase 15 percent yearly over the next five years. If the trend continues, cyber-crime could end up costing $10.5 trillion annually by 2025.

The numbers don’t lie: securing your organization and what matters most requires a comprehensive and robust cybersecurity strategy, and at the heart of this strategy are humans. However, humans can be both an asset and a potential liability in cybersecurity, as attackers use social engineering tactics to deceive employees into providing unauthorized access to company systems. The potential fallout, as seen in the MGM Hotels hacking incident, underscores the critical need for comprehensive training programs aimed at enhancing awareness and resilience against these methods.

Humans remain an integral part of a successful cybersecurity strategy. Their ability to utilize intuition, critical thinking, and creativity is essential in interpreting and validating complex threats that automated systems might miss. Human expertise is vital in crafting effective cybersecurity policies, adapting strategies to evolving threats, and responding swiftly to incidents.

Protecting Your Systems With the Human Touch

Prioritizing the safety and security of your computer systems should be at the forefront of every business leader’s mind. In the age of AI and automation, new technologies offer off-the-shelf monitoring and vulnerability detection. This is helpful as organizations grow and scale; however, while this technology is robust, it is not flawless and requires a person in the driver’s seat for validation and a holistic strategy against cyber threats.

Human oversight of these automated applications can help narrow the scanning scope and focus resources on where vulnerabilities may be hidden. Over 200,000 documented CVEs are in the wild, and over 1,000 require immediate patching, as recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Only a trained security employee can accurately deploy automated solutions to resolve vulnerabilities. Additionally, this human-centric approach enables cybersecurity teams to proactively assess their attack surface and manage vulnerabilities when immediate action is necessary.

Employees are a vital component of an organization’s cyber offense, but they can also be the weakness in its defenses.

Employees Are an Asset and Vulnerability within Your Attack Surface

Attack Surface Management (ASM) involves approaching security from the attacker’s perspective to secure an organization’s sprawling assets and resources. With hundreds of unfilled vacancies in cybersecurity positions nationwide, cybersecurity and attack surface management must become a company-wide responsibility.

Verizon’s DBIR Report 2023 found that 74 percent of all breaches include the human element, with people involved either via error, privilege misuse, use of stolen credentials, or social engineering. Another report revealed that 91 percent of all cyber-attacks are initiated from phishing emails, and 32 percent of all successful breaches occur because of phishing techniques.

How Companies Can Prepare Employees for Threats and Minimize Risks

Although employees are common entry points into an organization’s systems and security, they are not a complete liability. Per the FBI and CISA recommendations, organizations should enforce strict rules on the types of applications and software employees are permitted to download, and should regulate the use of remote desktop services among their staff. They must ensure all individuals across the organization are aware of established security measures, have proper security training, and aren’t clicking links or attachments in malicious emails.

Cybersecurity leaders must implement and remind their employees of basic security measures like:

  • Passwords Requiring Protection, Complexity, and Routine Updates
  • Installing Security Software on Mobile Devices
  • Multi-Factor Authentication (MFA)
  • Updating Access Controls
  • Cautious Searching on Websites
  • Only Downloading Materials from Reputable Sources

At the End of the Day…

Employees are a necessity for validating AI and automated cybersecurity practices, but they must also be viewed as an integral piece that makes up an organization’s attack surface. Their intuition, creativity, and intelligence can identify and validate threats that technologies might miss. While essential, they also use and have access to systems that contain system credentials, proprietary information, and highly sensitive data. Therefore, employees must be trained and updated on cyber-best practices to protect this invaluable data and their companies.
