As the business world navigates the ups and downs of today’s economy, a mindset shift is required to maintain cyber resilience. Cybersecurity, often an afterthought in a strong economy, must not be neglected in responding to shifts in the business landscape.
As more companies expand their remote workforce, the number of endpoints with access to corporate resources is proliferating. Hackers are seizing the opportunities this presents: Phishing email click rates have risen from around 5 percent to over 40 percent in recent months, according to Forbes.
With a strong cybersecurity mindset and some strategic planning, your company can position itself to survive these new working conditions and build up even more cyber resilience as you adapt. Because cybersecurity professionals are facing formidable adversaries, understanding how hackers think can go a long way in mitigating the threat they pose.
An Unfair Advantage
Security expert Frank Abagnale is one of the foremost experts on the thought processes of threat actors, and he was kind enough to lend his expertise to this piece.
Since the number of successful phishing attacks has skyrocketed, I asked him if this is more a function of hackers stepping up their game, or employees not possessing the right cybersecurity mindset to pay attention.
“It’s both,” he explained. “Any crisis is a perfect backdrop to phishing attacks. At the same time, employees are in a new environment, working from home with more distractions than ever. Add to this stress, cabin fever and anxiety, and you have the perfect phishing storm.”
What makes bad actors so successful, according to experts, is that they take advantage of the human condition. And the human condition is less guarded by security layers today than it has been in quite some time.
“Any fear and anxiety gets people to do things they normally would not do,” said Abagnale.
Take It From the Top
So what can an enterprise do to swim against this foreboding tide? Abagnale insists that vigilance is the key.
“It’s the way to go in normal times and especially now,” he said. “If a link or email sounds too good to be true, it probably is. Don’t rush to fill forms and provide your information to anyone who claims to be the IRS” — or someone who can accelerate your tax return.
But employees can’t be expected to bear the full responsibility of security, or even to recognize established best practices in every scenario. If something is too confusing or complicated and employees don’t know much about it, failure can seem inevitable. Good cybersecurity must be taught in ways that are easy to understand and that include actionable takeaways.
“We must use this time to educate and keep employees alert,” Abagnale asserted. And today, the cybersecurity responsibility elevator operates with only one button and one destination: the C-suite. It therefore falls to chief information security officers (CISOs) and security practitioners to connect the dots and ensure their colleagues understand what they can do to help.
Modern Problems, Modern Solutions
As we continue working, could the altered landscape change Abagnale’s mindset around cybersecurity? Would most of his convictions hold?
“I have been talking and warning executives and companies for over four decades about what criminals do to exploit unsuspecting humans,” he explained. “I now live to see the full effect of it, in a time that is ripe for fraud and deceit. My convictions are more reinforced today than ever. I am more energized to help educate the public about cybercrime and how we move forward to a better and more secure internet.”
Abagnale firmly believes that we must elevate our systems to prepare for the future, and the first piece of advice he would give to any company and security practitioner is to stop using passwords.
“Once you take the secret away from the human user, they cannot give it to the crooks,” he said. “They will not fall prey to keyloggers. It’s time we move forward from a 1960s technology to the 21st century.” Now may just be the time to put into action what Abagnale has been suggesting for years, and the path to a passwordless world may be simpler than you think.
Of course, moving away from passwords is just one aspect of the mindset shift security experts must embrace to bolster their cyber resilience. Don’t just keep cybersecurity and cyber hygiene front of mind; take the opportunity to reevaluate the true efficacy of our fundamental assumptions about security. Drastic changes in the threat landscape will continue to develop as working norms are overhauled, and security measures devised for outdated threats likely won’t serve us in the future — or even the present.