

Cyber resiliency: building a secure future

27 June 2024 • by Jamie Woodruff in Technology

To safeguard your organization from persistent cyber threats, look beyond technology and focus on educating your people, says prominent cybersecurity expert and ethical hacker Jamie Woodruff.

When organizations look to tackle cyber threats, they put a big focus on technology and forget about people. What I want organizations to realize is that, while we need technology, your people are your first and last line of defense.

I have uncovered numerous physical security weaknesses, in both the public and private sectors, by focusing on social engineering and the human side of cybersecurity: infiltrating targeted organizations to find the weaknesses a real attacker would exploit.

Through my extensive experience, I know that your people are under attack by organized criminals like never before. These criminals use social engineering to understand who your employees are. They spend months understanding their habits and their strengths and weaknesses, and they use this information to gain access to your organization’s most important asset – your data – with devastating consequences.

A very real threat

According to Verizon's 2022 Data Breach Investigations Report, ransomware attacks increased by 13% in a single year, a rise as large as the previous five years combined. The first half of 2022 saw 236.7 million ransomware attacks worldwide, and the average cost of an attack was $1.85m. Even in organizations with strong preventative controls, ransomware breaches took 49 days longer than the average breach to identify and contain. The 2024 State of Ransomware report found that 46% of ransomware victims estimated business losses at $1-10 million as a result of an attack, with 16% reporting losses of over $10 million.

To give you an example: the National Health Service (NHS) in the UK suffered a $100m loss due to the WannaCry ransomware attack in 2017 – a massive global cyber strike that affected around 230,000 different machines in 150 countries. More than 19,000 NHS appointments were canceled as a result.


Ransomware is also affecting critical national infrastructure. A recent ransomware attack saw Russian-linked cybercriminals target the British financial system. The incident affected 42 of ION Trading UK's customers, forcing many European and American banks and brokers to process trades manually. According to the affected brokers, the disruption hit crucial operations such as margin calls and regulatory reporting on major market positions.

It always falls back to human error, no matter what

People tend to picture a hacker as Warlock from Live Free or Die Hard, trying to take over the world from a basement. That's the stereotype. The reality is that the person compromising your organization's security is most likely a disgruntled former employee or a third-party organization tasked with processing your data, not a lone wolf.

In the past, hackers would get into, then out of, an organization quickly; that is no longer the case. Some attackers spend years inside an organization, keeping a back door open and inviting other criminals to bid for access to your information.

What should you look out for?

What we are facing today is serious organized criminals reaching out to your employees asking them to deploy ransomware on their behalf.

In the late 90s, it was all about viruses, malicious code, trojans, and advanced worms. Attacks rarely used ransomware, even though it has existed since the late 1980s. From 2004 to 2007 we saw identity theft, and from 2007 to 2010 we saw the rise of botnets. Since 2010, it has been all about social engineering. According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involve a non-malicious human element, such as a person falling victim to a social engineering attack. You can have all the technology in the world to ward off attacks, but if I watch you for six months and learn your habits and where you spend your time, there is a lot of information I can use to lure employees in. This is how organizations are being compromised.


Malicious individuals normally message employees on WhatsApp, Signal, or Telegram to gather information. They promise a payout once the individual has deployed the ransomware within his or her organization and the organization pays the requested ransom.

And the tactics are becoming more and more sophisticated. One startling example is a case of juice jacking, an attack that abuses the fact that a USB charging port or cable also carries data. One organization asked me to investigate an employee whose devices kept getting infected with ransomware. After spending a few days with him, it turned out that his e-cigarette charging cable contained hidden electronics that turned the charging connection into a data connection, sending and receiving data whenever it was plugged in. During the investigation, we discovered that malicious actors had set up a store on wish.com and targeted employees of the company with paid marketing over social media to encourage them to buy that charging cable. A charge-only cable or a USB data blocker, and a policy of never plugging unknown cables into company devices, closes this path.

10 tactics to beware of

It pays to be hyperaware. Employees should be educated about the many ways they can fall victim to organized criminals on any given day. These are some of the most common attack vectors criminals use, any of which can lead to data being compromised. Here are 10 to watch out for:

1. Phone spoofing

Beware of callers who fake the caller ID of a known number and impersonate a colleague, supplier, or executive to obtain sensitive information. Fake audio and video are increasingly easy to make and increasingly convincing, so verify any unusual request through a separate channel you already trust.

2. Diversion tactics

It takes just 11 seconds to pull valuable information from an unlocked laptop, so be aware of people trying to divert your attention from your computer, even for a short while. Lock your screen before stepping away, however briefly.

3. Phishing attacks

Criminals register domain names that look like the organization's own (a swapped letter, an extra word, a different top-level domain) and send mail or links from them. Educate employees to check a sender's domain character by character and to treat unexpected links and attachments with suspicion.

4. Baiting

Criminals drop branded USB pens to be picked up by targeted employees in the hope that they will be plugged into company devices. Emphasize just how important it is not to plug in unknown devices and to be aware of everything they plug into company assets.

5. Eavesdroppers

Criminals listen to conversations to extract information that could be useful during an attack or at a later stage. Avoid sharing sensitive information, even around seemingly unrelated people such as waiters or delivery drivers.

6. Badge surfing and tailgating

Criminals print fake identification badges to impersonate employees within the organizational structure. Pay close attention to this and to your security access points, which are easily defeated by tailgaters following an authorized person through a door.

7. QR code attacks

Be careful of the QR codes you scan. A QR code that encodes a malicious link can lead to a page that downloads droppers or trojans onto a user's device. Preview the decoded URL before opening it and treat codes on stickers, posters, or unexpected letters as untrusted.

8. MITM attacks

A man-in-the-middle (MITM) attack is when a perpetrator positions themselves in the conversation between a user and an application, either to eavesdrop or to impersonate one side. A common way to do this is via free WiFi networks at hotels, airports, and cafes. Make sure your employees always connect over a VPN when traveling and never click through certificate warnings in the browser.

9. Quid pro quo

A social engineer offers a service, such as tech support, to trick the user into handing over sensitive information, such as login credentials. Encourage your employees to question unsolicited and unexpected offers of support and to verify the identity of the caller or sender before handing over information by telephone or email.

10. Scareware

This happens when a malicious actor bombards the victim with fake infection warnings, such as pop-ups on the user's screen or spam emails, scaring them into paying for software that purports to fix the problem but actually contains malware designed to steal data. Constant education about these attack tactics is essential to ensure staff don't fall foul of them.
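As an added illustration of the lookalike-domain point under tactics 3 and 7 (this is example code written for this edit, not code from the article or its author), the Python script below triages a sender domain, an e-mail address, or a URL decoded from a QR code against an organization's trusted domains. It folds confusable characters, decodes punycode so IDN homographs become visible, measures typo distance, and spots brand names embedded in unrelated domains. The trusted domain example.com, every sample input, the confusable table, and the small public-suffix subset are constructed assumptions.

```python
"""Lookalike-domain triage for sender domains, e-mail addresses, and URLs (e.g. decoded from a QR code).

Constructed example: the trusted list and every sample input are made up for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Tiny hand-picked subset of the Public Suffix List (assumption; use the real list in production).
MULTI_PART_TLDS = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Character pairs attackers swap because they look alike in common fonts (constructed subset).
CONFUSABLES = [("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t"),
               ("i", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d")]


def host_of(value: str) -> str:
    """Extract the host from a bare domain, an e-mail address, or a URL."""
    value = value.strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")   # hostname drops user@ and :port
    if "@" in value:
        value = value.rsplit("@", 1)[1]
    return value.lower().rstrip(".")


def to_unicode(host: str) -> str:
    """Decode punycode labels (xn--...) so IDN homographs are visible to the checks below."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        out.append(label)
    return ".".join(out)


def registrable(host: str):
    """Split a host into (name label, TLD, all labels): 'mail.example.co.uk' -> ('example', 'co.uk', [...])."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS:
        return labels[-3], ".".join(labels[-2:]), labels
    if len(labels) >= 2:
        return labels[-2], labels[-1], labels
    return labels[0], "", labels


def skeleton(label: str) -> str:
    """Fold accents and confusables so 'examp1e' and 'exämple' both collapse to 'example'."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition counts as one edit
    return d[len(a)][len(b)]


def classify(value: str, trusted: list) -> dict:
    """Return {'host', 'unicode_host', 'verdict', 'reasons'}; verdict is trusted, suspicious or unrelated."""
    host = host_of(value)
    uhost = to_unicode(host)
    reasons = []
    if "://" in value and "@" in urlsplit(value).netloc:
        reasons.append("URL hides the real host behind user@ syntax")
    if any(ord(c) > 127 for c in uhost):
        reasons.append("non-ASCII characters in domain (possible IDN homograph)")
    c_label, c_tld, c_labels = registrable(uhost)
    for t in trusted:
        t_label, t_tld, _ = registrable(t.lower())
        t_reg = f"{t_label}.{t_tld}"
        if uhost == t_reg or uhost.endswith("." + t_reg):
            return {"host": host, "unicode_host": uhost, "verdict": "trusted", "reasons": []}
        if c_label == t_label:
            reasons.append(f"same name as {t_reg} under a different TLD (.{c_tld})")
        elif skeleton(c_label) == skeleton(t_label):
            reasons.append(f"visually identical to {t_reg} after confusable folding (homoglyph)")
        elif edit_distance(c_label, t_label) <= (1 if len(t_label) < 6 else 2):
            reasons.append(f"one or two edits away from {t_reg} (typosquat)")
        elif len(t_label) >= 4 and (t_label in c_labels or t_label in c_label):
            reasons.append(f"embeds the brand name {t_label!r} in an unrelated domain")
    return {"host": host, "unicode_host": uhost,
            "verdict": "suspicious" if reasons else "unrelated", "reasons": reasons}


if __name__ == "__main__":
    TRUSTED = ["example.com"]   # constructed: the organization's own domain
    for sample in ["mail.example.com", "examp1e.com", "exmaple.com", "example.co",
                   "example.com.attacker.net", "xn--exmple-cua.com",
                   "https://example.com@attacker.net/login", "unrelated.org"]:
        r = classify(sample, TRUSTED)
        print(f"{sample:42} {r['verdict']:10} {'; '.join(r['reasons'])}")
```

Running it prints a verdict and the reasons for each sample; in a mail gateway or QR-scanner wrapper you would feed it the From: domain and every link host and alert on anything marked suspicious. The thresholds are heuristics: short brand names produce false positives on the embedding check, and the public-suffix subset must be replaced with the full list before real use.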

OWP 2024. Keynote with Jamie Woodruff. IMD campus, Lausanne, 26 June 2024.

This article is inspired by a keynote session at IMD’s Orchestrating Winning Performance in Lausanne, which brings together executives from diverse sectors and geographies for a week of intense learning and sharing with IMD faculty and business experts.

Authors

Jamie Woodruff

Ethical hacker and cyber security specialist

Throughout his career, Woodruff has been instrumental in uncovering vulnerabilities within high-profile entities and in the online operations of high-profile people. Woodruff currently serves as Chief Technology Officer of an IT support and security firm located in the UK. The company specializes in a wide spectrum of services, including training, cloud solutions, penetration testing, and comprehensive IT support for educational institutions. Woodruff also assists the Cyber Smile Foundation, an organization dedicated to combating online cyberbullying, in the role of Cyber Safety Advisor.
