
Your Cybersecurity Isn’t Enough Without End User Security. Here’s How to Encourage It.

Sep 18, 2024

What if we were to say all your cybersecurity systems, firewalls, and automated detection tools are not enough to protect your digital assets on their own? It’s true. You wouldn’t read about massive breaches at AT&T, Ticketmaster, Dell, and other prosperous enterprises if the right security stack was enough to fend off hackers.

The truth is that bad actors don’t need to bring down the walls of Jericho to get what they want; they just need to find someone who’s willing to let them inside.

More companies are waking up to this reality. When asked in Dark Reading’s Strategic Security Survey what the primary cause of their organization’s next major data breach would be, 38% of respondents said the root cause would be end users ignoring security policy.

Part of the problem is that companies then start to think of end users as a weak link rather than comrades in cybersecurity. In fact, if both organizations and individuals are going to keep sensitive information and proprietary data protected, they need to recognize they’re together on the front line.

Here’s some food for thought about how everyone can increase their end user security savviness.

How Cyber Criminals Are Trying to Exhaust Users

By this point, hackers know that a well-funded organization with a good security team and up-to-date compliance will be mostly locked down. Yes, they can probe systems to find vulnerabilities (automation has allowed them to work 24/7/365 to subvert filters), but that takes time and effort that doesn’t yield a rapid payoff.

End users, on the other hand, are an easier attack vector. With all the data available on the dark web through a litany of breaches, hackers can easily find most of the information they need about you. Your email, phone number, job title, employment history, education, hobbies, family members, connections, and other tidbits can and will be used against you. Assume that the bulk of what an attacker would want to know about you is already public; the rest doesn’t change their approach.

Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.

– John McAfee

Here are some examples of what cyber criminals can do:

  • They can look at your LinkedIn account and send your work email a fake invoice in the hopes that you’ll click a link or download malware as an attachment.
  • They can send you unsolicited emails about packages you never ordered.
  • They can use property ownership records from a county clerk’s office, combined with your phone number, to try to trick you with a “mortgage verification” scam.

Beyond those instances, hackers are asking themselves, “How can I manipulate this person into typing their username and password, or trick them into approving a multi-factor authentication (MFA) prompt by calling them?”

The answer mostly is to try to exhaust everyone with phishing, spear phishing, smishing, and other attacks in the hopes there’s a lapse in judgment. Hackers are doing this billions of times a day, so they only need a tiny fraction to succeed.

Worse yet, bad actors have even learned how to abuse security strategies to create exhaustion. Cyber criminals have engineered what is referred to as an MFA fatigue attack: having already obtained a target’s password, they repeatedly attempt to log in as that user so that the identity provider keeps pushing second-factor prompts to the user’s registered phone or app. The hope is that someone will either obliviously approve the request from the start or accidentally do so after the umpteenth attempt. Number matching (where the user must type a code shown on the login screen) and phishing-resistant factors such as FIDO2 security keys remove the blind-approve path, and a burst of prompts for one account is itself a signal worth alerting on.
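The burst of prompts described above is visible in authentication logs, so it can be detected rather than left to the user’s patience. The following is an added example written for this page, not code from the original post or from w3r Consulting; the log format, the user names, the ten-minute window and the prompt threshold are all assumptions, and the log lines are constructed.

```python
"""Detect MFA fatigue (push bombing) in constructed authentication log lines.

Added example; not code from the original post. The log format
(timestamp user event), the threshold and the window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "push_sent" is the identity provider sending a
# second-factor prompt; "push_denied"/"push_approved" is the user's answer.
# alice is a normal login; bob is hit with five prompts in under three
# minutes, denies twice, then approves (the outcome the attacker wants).
SAMPLE_LOG = """\
2024-09-18T08:01:02Z alice push_sent
2024-09-18T08:01:20Z alice push_approved
2024-09-18T22:14:05Z bob push_sent
2024-09-18T22:14:30Z bob push_denied
2024-09-18T22:15:01Z bob push_sent
2024-09-18T22:15:22Z bob push_denied
2024-09-18T22:15:40Z bob push_sent
2024-09-18T22:16:03Z bob push_sent
2024-09-18T22:16:30Z bob push_sent
2024-09-18T22:17:15Z bob push_approved
"""

WINDOW = timedelta(minutes=10)  # assumed: prompts closer together than this are one burst
MAX_PROMPTS = 4                 # assumed: more than this many prompts per window is suspicious


def parse_log(text):
    """Turn the constructed log into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_mfa_fatigue(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: summary} for every user who received a burst of prompts.

    A burst is more than max_prompts push_sent events for one user inside
    window (sliding over the sorted timestamps). The summary counts denials
    during the burst and records whether an approval followed the burst's
    start, which is the case responders should treat as likely compromise.
    """
    prompts = defaultdict(list)
    outcomes = defaultdict(list)
    for ts, user, event in sorted(events):
        if event == "push_sent":
            prompts[user].append(ts)
        else:
            outcomes[user].append((ts, event))

    alerts = {}
    for user, times in prompts.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count <= max_prompts:
                continue
            if user in alerts and count < alerts[user]["prompts"]:
                continue                       # keep the largest burst seen
            burst_start, burst_end = times[start], t
            denials = sum(1 for ts, ev in outcomes[user]
                          if ev == "push_denied" and burst_start <= ts <= burst_end)
            approved = any(ev == "push_approved" and ts >= burst_start
                           for ts, ev in outcomes[user])
            alerts[user] = {
                "prompts": count,
                "denials": denials,
                "approved_after_burst": approved,
                "first": burst_start,
                "last": burst_end,
            }
    return alerts


if __name__ == "__main__":
    for user, summary in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, summary)
```

The response to a hit should be to revoke the user’s sessions and reset the password that let the attacker trigger the prompts in the first place; a burst that ends in an approval means the attacker now has a valid session, not just a password.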

Effective End User Security Requires a Change in Mindset

What can end users do to take a better security posture? We firmly believe there needs to be a holistic mindset shift.

There is no technology today that cannot be defeated by social engineering.

– Frank Abagnale

Frankly, we all need to approach life with a zero-trust mentality. We’re at the point where even the near-photorealistic images and videos we’re watching online might be the product of artificial intelligence. Every person, every piece of content, and every request needs to be verified as authentic before you act on it.

If you’re looking for some specific guidance, here’s what we recommend to our users:

Apply Vigilant Scrutiny

Every message that enters your inbox (that you don’t delete outright) should be inspected with detail. Even with sophisticated filters and DMARC requirements, malicious emails can slip through the cracks. Though you won’t have to sift through as many fraudulent messages or scams, you still need to keep an eye out for the shrewd attackers.

Let’s return to some of the unsolicited messaging. Though hackers are persistent and increasingly leveraging AI-generated content, their messages still give themselves away if you subject anything suspicious to careful inspection. We all just need to condition ourselves to ask simple yet revealing questions before we take important actions.

Let’s return to the invoice. Ask yourself:

  • Am I expecting to receive this?
  • Is this from an email address I expect to receive this message from?
  • Do any links point to reputable sites? Hover over them to see the real destination, and whenever possible avoid clicking links at all; go to the site directly instead.
  • Are any of the characters, logos, or sentences odd?

Better yet, consider whether a request arriving by email or text is even plausible. If you receive a request from “Microsoft” or your IT team to reset your password when you didn’t initiate a reset, don’t act on it from the message. It is almost certainly a scam (hover over the link and you’ll usually see it pointing to an unofficial website). If you think it might be genuine, go to the portal you normally use or call IT on a number you already have rather than replying to the message.
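The questions above can be applied mechanically to a message before a human ever reads it, which is how mail filters and security teams triage reports. The following is an added example, not code from the original post or from w3r Consulting: it parses a constructed fake-invoice email, checks the From domain against a list of senders you actually expect, compares it with the Return-Path, and inspects every link for the two classic tells, visible text that shows one site while the href goes to another, and a host that imitates a real domain. The sample message, the expected-sender list and the lookalike heuristics are all assumptions.

```python
"""Sender and link scrutiny on a raw email message.

Added example; not code from the original post. The sample message is
constructed, the expected-sender domains and lookalike rules are assumed.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed fake-invoice lure: From looks right, Return-Path does not,
# and the first link shows the vendor's URL while pointing somewhere else.
SAMPLE_EML = """\
From: Accounts Payable <billing@vendor-example.com>
Return-Path: <bounce@mail-blast.example.net>
To: you@w3r.com
Subject: Invoice 4471 past due
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your invoice is overdue. Review it here:</p>
<p><a href="http://vendor-example.com.login-verify.example.org/inv">https://vendor-example.com/invoices/4471</a></p>
<p><a href="https://vendor-example.com/help">Help center</a></p>
</body></html>
"""

# Assumed: the vendors you genuinely receive invoices from.
EXPECTED_SENDER_DOMAINS = {"vendor-example.com"}

# Digits commonly swapped for letters in lookalike domains (assumed list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Domain part of an email address header value, lower-cased."""
    addr = email.utils.parseaddr(str(address))[1]
    return addr.rsplit("@", 1)[-1].lower()


def registrable(host):
    """Last two labels of a host. Assumption: no public-suffix list, which is
    good enough for .com/.org style hosts but wrong for e.g. .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(host, expected):
    """True if host imitates expected: the real domain is used as a leading
    label of a different registrable domain, or matches after digit swaps."""
    host = host.lower()
    reg = registrable(host)
    if reg == expected:
        return False
    if host.startswith(expected + ".") or host.startswith(expected + "-"):
        return True
    return reg.translate(CONFUSABLES) == expected.translate(CONFUSABLES)


def scrutinize(raw, expected_domains=EXPECTED_SENDER_DOMAINS):
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    if from_dom not in expected_domains:
        findings.append(f"From domain {from_dom} is not a sender you expect this from")
    rp = msg["Return-Path"]
    if rp and domain_of(rp) != from_dom:
        findings.append(f"Return-Path domain {domain_of(rp)} differs from From domain "
                        f"{from_dom} (bulk mailers do this too, so look closer rather than condemn)")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
        for exp in expected_domains:
            if looks_like(host, exp):
                findings.append(f"{host} imitates {exp}")
    return findings


if __name__ == "__main__":
    for finding in scrutinize(SAMPLE_EML):
        print("-", finding)
```

Note that a Return-Path mismatch on its own is weak evidence, since legitimate invoicing platforms send on a vendor’s behalf; it is the combination with a mismatched or lookalike link that turns a “look closer” into a “don’t click”.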

Reduce What’s on Your Systems

One of the fundamental approaches to security has always been to create as few doors as possible for hackers to open into your system. How many doors does a vault have? One (with maybe an escape hatch)?

With that in mind, you want to minimize the number of apps on your work devices and the number of devices on your work systems. That goes for users as well as system administrators. For starters, reevaluate any freemium apps you’re using on work devices. When you’re not paying for a user’s license, you’re the product and your data is likely fair game (always dissect the user agreement).

At w3r Consulting, we use as few vendors as possible and have applications as tightly integrated as possible. The reason is that if it’s not there, it can’t be abused. Those within the w3r.com domain can talk to pre-established domains, but when a new domain tries to contact ours, that connection is heavily scrutinized.

It’s important to remember that every line of code and function is potentially abusable. The more you give, the more you risk. Keeping that in mind can save you from breaches in the future.

Collaborate with Your Cybersecurity Team

When in doubt, reach out to your cybersecurity team. They’re going to be happier providing you with input and answers than trying to recover from a data breach later. Your cybersecurity team can deflect some of these threats (sometimes they tune filters loosely to avoid false positives), and they can confirm your suspicions if you think an attack in the making is under way.

If you think you may have made a mistake and exposed the system to bad actors, contact your cybersecurity team as quickly as possible. The sooner they know, the more options they have, including restoring from backups before the worst-case scenario plays out. At w3r Consulting, we create daily backups that are then air-gapped from any network, meaning there’s no internet connection and updates are made manually. Short of an EMP, we’re not going to lose data.

The Big Picture

Humans are pattern-detecting machines, so applying some of that scrutiny to end user security practices isn’t an impossible ask. Does it require alertness and vigilance? Yes, but taking security seriously now can prevent financial, personal, and reputational losses in the future.

If you choose to work with a cybersecurity partner, make sure it’s one that never sacrifices security for ease. w3r Consulting treats our data and those of our clients like we’re Fort Knox. Not only do we keep that data in the vault, but we ensure every employee knows how to spot someone who is trying to steal from you. When everyone works together, hackers need to work overtime to break through your defenses.

Are you looking for help with a cybersecurity assessment? Reach out to the w3r Consulting team and we can help to evaluate your system and end user security.

