Global Resident Chief Information Security Officer (CISO) for Proofpoint.
We live in a digital world where data is the new currency for both businesses and cybercriminals. Many online service providers collect massive amounts of consumer data—and threat actors can use this data to breach your organization.
Even an attack on a consumer service may have dangerous implications for your business. You need to understand what kind of data is collected by the digital tools that your employees use and how this data creates cybersecurity risks for your organization.
Your Employees’ Data In The Marketplace
Every day, consumers—including your employees—exchange their privacy for online services and apps. Social media, video and music streaming services, search engines, mobile communication platforms—all these companies collect vast amounts of information ranging from personal and payment details, GPS location and browsing habits to technical details such as browser cookies, device ID and IP addresses. Some of these services dig deep into consumers’ profiles, collecting details like race or ethnicity, religious beliefs, political orientation and shopping preferences.
Mostly, the platforms need the collected data to deliver and improve their services. Specifics such as browser or device information, for example, are necessary to prevent fraud, allowing websites to use that information to identify legitimate users. And for free online services, monetizing user activity and private info such as browsing habits allows them to derive income that supports those services.
So why should your organization be concerned if employees share their personal information with the commercial or social services they consume on their own time? In today’s interconnected world, employees’ personal and work lives intertwine. Your employees’ data that exists in the marketplace gives threat actors a great deal of leverage against your organization and leaves it exposed to attack. It's critical to put effective protection in place against this exposure.
How Bad Actors Leverage Data
It may be hard to wrap our heads around the unprecedented volumes of personal information at cybercriminals’ disposal. But we can get an idea by looking at data compromises that occur every year. For example, the U.S. had a record-breaking 1,862 data compromises in 2021, or a 68% increase over 2020, according to findings from the Identity Theft Resource Center.
Compromised records eventually make their way to the dark web, where they're freely available at commodity prices. Bad actors cull personal information from these records, supplement it with details they find on social media and use this intel to launch targeted email phishing attacks. Because the attackers can customize the messages based on what they learn about the targets, the emails appear more genuine and are more likely to compel the recipients to act, whether that's opening an attachment containing malware or clicking on a link that harvests their credentials.
A single employee action—one careless click—is all it takes for attackers to gain a foothold in your organization, then move laterally until they achieve their ultimate objective. The Australian hedge fund Levitas Capital is one example. A fake Zoom invite link sent to the company’s cofounder resulted in the company paying $8.7 million in fraudulent invoices. Levitas went out of business shortly afterward, attributing the decision to the irreparable damage from the attack.
Implications For Your Organization
Proofpoint’s research shows that the success rate of phishing attacks is growing. The results of our State of the Phish study found that 83% of surveyed organizations experienced at least one successful email phishing attack in 2021, compared to only 57% the year before. Attackers increased their focus on compromising people rather than systems, with the survey revealing an 18% year-over-year increase in business email compromise attacks.
Threat actors will be successful at compromising organizations for as long as phishing remains a highly effective technique. According to the findings published in the annual Verizon Data Breach Investigations Report (DBIR), phishing has been the leading action involved in data breaches in the last two years. The DBIR results also found that 85% of breaches involve human action, further emphasizing the point that people-centric threats have huge implications for any organization.
Defending Your Human Element With Awareness
The costs of breaches have also been growing. According to the findings reported in IBM’s Cost of a Data Breach Report 2021, the average cost increased by the largest margin in 17 years, from $3.86 million in 2020 to $4.24 million in 2021. Expanding regulatory requirements contribute to this trend.
The European Union’s General Data Protection Regulation (GDPR), which is approaching its fourth year since coming into effect, continues to be the gold standard for privacy regulation. In the U.S., California led the way in passing the first GDPR-like regulation, the California Consumer Privacy Act (CCPA). This was followed by a significant amendment—the California Privacy Rights Act (CPRA). Last year, Virginia and Colorado also passed similar privacy regulations.
This year is off to an active start in the cybersecurity and privacy regulatory landscape. So far, Utah has passed the Consumer Privacy Act, and the SEC has proposed new cybersecurity rules. The Asia-Pacific region has been quite active as well, with several country-level data privacy acts under consideration. And at the end of last year, China passed the Personal Information Protection Law (PIPL), the fastest law to go into effect after enactment. With only a few months’ notice, organizations had to scramble for compliance.
Considering data collection practices by consumer tech companies, threat actors leveraging that data to compromise organizations and a continuously morphing regulatory landscape, the best way to protect your company against the single mistake of an unwitting or careless employee is through communication. Educate your people about the breadth of information that online services collect about them directly and indirectly, and how that affects not only their personal privacy but your entire organization.