Despite increased investment in cybersecurity, data breaches cost businesses an average of $4.35 million in 2022, according to AAG, an IT support services company.
Amir Tarighat, digital privacy expert and CEO of cybersecurity company Agency, says that cybercriminals have increasingly turned their attacks to the personal devices of employees to gain access to employer data. As a result, managing employee-targeted digital risk is crucial for any organization serious about data privacy.
We recently connected with Amir for insights on the changing cybersecurity landscape, employee-targeted digital risk, and changes organizations need to make to protect their business in 2023.
Here’s what he had to say.
Can you talk about the changing cybersecurity landscape and how organizations can adapt to it?
AT: In the last decade, businesses have started to prioritize cybersecurity. Corporate devices and networks have become increasingly well-hardened, benefitting from a veritable army of professionals and cutting-edge technology. But as the enterprise cybersecurity ecosystem grows, defending against hackers better than ever before, cybercriminals have begun targeting a vulnerable target to access company data: the personal lives of individual employees. Individual employees are being targeted for three reasons:
- Enterprise security processes from software, experienced and trained security teams, cyber insurance, audited frameworks, and security questionnaires have all become more mainstream and common within businesses.
- As applications and services have moved to the Cloud, threats have shifted from attacks on infrastructure to attacks on access controls. This has given rise to things like identity management and zero trust.
- Most individuals do not have good cybersecurity in their personal lives.
In 2023, the most significant cybersecurity themes companies will face will revolve around threats coming from Employee-Targeted Digital Risks.
What is employee-targeted digital risk and can you discuss the importance of managing it?
AT: Employee-Targeted Digital Risk (ETDR) can be defined as organizations’ attack surface exposed via team member devices, accounts, and digital lives. While businesses have invested in enhanced cybersecurity defenses to protect company-owned devices and networks, individual employees often do not have a comparable level of protection. And employers are feeling the effects – in 2022 alone, employee data breaches resulted in costly cyberattacks on major names like Microsoft, Cisco, and Uber.
Most people don’t spend any money on cybersecurity, and those that do tend to purchase passive countermeasures like VPNs and antivirus, which don’t represent how active, comprehensive cybersecurity is done by professionals. As a result, their cell phones, laptops, tablets, and even smartwatches are left vulnerable, creating the perfect storm for criminal hackers to target employees to attack the organizations they work for.
Without an effective strategy to manage employee-targeted digital risk, cybercriminals can use anything from stolen passwords on the Dark Web, personal information from data brokers, and complex malware and phishing campaigns to gain access through employees to valuable company data and systems. As cybercrime continues to increase, with its cost expected to reach $10.5 million by 2025, taking an enterprise-level approach to employee cybersecurity is no longer an option for employers – it’s a necessity.
What changes will businesses need to make to protect their data in 2023?
AT: There are a few things that they can do:
Introduce strong BYOD policies. Implementing a policy that monitors and protects the personal devices under an organization’s tech umbrella can turn its greatest cyber risk into its strongest cyber defense. A BYOD – or “Bring Your Own Device” – policy sets out the rules for which employees can use personal devices to access company systems like email and Slack. While some businesses already have these policies in place, most utilize weak cybersecurity measures that can annoy users and violate their privacy. In 2023, the key to successful BYOD programs will be providing employees with real, professional-grade cybersecurity measures that they can use in their personal and professional lives.
Invest in cybersecurity insurance. Working with a third-party cybersecurity company is one of the best ways to anticipate and respond to a cyberattack. Most cyber insurance carriers will also provide resources to help quickly minimize damage. The importance of having an incident response plan in place cannot be overemphasized. A good incident response plan would include the responsibilities of each member of the team and each step that should be taken.
Utilize physical security keys. One of the first, and most important, steps employers should take to protect their data is requiring multi-factor authentication (a system that requires users to present a combination of two or more credentials to verify their identity for login). Unfortunately, not all multi-factor authentication methods are created equal.
For example, you may choose to implement a program that sends a code to your employee via text. But if that employee’s phone doesn’t have adequate cybersecurity protections turned on, criminals can hack into the device using a variety of methods, compromising the individual’s login credentials. A physical security key is the most secure form of multi-factor authentication because it goes further than most other methods, adding a third layer of authentication that blocks bad actors from accessing files, data, sensitive information, etc. if they don’t have the actual, physical key.