Your boss may respect work-life boundaries, but cybercriminals don't. Bad actors are increasingly targeting employees in social engineering scams that originate on their personal networks, with the ultimate goal of compromising the workplace. This year, chief information security officers (CISOs) should focus on how they can defend and protect employees beyond the walls of corporate systems.
Large high-profile tech companies are the most recent in a long line of organizations that have fallen victim to social engineering attacks. In 2023, there are bound to be more. Social engineering will be the leading root cause of major cyberattacks for the foreseeable future, for two reasons: They're cheap to execute, and they actually work. When one path — such as corporate email — becomes more difficult, attackers shift to other communication methods, including employees' personal platforms like texts, social media, or LinkedIn profiles. In fact, according to recent Tessian data, 56% of employees said they received a text message scam in the past year.
It's clear that security needs to extend outside of corporate walls, but there's an important balance that security leaders must strike to respect boundaries on employees' personal accounts and devices. Here's what should be top of mind when building a strategy to cover risks outside of the security team's reach.
Social Engineering Attacks Have Moved to Personal Channels
While corporate email has historically been the main channel for social engineering scams, a combination of cybersecurity tools, strategies, and awareness training has made it more difficult for attackers to break through. As a result, attackers are moving to personal channels that aren't as well protected.
In last summer's major Twilio breach, attackers targeted employees through their personal phone numbers and sent text messages posing as Twilio's IT department, rather than the traditional method of sending messages to a corporate email address. The text messages instructed employees to log in to a fraudulent Twilio website, which attackers then used to harvest employee credentials and breach the company's internal systems. Targeting personal devices can be especially effective, because people tend to give their phone numbers away less often than their email addresses, so there's a higher level of trust when receiving a text message that impersonates an employer.
How to Protect Employees Outside of the Workplace
De-shaming security mistakes and taking the blame and punishment out of incident reporting can strengthen security efforts both inside and outside of the workplace. Leaders should create a security culture where employees are encouraged to flag mistakes and suspicious activity, even if a personal account is breached on a company computer.
It's difficult for many employees to find and access simple, actionable steps to improve personal information security. There's a strong opportunity for security teams to provide curated resources to help employees, including arming them with resources to help their friends and family as well.
For example, some enterprise security vendors, including several password managers, provide employees with free personal versions of their tools as part of their B2B business. Another tactic is to develop an internal list of resources available to employees to help protect them in their personal lives. This can be quite efficient for improving the overall security of the workforce.
How to Respect Employees' Personal Boundaries
Trust is a crucial part of security. IT and security teams must respect boundaries when it comes to employees' personal devices and accounts.
Being predictable and transparent is key to building trust and increasing engagement with employees. Having well-defined security support processes, including examples, can help employees know exactly what will happen when they reach out for support at work, or for support outside the workplace. For example, if an employee needs help with targeted phishing emails in their personal email, knowing ahead of time that the security team will not ask for remote access to their personal devices can increase their confidence and trust when they reach out for help.
One strategy that's worked quite well for my teams is to maintain a "transparency page" that provides high-level information about internal security practices such as logging and monitoring on laptops and other corporate systems. This way, employees are not surprised and can make informed, safe choices about personal data and usage (within the acceptable use policy, of course).
Attackers will continue to evolve their social engineering strategies and cross whatever boundaries it takes to successfully execute a breach. Even when corporate systems and devices aren't the initial source of an attack, these tactics can compromise company systems, credentials, and data. Security teams must continue to evolve their strategies and expand their reach while respecting the personal privacy of employees and maintaining crucial trust.