Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

What are cybercriminals thinking? Inside the mind of a threat actor, the devil is in the details. Cybersecurity is composed of so many details that it's easy to miss some of them. For instance, even if you have all other employees protected, just one person not using two-factor authentication could put them all at risk.

Back in the day, a 99% success rate for security solutions was considered good. But the problem is that there's still a 1% chance of an attack getting through. To defeat that 1% chance, you must have layers of security. If you've got 10 layers of 99% success, you stack the odds in your favor that you will catch just about every security threat.

Defenses are getting more advanced, so threat actors will always search for the point of least resistance. In our day and age, that point is the human element. According to IBM, 41% of all cybersecurity incidents start with phishing as the initial attack vector. Fortunately, though, it's not all doom and gloom. By understanding the enemy, you can better prepare your organization against cyberattacks.

The State of Security: Understanding Where Threat Actors Look

Many threat actors are returning to the basics of social engineering by using information they get from data brokers. They're using basic phishing tactics to hook a target, because it avoids the automated cybersecurity tools and directly engages the individual human.

Cybercriminals rarely commit direct attacks against the designated target person. They typically find someone in the target's support system: an executive assistant, a spouse, kids, or the live-in grandmother. Whoever is the softest target in that support system will be the one who clicks a link. It doesn't matter if they have the latest, greatest security software update. Think of the Trojan horse story: A walled city's defenses were no match for a clever scheme that went right past all those defenses. In fact, the defenders opened the gates wide and unwittingly let the threat in.

Train the Company's Cyber-Spidey Senses

You have to develop a certain level of "Spidey sense" in employees, and it can be as simple as realizing that they need a second opinion before clicking a link. They don't have to be subject matter experts; they just have to know enough to recognize when they should ask someone else. After all, the Verizon "2024 Data Breach Investigations Report" notes that more than two-thirds (68%) of breaches analyzed included a nonmalicious human element, which involves insider errors or falling for social engineering schemes.

Part of developing this sense is looking for red flags in emails. While this may be getting harder with AI, there are still some obvious signs. Misspellings, odd phrasing, strange fonts, or out-of-character requests are all good indicators that something is amiss. For example, you would never get an email from your mom saying, "Hello, I need you to buy me gift cards." In addition, train employees to hover over the sender's name to see the email address. If the subject line says "Comcast," but the email address ends in "gmail.com," they can bet the email is a scam.

If a bad actor can access someone's packets by Wi-Fi sniffing or other means, the actor doesn't have to follow the person — they can just build out an electronic pattern of life and figure out where the target is going. That jeopardizes physical and digital safety. So, employees need to know not to connect to free Wi-Fi without a VPN and to turn Wi-Fi off when not using it.

People sometimes have the mistaken notion that they aren't targets for bad actors because they aren't famous and don't have a high net worth. But that's simply not the case today. Anyone with any online presence is a potential target to attackers. That means everyone needs to know their cyber hygiene.

Basic cyber hygiene is essential and easy. Steps to train employees on include:

All of these points can be taught and tested via ongoing training.

Outmaneuvering the Cybercriminals

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target. Criminals go after the low-hanging fruit, such as people who click on suspicious links. Your job is to harden all targets at your organization. 

One of the security layers needed to close that 1% gap mentioned earlier is ongoing cyber-hygiene training for all employees from the bottom to the top. This aspect of a full-spectrum security plan is crucial, as humans are typically the weakest link in the security chain. However, with the proper education and training, they can become a solid first line of defense that helps keep everyone in the organization safe.