Criminals had to change in the pandemic, too

Tom Allen

And they're still iterating on their new tactics

The last year and a half has changed everything we once took for granted, from spending time with friends to how we interact with colleagues. And it's not just us - cyber criminals have had to change, too, presenting a new challenge for IT leaders.

Attackers were forced to adapt their tactics last year, increasing their focus on targeting employees directly with social engineering attacks like phishing and smishing - a trend that is still ongoing. It's much easier to fall for an impersonation when you're only talking to colleagues once or twice a day, after all.

At the same time, technical attacks have changed as well. Javvad Malik, security awareness advocate at KnowBe4, says:

"As many organisations have adopted cloud services to enable easier collaboration during remote working, we've seen not only more attacks against cloud services - either through account compromise or social engineering - but also the use of cloud services to host and launch attacks. There has also been the growing risk of misconfigurations in the cloud, which have unwittingly exposed many records."

Most modern companies use layers of security that attackers have to break through before a successful breach. While it's common to only think about the technical side of layered security, your employees are also one of those layers - and they often get a bad rep. That's not fair, argues Malik.

"Like any of the layers, we can expect some [people] to work better in some circumstances compared to others, but it is generally unfair to call humans the weak link. Rather, it's often poor architecture and design or lack of appropriate support to employees that contribute towards incidents."

Security awareness training is the "absolute minimum" companies should offer to employees. Ideally, they should go further, with processes and activities to change user behaviour, and eventually work towards creating a culture of security.

"When security becomes part of the organisational culture, it becomes easier to adopt and hold onto. That's not to say that mistakes won't happen, but employees will make better decisions, and be quicker to report where any errors are made or observed."

A security-first culture makes it much less likely that an attack will succeed, and can even help with spotting and responding to existing compromises that have sat in the network for some time. So-called low and slow attacks are difficult to find and present a very real danger.

"A low and slow attack can be more dangerous [than a fast attack] in the long run, because it allows criminals to understand the organisation and how it's set up. Data can be stolen, like intellectual property or information about upcoming projects or mergers and acquisitions. Organisations could be compromised for weeks or even months without even realising it.

"On the other hand, a cyber blitz can be effective at rendering systems and services unavailable and, due to the public and highly visible nature, can lead to a reputational hit for the organisation."

Even with a culture that values and prioritises security, incidents can still get through. Technology solutions have their place, but Malik believes that training staff is the most cost-effective answer.

"When we look at the threats to organisations, social engineering is the number one root cause for the majority of attacks. This is despite having software and systems in place. Therefore, for these cases, training staff can be one of the most effective ways to reduce the risk. That way, the attack may change in their style, or the channel they use, but people will be more likely to spot and defend against it."
