And they're still iterating on their new tactics
The last year and a half has changed everything we once took for granted, from spending time with friends to how we interact with colleagues. And it's not just us - cyber criminals have had to change, too, presenting a new challenge for IT leaders.
Attackers were forced to adapt their tactics last year, increasing their focus on targeting employees directly with social engineering attacks like phishing and smishing - a trend that is still ongoing. It's much easier to fall for an impersonation when you're only talking to colleagues once or twice a day, after all.
At the same time, technical attacks have changed as well. Javvad Malik, security awareness advocate at KnowBe4, says:
"As many organisations have adopted cloud services to enable easier collaboration during remote working, we've seen not only more attacks against cloud services - either through account compromise or social engineering - but also the use of cloud services to host and launch attacks. There has also been the growing risk of misconfigurations in the cloud, which have unwittingly exposed many records."
Most modern companies use layers of security that attackers have to break through before a successful breach. While it's common to only think about the technical side of layered security, your employees are also one of those layers - and they often get a bad rep. That's not fair, argues Malik.
"Like any of the layers, we can expect some [people] to work better in some circumstances compared to others, but it is generally unfair to call humans the weak link. Rather, it's often poor architecture and design or lack of appropriate support to employees that contribute towards incidents."
Security awareness training is the "absolute minimum" companies should offer to employees. Ideally, they should go further, with processes and activities to change user behaviour, and eventually work towards creating a culture of security.
"When security becomes part of the organisational culture, it becomes easier to adopt and hold onto. That's not to say that mistakes won't happen, but employees will make better decisions, and be quicker to report where any errors are made or observed."
A security-first culture makes it much less likely that an attack will succeed, and can even help with spotting and responding to existing compromises that have sat in the network for some time. So-called low and slow attacks are difficult to find and present a very real danger.
"A low and slow attack can be more dangerous [than a fast attack] in the long run, because it allows criminals to understand the organisation and how it's set up. Data can be stolen, like intellectual property or information about upcoming projects or mergers and acquisitions. Organisations could be compromised for weeks or even months without even realising it.
"On the other hand, a cyber blitz can be effective at rendering systems and services unavailable and due to the public and highly visible nature, can lead to a reputational hit for the organisation."
Even with a culture that values and prioritises security, incidents can still get through. Technology solutions have their place, but Malik believes that training staff is the most cost-effective answer.
"When we look at the threats to organisations, social engineering is the number one root cause for the majority of attacks. This is despite having software and systems in place. Therefore, for these cases, training staff can be one of the most effective ways to reduce the risk. That way, the attack may change in their style, or the channel they use, but people will be more likely to spot and defend against it."