Men, Executives Pose Higher Cybersecurity Risk

When it comes to online behaviors, women are far safer than men, according to a wide-ranging survey from SecurityAdvisor.

Although women made up 42% of the sample, they account for 48% of the safest users and only 26% of risky users. Men, on the other hand, account for 74% of risky users. A big driver of that gap is the difference in what each group does online.

According to SecurityAdvisor’s data, men are more likely to visit dangerous adult websites, use P2P software and watch pirated content than women.

SecurityAdvisor analyzed more than 500,000 malicious emails and an additional 500,000+ dangerous website visits by enterprise employees in more than twenty countries. Employees range from entry-level to executives and operate across many industries, including health care, financial services, communications, professional services, energy and utilities, retail and hospitality.

“Our partner here, Kelley McElhaney from Berkeley University, noted that women are more aware of long-term ramifications of risky behaviors,” SecurityAdvisor CEO Sai Venkataraman said. “Also, society tends to tolerate failures by dominant groups better, hence men don’t fear the consequences or fear consequences less.”

He also pointed out that men, from an early age, are socialized to take risks and win, hence they are less afraid of a potential negative outcome and engage in riskier behaviors.

C-Level Executives are Prime Targets

SecurityAdvisor’s analysis also revealed that senior-level employees, including members of the C-suite, are targeted by phishers almost 50 times more than an average employee.

“Senior-level employees often have a more public profile,” Venkataraman said. “Hackers also seek out senior-level executives because they are more likely to have valuable and sensitive data. It’s easy to find out email addresses of senior employees and their designation and then target them.”

Hank Schless, senior manager of security solutions at Lookout, also noted that being able to impersonate an executive can make nefarious activities easier to carry out undetected.

“The attacker can influence less-senior employees to do things if they pose as an executive,” he added. “We’ve all received phishing emails, supposedly from our CFO, asking us to wire thousands of dollars immediately, but we know this is a red flag.”

If the threat actor can log in to the company’s Slack instance, for example, that direct outreach to other employees makes a successful attack considerably more likely.

“This scenario is incredibly common, and highlights the need for organizations in any industry of any size to implement a security solution that takes a platform approach to securing all employee endpoints and access to any cloud or private apps,” he said. “Detecting anomalous behavior, regardless of the individual executing that behavior, can throw a red flag very early in an attacker’s activity and stop them before the damage is done.”

Individualized Risks

Because risk differs from person to person, Venkataraman said, a “one-size-fits-all” approach to security awareness coaching is problematic, and alternative strategies should be considered.

“The biggest reason why a one-size-fits-all approach to security awareness is problematic is because risk varies by individual, department, tenure, designation and location,” Venkataraman explained. “Security awareness needs to be aligned to risk and solve the specific areas of exposure for the individual. Otherwise, it’s just a compliance check box and does not really add value.”

The flexibility of hybrid work environments also presents a significant cybersecurity challenge for security leaders.

As remote and hybrid work environments become a permanent fixture for many organizations, businesses increase their human attack surface.

In the absence of a physical office and an on-premises network, remote employees lose direct support from their organization’s IT teams, making them more susceptible to cyberattacks.

“Remote and hybrid work environments have contributed to a new normal where humans are arguably the largest attack surface for enterprises,” Venkataraman said. “Companies have also become much more liberal with their policies as devices are now shared by family members, more online access is needed, and it’s harder to validate if emails and messages indeed came from co-workers.”

He also pointed out that the nature of work and risk has changed, calling traditional security awareness training “boring”, and noting employees are flooded with emails and training and do not really want to take one more training module.

“Employees are much more likely to engage with content that tells them why it is relevant for them, the risks that they face individually and with micro-content that is tailored for them,” Venkataraman said.

Role-Based Security Training

Heather Paunet, senior vice president at Untangle, also pointed out that while covering the basics, such as how to recognize phishing emails, works for the general audience in a company, there must also be cybersecurity training tailored to different roles within the company.

“By focusing on roles and departments, training can specifically address the tools and processes used, where there may be vulnerabilities and how to protect the network,” she said. “When training employees, it is also important to accommodate different learning styles (visual versus verbal) and to make it a continuous process as threats evolve.”

Paunet also pointed out that IT teams need to understand the hybrid workplace model and its impact on network security so they can create plans and new safety protocols that keep networks and employees safe as staff rotate in and out of the office.

“The hybrid work model complicates network security as employees can bring threats from working at home back to the office and a controlled network,” she said. “Issues like employees not always using the VPN as they should, as well as less secure home networks, can provide entry points for cybercriminals.”

She explained that this can lead to employees bringing in malware hiding on their laptops, waiting to move onto the corporate network.

Meanwhile, employees may have also added unknown software and applications to help them while working from home.

“While helpful at home, they could prove dubious once on the network,” she said. “In addition, IT teams will need to audit devices to ensure that all applications have been updated and patched as staff may have been lax on this while working from home.”

Schless added that traditional security training now has to expand to cover all devices, including smartphones and tablets, as well as every SaaS, IaaS and private app those employees can access.

“In the employee’s eyes, they just want to get access to the data they need to get their job done, regardless of where it resides or how they get it,” he said. “Helping them understand the risks involved and safe practices in doing so is incredibly difficult.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
