Each October, Cybersecurity Awareness Month reminds companies of all sizes that their cybersecurity posture must be a priority in a world plagued by cyberattacks and malicious cybercriminals targeting vulnerable enterprises. According to a recent study, only 50% of small U.S. businesses have a cybersecurity plan in place, 32% haven’t changed their cybersecurity plan since the pandemic popularized remote and hybrid operations, and fewer than half of businesses feel that they are financially prepared to handle a cyberattack in 2022. Additionally, 20% of cyberattacks in 2022 are a result of social engineering.
This year’s theme for Cybersecurity Awareness Month was “See Yourself in Cyber” — highlighting that while cybersecurity may seem like a complex subject, ultimately, it’s really all about the people. Keeping this theme in mind, we as an industry need to understand and acknowledge that in order to protect against targeted attacks that organizations continue to experience in a time of remote and hybrid work and ever-evolving phishing tactics, companies must take the first step by protecting their employees’ web browsers.
Browsers have become the main work and productivity application for today’s employees. The growth of remote work is driving the increased use of browsers for business tasks. Globally, 16% of companies are fully remote, while about 62% of workers aged 22 to 65 claim to work remotely at least occasionally, according to a recent study. Policy infringements by employees and attacks by hackers have turned the browser into the most serious threat to businesses. Organizations should prioritize securing their employees’ browsers against exploits (including zero-days), social engineering attacks (including spear phishing), exploitation of web application vulnerabilities (such as CSRF and XSS), and other web-based attacks. Web application attacks alone are involved in 26% of all breaches, making them an extremely popular attack vector.
The wrong link can compromise a browser, allowing the attacker to steal sensitive data without needing access to your machine or network. To determine whether a website or link is trustworthy, businesses also need to be able to examine the structure and behavior of web pages. Businesses require a system that enables them to analyze real-time telemetry in order to detect and prevent threats without depending on any external feeds. Recently, we have seen countless organizations targeted with phishing tactics distributing malicious links, including the Microsoft Sway phishing attempt, and election workers in Arizona and Pennsylvania faced with an onslaught of malicious emails earlier this month. Companies also need to be aware of “browser in the browser” attacks, which make phishing almost invisible.
In keeping with this year’s theme of people, neither a tool nor a high degree of education can stop a user from visiting a dangerous link; users can only be safe with the proper understanding of social engineering attacks and full protection of the browser.