Recently, SecurityAdvisor published a research report entitled, “2021 Report: Human Risk in Cybersecurity,” based on the analysis of more than 500,000 malicious emails targeting senior leaders, mid-managers, and entry-level employees, as well as IT, finance, human resources, and legal teams. A large portion of these attacks utilized various psychological tricks to fool retail workers – including administrators and in-store staff – into sharing credentials and other sensitive information, including payment information. Cybercriminals have noticeably increased their efforts to steal corporate data, as evidenced by a new report that shows malware increased by 358% and ransomware by 435% in 2020. The rise in malicious activity is a contributing factor in Cybercrime Magazine’s prediction that cybercrime will cost businesses $10.5 trillion by 2025.
Although all industries and organizations can fall victim to cyberattacks, retail organizations are often targeted because of their access to large amounts of payment information and their decentralized workplace. Cybercriminals focus their efforts on employees rather than attempting to discover a critical vulnerability within an organization’s tech stack. Office workers and frontline employees are susceptible to various psychological tricks due to stress, distractions, or even boredom if brick-and-mortar locations have low foot traffic.
Our team discovered that the three most common tactics hackers use against retail employees are:
- Halo Effect: Refers to the tendency of an individual to have a positive impression of a person, company, brand, product, or service. In this type of attack, a cybercriminal pretends to be a trusted entity known to the target individual, such as Microsoft or other software vendors the organization uses.
- Curiosity Bias Also referred to as the Pandora effect, taken from the Greek mythology of Pandora’s box based on humans’ inherent desire to resolve uncertainty. When facing something uncertain, they will act to resolve the uncertainty even if they expect negative consequences. This included emails urging targets to register for virtual conferences or to take advantage of a special offer.
- Hyperbolic Discounting: This bias refers to the inclination to choose immediate rewards over rewards that come later or a “too good to be true” deal. Hospitality employees frequently receive email offers for discounted services for “a limited time.”
CISOs must match their adversaries’ focus on workers to prevent data breaches. Improving employees’ ability to identify and remediate sophisticated cyberattacks is vital. Surveying the workforce is a great way to understand the human element of an organization’s security posture, including identifying high-risk users. Once these gaps in security knowledge are identified, the organization can close them with a layered approach that incorporates technology and coaching.
Generic security training is proven ineffective, so security leaders should take a personalized coaching approach to education that aligns with workers’ schedules. Many retail workers have non-traditional schedules, so gathering everyone in a room during the day likely isn’t possible. Instead, organizations should deliver contextual learning content to workers – both administrative and frontline – based on their real-life online behavior. These “teachable moments” enhance employees’ ability to retain knowledge without asking them to disrupt their workday. Sharing consistent, positive feedback with individuals generates positive online behavior changes over time.
Retailers must understand the value of their customers’ financial information to cybercriminals and implement a sound security strategy to prevent breaches. Data breaches lead to compliance fines, erode customer trust, and have other harmful long-term effects on the brand. An organization’s main line of defense lies in its employees’ ability to identify and remediate cyberattacks efficiently.
Download the report to learn more.
