
How organisations can detect and respond to compromised employee identities

By Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint

Identity theft is a growing threat in today’s digital landscape. Threat actors understand that people hold access to an organisation’s most critical data, and that many can easily be tricked into unknowingly putting the security of their organisation in jeopardy.

Many of today’s attacks, including ransomware, rely on compromised identities. Instead of hacking in through technical controls, threat actors now realise it’s more effective to steal credentials and log in. Unfortunately, due to the hard-to-detect nature of these attacks, most organisations are unaware of this risk.

It usually begins with stealing access details from one employee, then moving to compromising servers and endpoints, and downloading sensitive organisational data. When an attacker first lands on a host, it’s very rarely their end target, so they must escalate privilege, and move laterally to achieve their objectives.

When looking at this growing security risk, it’s important for organisations to remember that email remains the most common point of entry for cybercriminals, regardless of their end goal. Proofpoint’s 2023 State of the Phish report revealed that among the UAE organisations that experienced an attempted phishing attack in 2022, 86% of these were successful. Of these successful attacks, 26% resulted in credential theft and/or account compromise, where employees inadvertently expose their credentials, giving threat actors access to sensitive data and their business accounts. In addition, 64% of UAE organisations experienced an attempted email-based ransomware attack in the past year, with 70% suffering a successful infection.

To add to this challenge, Proofpoint data shows 28% of employees in the UAE re-use passwords for multiple work-related accounts, which can in turn jeopardise all related accounts if just one is compromised. Risky employee actions such as this can prove problematic for organisations. In fact, 72% of UAE organisations reported they have experienced data loss due to an insider’s action in 2022 (and not all insider actions are malicious).

To combat the growing challenge of compromised employee identities, organisations must look at the entire attack chain as part of an effective threat protection strategy.

The first step is to stop the initial compromise in the first place. This is where a robust email security strategy is crucial. Whether through Business Email Compromise (BEC) attacks, cloud account takeover or cybercriminals using trusted third parties to compromise the organisation through their supplier, an initial email can lead to compromise. Attackers often pose as someone their victims trust and trick them into making fraudulent financial payments. These can include gift card scams, payment redirect, and supplier invoicing fraud. After initial compromise, they have access to your domain, giving them access to email accounts and the ability to commit fraud.

Through a technical combination of email gateway rules, advanced threat analysis, email authentication, and visibility into cloud applications, organisations can block the majority of targeted attacks before they reach employees.

Organisations must also implement technology to identify and respond to compromised users and remove what attackers need to complete their crime: privileged account access. A unique approach to identity threat detection and response (ITDR) will help organisations remediate privileged identity risks and understand the potential ramifications of compromise, such as access to critical data and intellectual property.

However, as with all threats, a combination of people, process and technology is crucial. Security is a shared responsibility, and people at all levels within an organisation must be empowered enough to understand security and the risky behaviours that can lead to breaches.

According to Proofpoint data, over 99% of cyber threats require human interaction to be successful. When people are that vital to an attack, they need to be a vital part of an organisation’s defence. Training and awareness programs are crucial, but one size does not fit all. Organisations must ensure that the programs are tailored to the user – so they must be relevant to their work and personal lives.

Organisations in the UAE stand out in this regard. According to Proofpoint’s 2023 State of the Phish report, 74% of UAE organisations train employees on security topics that explicitly target their organisation, which is higher than the 14 other countries in the study. Further, 64% of UAE organisations train ALL of their employees. This is very encouraging but organisations must remember that cyber awareness and training is an ongoing program rather than a one-off check-the-box exercise to prevent future attacks.

Cybercriminals spend day and night trying to penetrate your networks, systems, and data. The least we can do is make them work a little harder.
