The most common vulnerability (sitting in your chair right now)
How many times do you click something on an average day? For me, it’s likely in the thousands. This represents a massive, persistent, and frequently-exploited security gap: you.
Social engineering attacks are on the rise, especially highly-targeted ‘spear phishing’ aimed at SaaS super admins: CTOs, IT admins, and, as most recently seen in the Okta hack, customer support staff.
Hacker groups can easily search public repos for exposed credentials, or purchase compromised databases with target users’ email addresses. With the rise of AI-enabled tools like voice generators, translators, and LLMs, spear phishing attacks are getting cheaper, easier, and harder to spot.
While zero-day exploits are fascinating to read about, it’s far more likely that someone in your organization will be phished with something like a simple email that redirects to a compromised site controlled by a bad actor, and off your credentials go.
While I’ll never claim to have all the answers (anyone selling you an all-in-one guaranteed cybersecurity trick is also likely selling snake oil), the situation is not helpless.
To quote the phishing pioneer himself, Kevin Mitnick: “Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”
How to secure the weakest link, aka you:
- Invest in employee awareness training, continuous monitoring, and multi-factor authentication.
- Scrupulously enforce the principle of least privilege: if there’s a way for you to do your job without access to a system, you don’t need access to that system.
- Ensure your disaster recovery plans always include a platform-independent backup of all essential data, SaaS or otherwise.
You can’t stop your colleagues’ clicks, but improving your SaaS security posture limits the potential for damage to your data, and to your reputation.