October 2, 2019, by Mike Elgan

Let’s talk about the “people problem.” Cybersecurity defenses and cyberattack methods are evolving rapidly, but human beings, not so much. This is why nearly all cyberattacks are now based on exploiting human nature.

This month, Proofpoint made the stunning claim that more than 99 percent of attacks observed by their researchers required human interaction. These social engineering interactions include clicking a link, opening a document, enabling a macro, opening a file and others. Of course, security and IT specialists need to focus on perimeter defenses, patching vulnerabilities and myriad other systems for digital defense. But how do you stop users from holding the door open for cyberattacks?

For criminals, targeting people makes sense. It’s faster, easier and more profitable than targeting systems. Attackers exploit human nature with diversionary tactics, such as creating a false sense of urgency or impersonating trusted people. And, of course, individual people with different personalities vary on the degree to which they may fall prey to social engineering manipulation.

Attackers are going after low-hanging fruit, too. So-called “very attacked people” and their email addresses are typically available on company websites and social media, or are easily discoverable via web search. Favored targets include education, finance, advertising and marketing companies, but criminals are also exploiting industries with complex supply chains, such as the automotive industry.

Why Good People Make Bad Security Choices

One problem, unsurprisingly, is that many employees in your organization simply don’t know enough about how social engineering attacks work to defend themselves. This problem is exacerbated by the dynamism of social engineering methods; they’re constantly changing, and users (who have other things to focus on) simply can’t keep up.

Part of the reason is that they’re undertrained. According to Chubb’s “Cyber Risk Survey 2019,” less than one-third (31 percent) of employees receive annual, companywide training from their organizations.

A lack of knowledge and awareness among the people in your organization is one problem. The opposite is also a problem. Because of the frequency and intensity of attempted cyberattacks that exploit human nature, cyberattack fatigue can set in, where users grow resigned and impassive about security.

Cyberattack fatigue is extremely common, and tends to result from users feeling overwhelmed by the challenge of cybersecurity. They feel like cybersecurity is beyond their control, so they develop a sense of fatalism and stop trying. Users might use the same bad password for multiple accounts, click on random attachments and generally act like they don’t know better.

Attackers can also profit from the prevalence of decision fatigue, whereby after making hundreds of decisions all day, employees tend to stop caring so much about making the right decision. Sometimes attackers specifically launch attacks late in the workday for this reason.

How to Build a More Secure User

It’s tempting to see rank-and-file employees as the problem — but it’s better to see them as part of the solution. It’s also tempting to take away their ability to make bad choices, to restrict what they can do. However, it’s often better to empower them with the knowledge and the tools to make good choices.

Here are some steps your organization can take to turn the people problem into the people solution:

  • Take a people-centered and holistic approach to cybersecurity that combines effective security awareness training with better user tools. Focus on empowering users to take control of their own ability to avoid risky security behavior, and to feel like a partner with IT in preventing cyberattacks.
  • Identify, and focus on, the very attacked people in your organization. Do the same kind of research threat actors are doing by searching for the people associated with your organization on search engines and social media, and collect all the email addresses listed on your organization’s website. Assume these email addresses are going to be heavily exploited targets. Raise urgency and awareness by occasionally contacting very attacked people in your organization and letting them know they are targets.
  • Pay special attention to emails that contain words in the subject line commonly used by attackers, such as “payment” and “urgent.” Track trends in social engineering attacks and employ that knowledge in both training and monitoring.
  • Keep cybersecurity training fresh and interesting to maintain the interest of users. Conduct simulated red team attacks, which not only raise awareness, but psychologically gamify cybersecurity, inspiring users to rise to the challenge of acting as a partner in the organization’s security defenses.
  • Create security awareness training around not only past and current threats, but also future ones, such as the coming wave of deepfake audio attacks. It’s only a matter of time before phone-based social engineering attacks will involve impersonated leaders in individual organizations — say, the CEO — requesting passwords and other compromising information.
  • Reduce the attack surface by implementing an application whitelisting system that allows only known and approved applications to run.
  • Give users the tools they need to avoid security mistakes. For example, provide secure file transfer alternatives to email attachments, such as enterprise file sync and share (EFSS) tools and stronger encryption tools.
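As an added example (not code from the article or its author), here is a small triage script for the monitoring heuristics above: it scans constructed mail-log lines for the urgency subject-line terms the article names, flags senders from outside the organization's domain, and notes messages sent late in the workday. The log format, the sample messages, the internal domain `example.com`, the extra keywords beyond "payment", "urgent" and "password", and the 16:00 cutoff are all assumptions made for the example.

```python
"""Subject-line and timing triage for inbound mail (added example, constructed data)."""
import re
from datetime import datetime

# Terms the article says attackers favor ("payment", "urgent", "password");
# the remaining entries are assumed additions to seed your own trend tracking.
URGENCY_TERMS = {"payment", "urgent", "password", "invoice", "wire", "immediately"}
INTERNAL_DOMAIN = "example.com"   # assumed; replace with your organization's domain
LATE_WORKDAY_HOUR = 16            # assumed cutoff: 16:00 local time onward

# Constructed log lines in the format "<ISO timestamp>|<from>|<to>|<subject>"
SAMPLE_LOG = """\
2019-10-02T09:12:00|hr@example.com|alice@example.com|Q4 benefits enrollment
2019-10-02T16:48:00|ceo@examp1e.com|alice@example.com|URGENT: payment needed today
2019-10-02T17:05:00|vendor@partner.net|bob@example.com|Invoice 4471 attached
2019-10-02T11:30:00|bob@example.com|alice@example.com|Lunch?"""


def score_message(line: str) -> dict:
    """Parse one log line and return its fields plus the triage reasons it triggers."""
    ts, sender, recipient, subject = line.split("|", 3)
    reasons = []
    words = set(re.findall(r"[a-z]+", subject.lower()))
    hits = sorted(words & URGENCY_TERMS)
    if hits:
        reasons.append("urgency terms: " + ", ".join(hits))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain != INTERNAL_DOMAIN:
        reasons.append(f"external sender domain: {sender_domain}")
    hour = datetime.fromisoformat(ts).hour
    if hour >= LATE_WORKDAY_HOUR:
        reasons.append(f"sent late in the workday ({hour:02d}:00+)")
    return {"recipient": recipient, "subject": subject,
            "score": len(reasons), "reasons": reasons}


def triage(log_text: str, min_score: int = 2) -> list:
    """Return messages with at least min_score reasons, highest score first."""
    scored = (score_message(line) for line in log_text.splitlines() if line.strip())
    flagged = [m for m in scored if m["score"] >= min_score]
    return sorted(flagged, key=lambda m: m["score"], reverse=True)


if __name__ == "__main__":
    for m in triage(SAMPLE_LOG):
        print(m["score"], m["recipient"], repr(m["subject"]), "->", "; ".join(m["reasons"]))
```

Feed the flagged recipients into awareness follow-ups rather than blocking on score alone; the heuristics are meant to prioritize attention, not to make a verdict.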

It’s a fact of life that nearly all cyberattacks attempted against your organization will be enabled by human interaction. The attack surface is substantially made out of people, and that means your defense should also be substantially made out of people. Start today by getting everyone more involved, empowered and provisioned.
