October 2, 2019 By Mike Elgan 3 min read

Let’s talk about the “people problem.” Cybersecurity defenses and cyberattack methods are evolving rapidly, but human beings, not so much. This is why nearly all cyberattacks are now based on exploiting human nature.

This month, Proofpoint made the stunning claim that more than 99 percent of the attacks observed by its researchers required human interaction: clicking a link, opening a document or other attachment, enabling a macro and so on. Of course, security and IT specialists still need to focus on perimeter defenses, patching vulnerabilities and myriad other technical controls. But how do you stop users from holding the door open for attackers?

For criminals, targeting people makes sense. It's faster, easier and more profitable than targeting systems. Attackers exploit human nature with diversionary tactics, such as creating a false sense of urgency or impersonating trusted people. Individuals also vary, by personality, in how susceptible they are to this kind of manipulation.

Attackers are going after low-hanging fruit, too. So-called "very attacked people" (VAPs) and their email addresses are typically listed on company websites and social media, or are easily discoverable via web search. Favored targets include organizations in education, finance, advertising and marketing, but criminals are also exploiting industries with complex supply chains, such as automotive.

Why Good People Make Bad Security Choices

One problem, unsurprisingly, is that many employees in your organization simply don't know enough about how social engineering attacks work to defend themselves. The problem is exacerbated by the fact that social engineering methods change constantly, and users, who have other things to focus on, simply can't keep up.

Part of the reason is that they’re undertrained. According to Chubb’s “Cyber Risk Survey 2019,” less than one-third (31 percent) of employees receive annual, companywide training from their organizations.

A lack of knowledge and awareness among the people in your organization is one problem. The opposite is also a problem. Because of the frequency and intensity of attempted cyberattacks that exploit human nature, cyberattack fatigue can set in, where users grow resigned and impassive about security.

Cyberattack fatigue is extremely common, and tends to result from users feeling overwhelmed by the challenge of cybersecurity. They feel like cybersecurity is beyond their control, so they develop a sense of fatalism and stop trying. Users might use the same bad password for multiple accounts, click on random attachments and generally act like they don’t know better.

Attackers can also profit from decision fatigue: after making hundreds of decisions over the course of a day, employees tend to stop caring so much about getting the next one right. Some attackers deliberately time their attacks for late in the workday for exactly this reason.

How to Build a More Secure User

It’s tempting to see rank-and-file employees as the problem — but it’s better to see them as part of the solution. It’s also tempting to take away their ability to make bad choices, to restrict what they can do. However, it’s often better to empower them with the knowledge and the tools to make good choices.

Here are some steps your organization can take to turn the people problem into the people solution:

  • Take a people-centered and holistic approach to cybersecurity that combines effective security awareness training with better user tools. Focus on empowering users to take control of their own risky behavior and to feel like partners with IT in preventing attacks.
  • Identify, and focus on, the very attacked people in your organization. Do the same research threat actors are doing: search for the people associated with your organization on search engines and social media, and collect all the email addresses listed on your organization's website. Assume these addresses will be heavily targeted. Raise urgency and awareness by occasionally contacting your very attacked people and letting them know they are targets.
  • Pay special attention to emails whose subject lines contain words attackers commonly use, such as "payment" and "urgent." Track trends in social engineering attacks and apply that knowledge in both training and monitoring.
  • Keep cybersecurity training fresh and interesting to hold users' attention. Run simulated attacks (red team exercises), which not only raise awareness but also gamify security, inspiring users to rise to the challenge of acting as partners in the organization's defenses.
  • Build security awareness training around not only past and current threats, but also future ones, such as the coming wave of deepfake audio attacks. It's only a matter of time before phone-based social engineering attacks involve impersonations of an organization's own leaders, say, the CEO, requesting passwords and other sensitive information.
  • Reduce the attack surface with application whitelisting (allowlisting), so that only known and approved applications can run. This limits what a malicious attachment or macro can do even after a user has opened it, though it does nothing against credential phishing, where no malicious code runs on the endpoint.
  • Give users the tools they need to avoid security mistakes. For example, provide secure file transfer alternatives to email attachments, such as enterprise file sync and share (EFSS) tools and stronger encryption tools.
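Two of the steps above, reconstructing the attacker's list of very attacked people from your own public web pages and prioritizing mail that carries urgency or payment lures, can be automated in a few dozen lines. The following is an added example written for this page; it is not code from the article or from Proofpoint. The team page, the two messages, the example.com domain and the people named in them are all constructed samples; "payment" and "urgent" come from the article, while the other lure words and the scoring weights are assumptions you would tune from your own incident data.

```python
"""Added example (not part of the article): recreate the attacker's view of an
organisation's "very attacked people" (VAPs) from a public web page, then use
that list to prioritise inbound mail carrying urgency/payment lures.
All inputs are constructed samples; example.com is a placeholder domain."""
from __future__ import annotations

import email
import re
from email.utils import getaddresses, parseaddr

# Constructed stand-in for a public "Our team" page that an attacker would scrape.
TEAM_PAGE_HTML = """
<h2>Leadership</h2>
<p>Dana Kim, CEO - <a href="mailto:dana.kim@example.com">dana.kim@example.com</a></p>
<p>Lee Osei, CFO - lee.osei@example.com</p>
<p>Accounts payable - <a href="mailto:ap@example.com">ap@example.com</a></p>
<p>Our partner: <a href="mailto:help@partner.example">help@partner.example</a></p>
"""

# "payment" and "urgent" come from the article; the rest are assumed additions
# typical of invoice/wire fraud lures and are meant to be tuned.
LURE_WORDS = ("urgent", "payment", "invoice", "wire", "immediately", "overdue")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_addresses(html: str, domain: str) -> set[str]:
    """Every address for `domain` exposed on the page: the attacker's VAP list."""
    return {m.lower() for m in EMAIL_RE.findall(html)
            if m.lower().endswith("@" + domain)}


def _name_key(text: str) -> str:
    """'Dana Kim' and 'dana.kim' both normalise to 'dana kim' for loose matching."""
    return " ".join(re.sub(r"[^a-z]+", " ", text.lower()).split())


def score_message(raw: str, vaps: set[str], domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher score means review first. Signals used:
    lure words in the subject, a VAP recipient, an external sender whose display
    name mimics a VAP (display-name impersonation) and a Reply-To domain that
    differs from the From domain (the classic reply-hijack)."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    rcpts = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    subject = msg.get("Subject", "")
    score, reasons = 0, []

    hits = [w for w in LURE_WORDS if w in subject.lower()]
    if hits:
        score += 2
        reasons.append("lure words in subject: " + ", ".join(hits))
    if rcpts & vaps:
        score += 2
        reasons.append("sent to VAP: " + ", ".join(sorted(rcpts & vaps)))
    external = not from_addr.endswith("@" + domain)
    vap_names = {_name_key(v.split("@")[0]) for v in vaps}
    if external and _name_key(from_name) in vap_names:
        score += 3
        reasons.append(f"external sender {from_addr} uses VAP name '{from_name}'")
    if reply_addr and reply_addr.split("@")[-1].lower() != from_addr.split("@")[-1]:
        score += 1
        reasons.append("Reply-To domain differs from From domain")
    return score, reasons


# Constructed messages: a CEO-impersonation wire lure and a benign internal note.
LURE = """From: "Dana Kim" <dana.kim@example-co.net>
To: lee.osei@example.com
Reply-To: dana.kim@mail.example
Subject: URGENT: payment needed before 5pm

Lee, are you at your desk? I need a wire processed today.
"""
BENIGN = """From: "Lee Osei" <lee.osei@example.com>
To: dana.kim@example.com
Subject: Q3 board deck draft

Attached for review.
"""


def triage(messages: list[str], html: str = TEAM_PAGE_HTML,
           domain: str = "example.com") -> list[tuple[int, list[str]]]:
    """Score each message against the VAP list harvested from `html`."""
    vaps = harvest_addresses(html, domain)
    return [score_message(m, vaps, domain) for m in messages]


if __name__ == "__main__":
    for raw, (score, why) in zip([LURE, BENIGN], triage([LURE, BENIGN])):
        print(score, email.message_from_string(raw)["Subject"], why)
```

Run as-is, the lure scores 8 (lure words, VAP recipient, CEO's name on an external address, mismatched Reply-To) and the benign internal note scores 2, only because its recipient is a VAP. The point of feeding the harvested VAP list into the scorer is that a mail to the CFO with "urgent" and "payment" in the subject lands at the top of the review queue, rather than in the same pile as every other keyword hit; in a real deployment you would pull recipients from mail-gateway logs and the VAP list from the same scrape an attacker would run against your site.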

It’s a fact of life that nearly all cyberattacks attempted against your organization will be enabled by human interaction. The attack surface is substantially made out of people, and that means your defense should also be substantially made out of people. Start today by getting everyone more involved, empowered and provisioned.
