Let’s talk about the “people problem.” Cybersecurity defenses and cyberattack methods are evolving rapidly, but human beings, not so much. This is why nearly all cyberattacks are now based on exploiting human nature.

This month, Proofpoint made the stunning claim that more than 99 percent of attacks observed by their researchers required human interaction. These social engineering interactions include clicking a link, opening a document, enabling a macro, opening a file and others. Of course, security and IT specialists need to focus on perimeter defenses, patching vulnerabilities and myriad other systems for digital defense. But how do you stop users from holding the door open for cyberattacks?

For criminals, targeting people makes sense. It’s faster, easier and more profitable than targeting systems. Attackers exploit human nature with diversionary tactics, such as creating a false sense of urgency or impersonating trusted people. And, of course, individual people with different personalities vary on the degree to which they may fall prey to social engineering manipulation.

Attackers are going after low-hanging fruit, too. So-called “very attacked people” and their email addresses are typically available on company websites and social media, or are easily discoverable via web search. Favored targets include education, finance, advertising and marketing companies, but criminals are also exploiting industries with complex supply chains, such as the automotive industry.

Why Good People Make Bad Security Choices

One problem, unsurprisingly, is that many employees in your organization simply don’t know enough about how social engineering attacks work to defend themselves. This problem is exacerbated by the dynamism of social engineering methods; they’re constantly changing, and users (who have other things to focus on) simply can’t keep up.

Part of the reason is that they’re undertrained. According to Chubb’s “Cyber Risk Survey 2019,” less than one-third (31 percent) of employees receive annual, companywide training from their organizations.

A lack of knowledge and awareness among the people in your organization is one problem. The opposite is also a problem. Because of the frequency and intensity of attempted cyberattacks that exploit human nature, cyberattack fatigue can set in, where users grow resigned and impassive about security.

Cyberattack fatigue is extremely common, and tends to result from users feeling overwhelmed by the challenge of cybersecurity. They feel like cybersecurity is beyond their control, so they develop a sense of fatalism and stop trying. Users might use the same bad password for multiple accounts, click on random attachments and generally act like they don’t know better.

Attackers can also profit from the prevalence of decision fatigue, whereby after making hundreds of decisions all day, employees tend to stop caring so much about making the right decision. Sometimes attackers specifically launch attacks late in the workday for this reason.

How to Build a More Secure User

It’s tempting to see rank-and-file employees as the problem — but it’s better to see them as part of the solution. It’s also tempting to take away their ability to make bad choices, to restrict what they can do. However, it’s often better to empower them with the knowledge and the tools to make good choices.

Here are some steps your organization can take to turn the people problem into the people solution:

  • Take a people-centered and holistic approach to cybersecurity that involves effective security awareness training combined with better user tools. Focus on empowering users to take control of their own ability to avoid cybersecurity malpractice, and to feel like a partner with IT in preventing cyberattacks.
  • Identify, and focus on, the very attacked people in your organization. Do the same kind of research threat actors are doing by searching for the people associated with your organization on search engines and social media, and collect all the email addresses listed on your organization’s website. Assume these email addresses are going to be heavily exploited targets. Raise urgency and awareness by occasionally contacting very attacked people in your organization and letting them know they are targets.
  • Pay special attention to emails that contain words in the subject line commonly used by attackers, such as “payment” and “urgent.” Track trends in social engineering attacks and employ that knowledge in both training and monitoring.
  • Keep cybersecurity training fresh and interesting to maintain the interest of users. Conduct simulated red team attacks, which not only raise awareness, but psychologically gamify cybersecurity, inspiring users to rise to the challenge of acting as a partner in the organization’s security defenses.
  • Create security awareness training around not only past and current threats, but also future ones, such as the coming wave of deepfake audio attacks. It’s only a matter of time before phone-based social engineering attacks will involve impersonated leaders in individual organizations — say, the CEO — requesting passwords and other compromising information.
  • Reduce the attack surface by implementing an application whitelisting system that enables only known and approved applications.
  • Give users the tools they need to avoid security mistakes. For example, provide secure file transfer alternatives to email attachments, such as enterprise file sync and share (EFSS) tools and stronger encryption tools.

It’s a fact of life that nearly all cyberattacks attempted against your organization will be enabled by human interaction. The attack surface is substantially made out of people, and that means your defense should also be substantially made out of people. Start today by getting everyone more involved, empowered and provisioned.

More from Data Protection

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Advanced analytics can help detect insider threats rapidly

2 min read - While external cyber threats capture headlines, the rise of insider threats from within an organization is a growing concern. In 2023, the average cost of a data breach caused by an insider reached $4.90 million, 9.6% higher than the global average data breach cost of $4.45 million. To effectively combat this danger, integrating advanced analytics into data security software has become a critical and proactive defense strategy. Understanding insider threats Insider threats come from users who abuse authorized access to…

One simple way to cut ransomware recovery costs in half

4 min read - Whichever way you look at the data, it is considerably cheaper to use backups to recover from a ransomware attack than to pay the ransom. The median recovery cost for those that use backups is half the cost incurred by those that paid the ransom, according to a recent study. Similarly, the mean recovery cost is almost $1 million lower for those that used backups. Despite this fact, the use of backups is actually falling. This was one of the…