Let’s talk about the “people problem.” Cybersecurity defenses and cyberattack methods are evolving rapidly, but human beings, not so much. This is why nearly all cyberattacks are now based on exploiting human nature.

This month, Proofpoint made the stunning claim that more than 99 percent of attacks observed by their researchers required human interaction. These social engineering interactions include clicking a link, opening a document, enabling a macro, opening a file and others. Of course, security and IT specialists need to focus on perimeter defenses, patching vulnerabilities and myriad other systems for digital defense. But how do you stop users from holding the door open for cyberattacks?

For criminals, targeting people makes sense. It’s faster, easier and more profitable than targeting systems. Attackers exploit human nature with diversionary tactics, such as creating a false sense of urgency or impersonating trusted people. And, of course, individual people with different personalities vary on the degree to which they may fall prey to social engineering manipulation.

Attackers are going after low-hanging fruit, too. So-called “very attacked people” and their email addresses are typically available on company websites and social media, or are easily discoverable via web search. Favored targets include education, finance, advertising and marketing companies, but criminals are also exploiting industries with complex supply chains, such as the automotive industry.

Why Good People Make Bad Security Choices

One problem, unsurprisingly, is that many employees in your organization simply don’t know enough about how social engineering attacks work to defend themselves. This problem is exacerbated by the dynamism of social engineering methods; they’re constantly changing, and users (who have other things to focus on) simply can’t keep up.

Part of the reason is that they’re undertrained. According to Chubb’s “Cyber Risk Survey 2019,” less than one-third (31 percent) of employees receive annual, companywide training from their organizations.

A lack of knowledge and awareness among the people in your organization is one problem. The opposite is also a problem. Because of the frequency and intensity of attempted cyberattacks that exploit human nature, cyberattack fatigue can set in, where users grow resigned and impassive about security.

Cyberattack fatigue is extremely common, and tends to result from users feeling overwhelmed by the challenge of cybersecurity. They feel like cybersecurity is beyond their control, so they develop a sense of fatalism and stop trying. Users might use the same bad password for multiple accounts, click on random attachments and generally act like they don’t know better.

Attackers can also profit from the prevalence of decision fatigue, whereby after making hundreds of decisions all day, employees tend to stop caring so much about making the right decision. Sometimes attackers specifically launch attacks late in the workday for this reason.

How to Build a More Secure User

It’s tempting to see rank-and-file employees as the problem — but it’s better to see them as part of the solution. It’s also tempting to take away their ability to make bad choices, to restrict what they can do. However, it’s often better to empower them with the knowledge and the tools to make good choices.

Here are some steps your organization can take to turn the people problem into the people solution:

  • Take a people-centered and holistic approach to cybersecurity that involves effective security awareness training combined with better user tools. Focus on empowering users to take control of their own ability to avoid cybersecurity malpractice, and to feel like a partner with IT in preventing cyberattacks.
  • Identify, and focus on, the very attacked people in your organization. Do the same kind of research threat actors are doing by searching for the people associated with your organization on search engines and social media, and collect all the email addresses listed on your organization’s website. Assume these email addresses are going to be heavily exploited targets. Raise urgency and awareness by occasionally contacting very attacked people in your organization and letting them know they are targets.
  • Pay special attention to emails that contain words in the subject line commonly used by attackers, such as “payment” and “urgent.” Track trends in social engineering attacks and employ that knowledge in both training and monitoring.
  • Keep cybersecurity training fresh and interesting to maintain the interest of users. Conduct simulated red team attacks, which not only raise awareness, but psychologically gamify cybersecurity, inspiring users to rise to the challenge of acting as a partner in the organization’s security defenses.
  • Create security awareness training around not only past and current threats, but also future ones, such as the coming wave of deepfake audio attacks. It’s only a matter of time before phone-based social engineering attacks will involve impersonated leaders in individual organizations — say, the CEO — requesting passwords and other compromising information.
  • Reduce the attack surface by implementing an application whitelisting system that allows only known and approved applications to run, so that a user who is tricked into opening a malicious file cannot launch it.
  • Give users the tools they need to avoid security mistakes. For example, provide secure file transfer alternatives to email attachments, such as enterprise file sync and share (EFSS) tools and stronger encryption tools.
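The second and third recommendations above (know who your very attacked people are, and watch subject lines for the lure words attackers favor) can be turned into a simple monitoring rule. The following is an added example, not code from the original article or from any product it mentions: it scores constructed mail-log records against a small lure-word list, weights the score when the sender is external or the recipient is on the organization's very-attacked-people list, and tallies which lure words are trending so training can follow the attackers' current themes. The organization domain, the people on the list and the extra lure terms beyond "payment" and "urgent" are all assumptions made up for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Lure words seen in social-engineering subject lines. "payment" and "urgent"
# come from the article; the remaining terms and their weights are assumptions.
LURE_TERMS = {
    "payment": 2,
    "urgent": 2,
    "wire transfer": 2,
    "invoice": 1,
    "overdue": 1,
    "action required": 1,
    "password": 1,
}

# Hypothetical organization domain and its very attacked people (VAPs).
# In practice this list comes from the research step the article describes.
INTERNAL_DOMAIN = "example.com"
VERY_ATTACKED_PEOPLE = {"cfo@example.com", "ap@example.com"}


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str


def lure_hits(subject):
    """Return the lure terms present in a subject line (case-insensitive, whole words)."""
    text = subject.lower()
    return [t for t in LURE_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text)]


def score_message(msg):
    """Weighted risk score: lure words, plus bonuses for external sender and VAP recipient."""
    score = sum(LURE_TERMS[t] for t in lure_hits(msg.subject))
    if score == 0:
        return 0  # no lure words: nothing to escalate
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != INTERNAL_DOMAIN:
        score += 1  # lure words from outside the organization are more suspicious
    if msg.recipient.lower() in VERY_ATTACKED_PEOPLE:
        score += 2  # attackers concentrate on the people they can find easily
    return score


def triage(messages, threshold=3):
    """Return (flagged, trend): messages at or above threshold, highest first,
    and a Counter of lure-term frequency across all messages for trend tracking."""
    flagged = []
    trend = Counter()
    for msg in messages:
        trend.update(lure_hits(msg.subject))
        score = score_message(msg)
        if score >= threshold:
            flagged.append((score, msg))
    flagged.sort(key=lambda item: -item[0])
    return flagged, trend


# Constructed sample mail-log records for the hypothetical organization.
SAMPLE_MESSAGES = [
    Message("billing@vendor-mail.test", "ap@example.com",
            "URGENT: overdue payment - action required"),
    Message("hr@example.com", "alice@example.com", "Payment schedule for Q3"),
    Message("it-support@mail-notify.test", "cfo@example.com",
            "Your password expires today"),
    Message("bob@example.com", "alice@example.com", "Lunch tomorrow?"),
]

if __name__ == "__main__":
    flagged, trend = triage(SAMPLE_MESSAGES)
    for score, msg in flagged:
        print(f"[score {score}] {msg.sender} -> {msg.recipient}: {msg.subject!r}")
    print("lure-term trend:", dict(trend))
```

The internal "Payment schedule" message scores below the threshold, which is the point of the weighting: a bare keyword match on "payment" would bury the security team in false positives, whereas the same word arriving from outside and aimed at accounts payable is worth a warning banner or a second look. The trend counter feeds the "track trends" half of the recommendation, showing which lures are currently most common so the next awareness session can use real examples.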

It’s a fact of life that nearly all cyberattacks attempted against your organization will be enabled by human interaction. The attack surface is substantially made out of people, and that means your defense should also be substantially made out of people. Start today by getting everyone more involved, empowered and provisioned.
