Let’s talk about the “people problem.” Cybersecurity defenses and cyberattack methods are evolving rapidly, but human beings, not so much. This is why nearly all cyberattacks are now based on exploiting human nature.
This month, Proofpoint made the stunning claim that more than 99 percent of attacks observed by their researchers required human interaction. These social engineering interactions include clicking a link, opening a document, enabling a macro, opening a file and others. Of course, security and IT specialists need to focus on perimeter defenses, patching vulnerabilities and myriad other systems for digital defense. But how do you stop users from holding the door open for cyberattacks?
For criminals, targeting people makes sense. It’s faster, easier and more profitable than targeting systems. Attackers exploit human nature with diversionary tactics, such as creating a false sense of urgency or impersonating trusted people. And, of course, individual people with different personalities vary on the degree to which they may fall prey to social engineering manipulation.
Attackers are going after low-hanging fruit, too. So-called “very attacked people” and their email addresses are typically available on company websites and social media, or are easily discoverable via web search. Favored targets include education, finance, advertising and marketing companies, but criminals are also exploiting industries with complex supply chains, such as the automotive industry.
Why Good People Make Bad Security Choices
One problem, unsurprisingly, is that many employees in your organization simply don’t know enough about how social engineering attacks work to defend themselves. This problem is exacerbated by the dynamism of social engineering methods; they’re constantly changing, and users (who have other things to focus on) simply can’t keep up.
Part of the reason is that they’re undertrained. According to Chubb’s “Cyber Risk Survey 2019,” less than one-third (31 percent) of employees receive annual, companywide training from their organizations.
A lack of knowledge and awareness among the people in your organization is one problem. The opposite is also a problem. Because of the frequency and intensity of attempted cyberattacks that exploit human nature, cyberattack fatigue can set in, where users grow resigned and impassive about security.
Cyberattack fatigue is extremely common, and tends to result from users feeling overwhelmed by the challenge of cybersecurity. They feel like cybersecurity is beyond their control, so they develop a sense of fatalism and stop trying. Users might use the same bad password for multiple accounts, click on random attachments and generally act like they don’t know better.
Attackers can also profit from the prevalence of decision fatigue, whereby after making hundreds of decisions all day, employees tend to stop caring so much about making the right decision. Sometimes attackers specifically launch attacks late in the workday for this reason.
How to Build a More Secure User
It’s tempting to see rank-and-file employees as the problem — but it’s better to see them as part of the solution. It’s also tempting to take away their ability to make bad choices, to restrict what they can do. However, it’s often better to empower them with the knowledge and the tools to make good choices.
Here are some steps your organization can take to turn the people problem into the people solution:
- Take a people-centered and holistic approach to cybersecurity that involves effective security awareness training combined with better user tools. Focus on empowering users to take control of their own ability to avoid cybersecurity malpractice, and to feel like a partner with IT in preventing cyberattacks.
- Identify, and focus on, the very attacked people in your organization. Do the same kind of research threat actors are doing by searching for the people associated with your organization on search engines and social media, and collect all the email addresses listed on your organization’s website. Assume these email addresses are going to be heavily exploited targets. Raise urgency and awareness by occasionally contacting very attacked people in your organization and letting them know they are targets.
- Pay special attention to emails that contain words in the subject line commonly used by attackers, such as “payment” and “urgent.” Track trends in social engineering attacks and employ that knowledge in both training and monitoring.
- Keep cybersecurity training fresh and interesting to maintain the interest of users. Conduct simulated red team attacks, which not only raise awareness, but psychologically gamify cybersecurity, inspiring users to rise to the challenge of acting as a partner in the organization’s security defenses.
- Create security awareness training around not only past and current threats, but also future ones, such as the coming wave of deepfake audio attacks. It’s only a matter of time before phone-based social engineering attacks will involve impersonated leaders in individual organizations — say, the CEO — requesting passwords and other compromising information.
- Reduce the attack surface by implementing an application whitelisting system that enables only known and approved applications.
- Give users the tools they need to avoid security mistakes. For example, provide secure file transfer alternatives to email attachments, such as enterprise file sync and share (EFSS) tools and stronger encryption tools.
It’s a fact of life that nearly all cyberattacks attempted against your organization will be enabled by human interaction. The attack surface is substantially made out of people, and that means your defense should also be substantially made out of people. Start today by getting everyone more involved, empowered and provisioned.
I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...