The focus of cybercriminals has shifted again. At one point, it was easier for them to target unpatched networks or software. But these days, criminals just go straight for the people: exploit their weaknesses and grab what they’re looking for.
According to Verizon’s latest Data Breach Investigations Report (the 2018 edition), there were 53,308 security incidents, including 2,216 confirmed data breaches, 76% of which were financially motivated.
Employees are involved in the majority of these breaches: they often unknowingly help malware and other attacks spread within their organisations. 99% of attacks are said to require some element of human involvement, and 90% of attacks are said to arrive directly via email.
The human factor
Amongst the latest threats cited in Symantec’s 2019 Internet Security Threat Report, attacks on supply chains ballooned by 78% year-on-year. Meanwhile, ransomware shifted its sights from consumers to enterprises, where infections rose 12%. Social engineering played a big part in all this.
As a result, businesses urgently need to shift tactics to protect their people from attack, says Ryan Kalember, EVP, Cybersecurity Strategy at Proofpoint.
He says it’s easy for attackers to use Google to find out the person in an organisation who has the ability to move money or data, or access a specific system, and then target them.
What is needed is ‘people-centric security’, explains Kalember. This means working out who the cybercriminals are likely to attack in your organisation, and protecting and equipping them. These are your VAPs – your “Very Attacked Persons”. If you know who they are, you can work out your business risk, and protect them better.
He advises companies to understand, at a deeper level, the threats they face over email in particular, and map them back to individual people. You need to know which departments they work in, what their internal attachments are, and what they might have in the public domain, on LinkedIn for example, that could lead to them being targeted. After all, attackers will already know this, says Kalember.
You can then simulate phishing attempts on your staff, to measure your risk and see who falls for them; check their cloud accounts for login anomalies; and look at whether their email accounts are being used to attack other people, a common tactic of cybercriminals once an account has been compromised.
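The “login anomalies” mentioned above are easier to reason about with a concrete detector. The following is an added example, not code from the original article or from Proofpoint: it runs three simple checks over a small constructed sign-in log (a success from a country the user has never signed in from, “impossible travel” between two successes, and a burst of failures immediately followed by a success). The log format, the `KNOWN_COUNTRIES` baseline, the 900 km/h speed ceiling and the failure-burst thresholds are all assumptions chosen for the example.

```python
"""
Added example: flag suspicious cloud sign-ins from a constructed log.
Not from the original article or Proofpoint. Log format, baseline and
thresholds are assumptions for illustration.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (one sign-in per line, RFC 5737 documentation IPs):
# timestamp,user,result,country,ip,lat,lon
SAMPLE_LOG = """\
2019-05-06T08:01:00Z,cfo@example.com,success,GB,203.0.113.10,51.5074,-0.1278
2019-05-06T08:40:00Z,cfo@example.com,success,GB,203.0.113.10,51.5074,-0.1278
2019-05-06T09:12:00Z,cfo@example.com,success,NG,198.51.100.7,6.5244,3.3792
2019-05-06T09:30:00Z,hr@example.com,failure,US,192.0.2.45,40.7128,-74.0060
2019-05-06T09:31:00Z,hr@example.com,failure,US,192.0.2.45,40.7128,-74.0060
2019-05-06T09:32:00Z,hr@example.com,failure,US,192.0.2.45,40.7128,-74.0060
2019-05-06T09:33:00Z,hr@example.com,failure,US,192.0.2.45,40.7128,-74.0060
2019-05-06T09:34:00Z,hr@example.com,failure,US,192.0.2.45,40.7128,-74.0060
2019-05-06T09:35:00Z,hr@example.com,success,US,192.0.2.45,40.7128,-74.0060
2019-05-06T10:00:00Z,dev@example.com,success,DE,198.51.100.99,52.5200,13.4050
"""

# Assumed per-user baseline: countries each user has legitimately signed in from.
KNOWN_COUNTRIES = {
    "cfo@example.com": {"GB"},
    "hr@example.com": {"US"},
    "dev@example.com": {"DE", "GB"},
}

MAX_PLAUSIBLE_KMH = 900.0            # roughly airliner cruise speed
FAILURE_BURST = 3                    # this many failures ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window before a success


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ok: bool
    country: str
    ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def parse_log(text: str) -> list[SignIn]:
    """Parse the CSV-style log above into SignIn records (blank/comment lines skipped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, result, country, ip, lat, lon = line.split(",")
        events.append(SignIn(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            user=user, ok=(result == "success"), country=country, ip=ip,
            lat=float(lat), lon=float(lon)))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_anomalies(events: list[SignIn], known_countries: dict) -> list[Finding]:
    """Run the three detectors per user, in timestamp order."""
    findings: list[Finding] = []
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        baseline = set(known_countries.get(user, ()))
        last_ok: SignIn | None = None
        recent_failures: list[datetime] = []
        for e in evs:
            if not e.ok:
                recent_failures.append(e.ts)
                continue
            # 1. Success from a country this user has never used before.
            if e.country not in baseline:
                findings.append(Finding(user, "new_country",
                                        f"success from {e.country} ({e.ip}); baseline {sorted(baseline)}"))
            # 2. Impossible travel: too far, too fast, since the previous success.
            if last_ok is not None:
                km = haversine_km(last_ok.lat, last_ok.lon, e.lat, e.lon)
                hours = (e.ts - last_ok.ts).total_seconds() / 3600
                if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    findings.append(Finding(user, "impossible_travel",
                                            f"{km:.0f} km in {hours * 60:.0f} min from {last_ok.country} to {e.country}"))
            # 3. Burst of failures inside the window, then a success (guessing/spraying that worked).
            burst = [t for t in recent_failures if t >= e.ts - BURST_WINDOW]
            if len(burst) >= FAILURE_BURST:
                findings.append(Finding(user, "failures_then_success",
                                        f"{len(burst)} failures in the {BURST_WINDOW} before success from {e.ip}"))
            recent_failures.clear()
            last_ok = e
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG), KNOWN_COUNTRIES):
        print(f"{f.user:18} {f.kind:22} {f.detail}")
```

On the constructed log this flags the CFO’s Lagos sign-in twice (new country, and about 5,000 km in 32 minutes since the London session) and the HR account’s success after five rapid failures, while the developer’s sign-in from a baseline country is left alone. In a real tenant the baseline would come from historical sign-in data rather than a hand-written dictionary, and a new-country hit on a VAP is exactly the kind of event worth routing to a human rather than a dashboard.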
Powerful social engineering
Compromising an individual’s email address is simple for many cybercriminals, says Kalember. “People don’t realise just how easy it is to do that. A five-second Google search, download a tool and you’ll be spoofing away in no time… It’s very powerful social engineering to have something come from a trusted email account.”
The criminal’s aim is often credential theft: passwords and identity rather than money – at least to start with, he explains.
“It is critical that most organisations reduce the amount of phishing attempts that come through to the end user, because some of them are so well-crafted that you can’t be angry with people for falling for them,” Kalember says.
These range from food poisoning complaints to cancer diagnoses. “We see all of these things used as phishing lures, and people are simply going to click on them. You’re fighting a lot of human nature if you’re expecting people not to do that,” he adds.
In the end, there’s a balance to be struck between educating the workforce and protecting it by understanding who your VAPs are and why they might be targeted. Once you’ve done that, you can take action and invest in additional technology to mitigate future attacks.
Watch this webcast now and learn how to shift to a people-centric security model.