Perry Carpenter is lead evangelist for KnowBe4 Inc., supplier of the popular Security Awareness Training & Simulated Phishing platform.
Cyberattacks are a top concern for CEOs worldwide. Market indicators reflect a fear of further increases, and 69% of companies plan to increase security spending in response to heightened cyber risks. Despite the millions of dollars spent on security every year, cyberattacks continue to escalate, evolve and become more targeted.
Traditional cybersecurity approaches saw end users as the problem and designed defenses to prevent users from being compromised. Maybe it’s time for organizations to turn this upside down to see people as the solution. There are several reasons why.
The business perimeter no longer exists.
Modern organizations have become more distributed than ever. Companies store sensitive data in the public cloud, and employees increasingly use SaaS applications to work, share and collaborate. Traditional security measures designed around the perimeter of the organization have become irrelevant. Every new system, application, user, device or vendor added to an organization adds another layer of complexity and increases the potential attack surface, making it harder to keep up with every loophole and vulnerability.
Threat actors focus on people rather than systems.
While cyberattacks and technological defenses evolve and mature over time, end users do not. This is why most threat actors focus on people rather than systems. According to the Verizon DBIR, 82% of all breaches in 2021 involved the human element (phishing, stolen credentials, misuse or human error). When you think about it, it makes sense to go after people: a single lapse in judgment gives an attacker a foot in the door.
Attacking users is easier than attacking systems. To attack systems, attackers must study the infrastructure and the defenses in place. To attack users, all they need to do is send an email that entices the recipient to complete an action (click on a URL, download an attachment, install an app, respond to an email, submit credentials) that bypasses all technical defenses. Targeting users is relatively easy, even for novice cybercriminals: there are more than 24 billion credentials for sale on the dark web and more than 1,200 phishing kits preloaded with ready-to-use templates, help desks, infrastructure, and even instructions for intercepting users' two-factor authentication codes. The dark web is teeming with comprehensive services, including professional hackers for hire.
Cybersecurity will always be underfunded.
Per ThoughtLab research, more than a third (39%) of CEOs agree that they don't have enough budget to ensure cybersecurity. In addition, technology is evolving so quickly that by the time organizations deploy defenses, attackers have already discovered workarounds or switched to a different attack vector. Lack of management support is also a major challenge, as organizations are more focused on growing the business than on securing it. As organizations continue to outsource IT and other business functions, it becomes increasingly difficult to control external partners and vulnerabilities in the supply chain.
Security teams will remain understaffed and overworked.
A major skills gap in cybersecurity is not going to be filled anytime soon. Based on current forecasts, the industry's workforce needs to grow by 65% to meet current demand. Reports suggest that existing security staff are burnt out: the average employee has to keep an eye on about 500 cyber assets. In addition, rising demand for security leadership is partly responsible for high CISO turnover.
Security infrastructure needs an extra layer of security: employees.
Many security professionals are biased towards technological defenses and overlook the fact that employees are one of the greatest assets in their defensive arsenal. A security-first culture with security-conscious employees can help overcome many of these challenges. End users can serve as a critical layer of security by recognizing suspicious activity and reporting it to security teams. Such proactive actions can help neutralize events before they escalate. Trained personnel can help address resource and infrastructure constraints by becoming an extended arm of the security team. Employees are also less likely to make mistakes if they are tested regularly, making the organization less vulnerable to attacks. If a cyber incident occurs, employees can help create a more coordinated defense, helping to isolate the threat more quickly, reduce the intensity of the attack and aid in faster recovery.
For an effective culture that puts security first, focus on three things: awareness, behavior and communication.
Awareness means making employees aware of the major cybersecurity scams perpetrated through social engineering (i.e., phishing, smishing, vishing), of best practices, and of their own responsibility and accountability to the organization.
Approach everything – from training to IT tool selection – with a behavioral mindset. You want behavior-based training so that employees develop muscle memory to block and report suspicious activity, and you want to consider behavior in tool selection, process development, and technology implementation so that you can make the safe choice the easiest choice.
Communication and creating the right social pressure are key to culture change: the message must be conveyed consistently and in the right spirit, and it must either appeal to a large, diverse audience or be adapted to individual groups. Actions matter more than words. Ask yourself: what are the actions of our executive team, management and other groups communicating about the value and practice of security?
There's no question that organizations need to invest in security controls like zero trust and threat detection, but it's also critical to recognize that threats appear completely harmless at first because they are designed to evade defenses. Common methods of initial entry such as phishing, abuse of trusted relationships, and use of valid accounts do not contain malicious code, making them more difficult to detect. It is essential to empower people through training, security policies and procedures to identify these deceptive threats and report suspicious activity.