The best defense against cyber-attacks is not technological cybersecurity solutions but strengthening the human element, said Perry Carpenter, cybersecurity veteran, author and chief evangelist and security officer at KnowBe4.
Verizon’s 2022 Data Breach Investigations Report revealed that the human element is still at the root of breaches, accounting for 82% of all attacks. Attacks are also becoming more aggressive, with ransomware rising 13% in 24 months, an increase greater than the past five years combined.
“As we continue to accelerate into an increasingly digitized world, effective technology solutions, strong security frameworks and a greater focus on education will all play their part in ensuring businesses stay safe and customers are protected,” said Hans Vestberg, CEO and Chairman of Verizon.
Verizon’s report exposes the costs of human influence. “People remain by far the weakest link in an organization’s cybersecurity,” the company says.
KnowBe4, a security awareness and simulated phishing platform, recently launched a resource package designed to help IT and infosec professionals strengthen the human element of their security. The organization said IT professionals are still challenged when it comes to creating a security awareness program.
Carpenter, speaking with TechRepublic, shared the lessons about human security he has learned over the years. He warns that while rising cybersecurity statistics are a major concern, companies need to look further afield.
“Unfortunately, knowledge about cybersecurity threats is only half the battle. Doing something about it, and more importantly, doing something to prevent it, is where you really should be spending your time,” Carpenter said. He explained that even those concerned with security awareness suffer from a fatal flaw: the knowledge-intention-behavior gap.
The knowledge-intention-behavior gap
“Just because your teammates know about something doesn’t mean they care,” Carpenter said. The knowledge-intention-behavior gap explains why breaches continue to increase despite companies investing in strong cybersecurity awareness programs for all employees.
According to Carpenter, employees may be aware of the threats and risks, how they operate and what to do to avoid them, but they are still not taking the necessary steps to keep the company safe.
To reverse this situation, companies need to close the gap between knowledge and intent to encourage correct behavior in their workforce. This requires an approach that the highly technical cybersecurity industry struggles with: working with human nature.
Working with human nature
Effective cybersecurity programs work with human nature, because cybercriminal organizations have become experts at manipulating it. Leaders may wonder why their employees, if they are aware of the threats, still fall for all kinds of scams and phishing campaigns.
According to Carpenter, the answer has nothing to do with how smart employees are. The most successful techniques for breaching a system do not rely on sophisticated malware but on manipulating human emotions. Attackers exploit natural curiosity, impulsiveness, ambition and empathy.
Another method is the old marketing technique of offering things for free. Clickbait bulk ad campaigns can be incredibly effective and serve as gateways for cybercriminals to deliver malware and ransomware. They promise money, investment opportunities or just a free car wash, knowing that it is very difficult for people to resist a seemingly innocuous and attractive offer.
Another growing trend is the manipulation of human empathy. In 2020 the FBI warned of emerging fraud schemes related to COVID-19, and in May 2022 the FBI’s Internet Crime Complaint Center (IC3) warned that scammers were posing as Ukrainian entities asking for donations. Criminals will stop at nothing and use humanitarian crises or the aftermath of natural disasters to fabricate social engineering attacks.
Cybercriminals also create highly personalized attacks using employee information obtained through social media and other online sites. In addition, knowing that an employee reports to a manager, HR or the CEO of a company, they will leverage that relationship and pose as people of authority within the organization. “They send fake CEO messages with instructions to transfer money to a fake supplier account, or trick employees into other fraudulent business email compromise (BEC) schemes,” said Carpenter.
Communication, behavior and culture management
Carpenter explained that companies should provide their employees with continuous security training in three areas:
- Communication
- Behaviour
- Culture management
He shared with TechRepublic key points leaders can use to build lessons for each section.
Communication lessons
- Understand your audience and what they value.
- Grab people’s attention and connect with emotion: make your messages attractive. Don’t just share facts, use stories and examples to connect.
- Have a clear call-to-action: Tell your teams specifically what to do.
Behavior lessons
- Recognize the knowledge-intention-behavior gap as a reality that affects any behavior you hope to encourage or discourage. Your team members may have the knowledge they need and the best intentions, but your goal is to ultimately influence their behavior.
- People are not rational. We need to help them with cues, tools and processes that make behavior easier and feel more natural.
- Place tools and training as close to the point of behavior as possible.
Culture management lessons
- Understand your culture as it currently exists using culture measurement surveys, focus groups, observation, and more.
- Identify potential “culture carriers” equipped and empowered to help support the mindset and behavior you want to see across your team.
- Design ongoing structures, pressures, rewards and rituals, and address the unique differences between groups.
EPM and Phishing Simulations
In 2021, IBM revealed that the average cost of an endpoint attack is $4.27 million. As hybrid work models become the norm and the attack surface expands with millions of new devices connected outside corporate networks, cybersecurity solutions such as Endpoint Privilege Management (EPM) and phishing simulations are stepping up to close the security gaps.
Accenture recently highlighted how EPMs can enable users to perform their work efficiently and securely without risk of breaches. EPMs give endpoints a minimal set of privileges to remove administrative privileges from the user base and control which apps are allowed to run. “Only controlled, trusted applications are allowed to run, and they do so with the lowest possible set of privileges,” explains Accenture.
Another security tool that is becoming increasingly important for identifying vulnerabilities in the human element and exposing the gaps while educating users is the phishing simulation. In a phishing simulation, IT teams run a mock phishing campaign to see how employees react. This allows teams to test their security posture, identify vulnerabilities and learn from the results.
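As an added illustration (not code from the article or from KnowBe4’s platform), the following Python script combines constructed phishing-simulation results with training records to measure the knowledge-intention-behavior gap described above: the share of employees who completed awareness training yet still clicked the simulated lure, broken down by department alongside the plain click rate. Department names, the record layout and the 25% threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real results): one record per employee for one
# simulated campaign. 'trained' = completed the awareness module beforehand;
# 'action' = what they did with the lure: 'reported', 'ignored' or 'clicked'.
SAMPLE_RESULTS = [
    {"user": "alice", "dept": "finance", "trained": True,  "action": "reported"},
    {"user": "bob",   "dept": "finance", "trained": True,  "action": "clicked"},
    {"user": "dave",  "dept": "hr",      "trained": True,  "action": "ignored"},
    {"user": "erin",  "dept": "hr",      "trained": True,  "action": "reported"},
    {"user": "grace", "dept": "it",      "trained": True,  "action": "reported"},
    {"user": "heidi", "dept": "it",      "trained": False, "action": "clicked"},
]

@dataclass
class DeptMetrics:
    total: int = 0
    trained: int = 0
    clicked: int = 0
    reported: int = 0
    trained_clicked: int = 0  # knew the risk, clicked anyway

    @property
    def click_rate(self) -> float:
        return self.clicked / self.total if self.total else 0.0

    @property
    def gap_rate(self) -> float:
        # Knowledge-intention-behavior gap: share of trained staff who clicked.
        return self.trained_clicked / self.trained if self.trained else 0.0

def summarize(results):
    """Aggregate simulation records into per-department metrics."""
    by_dept = defaultdict(DeptMetrics)
    for r in results:
        m = by_dept[r["dept"]]
        m.total += 1
        m.trained += int(r["trained"])
        if r["action"] == "clicked":
            m.clicked += 1
            m.trained_clicked += int(r["trained"])
        elif r["action"] == "reported":
            m.reported += 1
    return dict(by_dept)

def priority_departments(results, gap_threshold=0.25):
    """Departments where training alone is not changing behavior (assumed cutoff)."""
    return sorted(d for d, m in summarize(results).items()
                  if m.gap_rate > gap_threshold)
```

In the sample data, finance and IT share the same click rate, but only finance shows a gap: its clicker was already trained, so per the article the next step there is cues and tools at the point of behavior rather than more awareness content, while IT’s untrained clicker points to a training coverage problem instead.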
“Even if you have achieved transformational results, your journey is rarely over. Bad actors will continue to find innovative ways to thwart our efforts. Your response will be to continually adapt and commit to a process of continuous improvement,” said Carpenter.