
The human factor 2021: How to protect your people from increasingly targeted attacks


The events of the past 18 months have been extensively documented. But while the immediate challenges posed by the pandemic are no longer news to anyone in cybersecurity, its long-term impacts are yet to be fully realized. 

As cybersecurity teams scrambled to secure users across vast remote environments, spanning hundreds if not thousands of new points of attack, cybercriminals seized their opportunity, focusing their sights squarely on our people.

While many workers are returning to the office or shop floor, many others plan to remain in these remote or hybrid environments for the long term. And this is not the only trend set to last in the wake of the pandemic. Emboldened by their successes in 2020, cybercriminals are continuing to target attacks on individual users, using increasingly sophisticated tactics to extract credentials, data, and access to our networks and systems. 

Defending our people on this new threat landscape requires deep understanding in three key areas – vulnerability, attacks, and privilege. In other words, where are your users most exposed, what threats are they facing, and what is the potential impact of a successful attack?

How are cybercriminals targeting your users?

With 99 percent of cyberattacks requiring human interaction to be successful, there’s no doubt your biggest vulnerability is your people. To protect them and, in turn, your organization, you need to understand the threats that they face. Only then can you educate them on their role in keeping such threats at bay.

Assessing this risk means asking the question – if my users are targeted in a cyberattack, how likely are they to become a victim? 

Unfortunately, the answer is often more likely than you would hope. Email remains the number one point of entry for a cyberattack, with all manner of phishing lures, malicious payloads, and social engineering tactics hitting the inbox. 

But despite the high-profile nature of such threats, many users are still ill-equipped to defend against them. In simulated tests, one in five people clicked on attachment-based email threats. 

To make matters worse, other threat vectors in the wild have even higher success rates. Steganography, the technique of hiding malicious payloads in photos and audio files, enticed one in three recipients to click last year. That’s the highest rate of any attack.

The modern threat landscape – old tricks with a new twist  

The modern cybercriminal may be more sophisticated, targeted, and tenacious in their attacks, but there is little new about their methods. 

Ransomware was a significant scourge on the world’s businesses last year, increasing 300 percent compared with 2019. And once again, the inbox was the main point of entry for such attacks. In a modern ransomware attack, first-stage malware is delivered by email. Once activated, this initial payload downloads further malicious files, with the attacker typically operating over compromised RDP or VPN connections.

Another familiar threat, credential phishing, also made a big impact last year. Over half of all email threats in 2020 were credential phishing attempts, outpacing all other threat vectors combined. 

It is no surprise that so many threat actors continue to focus their attention in this area. Successfully compromised credentials can lead to everything from wire fraud to identity theft and cyber espionage. 

Credential theft also directly contributes to the most expensive issue facing cybersecurity teams – business email compromise (BEC). Estimated to have cost businesses $1.8bn last year, it is responsible for almost half of all cybercrime losses. 

As for what’s new on today’s threat landscape, unsurprisingly, Covid-19-related lures were used in abundance last year. By mid-March 2020, about 80 percent of all threats used Covid-19 themes.

As fear and uncertainty spread around the world along with the coronavirus, cybercriminals targeted users with offers of vaccines, treatments, cures, and more in exchange for clicking on malicious links or entering credentials on a spoofed website. 

While we can now look to a future beyond the pandemic, we can expect these tactics to stick around for a while yet. Most recent iterations masquerade as vaccine appointment confirmations, and we can expect similar tactics with every Covid-19 milestone and development.

Examining user privilege – what is at risk?

To fully determine the risk level facing your organization, you must determine precisely what cybercriminals will be able to access, should they compromise one of your users. 

The potential impact of such an attack will depend largely on the level of privilege of the user or users targeted. Compromising a high-privilege user gives a threat actor access to much more sensitive and valuable information. 

Insider threats, whether malicious or negligent, also pose a significant risk among your privileged users. Just one set of leaked credentials or careless click can expose your business to severe financial and reputational consequences. And remote and hybrid work environments make this particular threat much harder to mitigate. 

To effectively monitor, manage, and protect your privileged users, you should first identify your VAPs – that’s your Very Attacked People. When you know who is under the greatest threat, and the level of access they have to your data and networks, you can put appropriate controls in place. 

For most organizations, this means monitoring USB connections, data exfiltration, file downloads, and folder copying during irregular hours. The more you understand your most high-risk users and their activity, the safer your organization.
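The monitoring described above (USB connections, exfiltration, file downloads and folder copying during irregular hours, weighted by the user's level of access) can be reduced to a small scoring rule. The following is an added example, not code from the article or from Proofpoint: the log format, the privilege tiers, the action weights, the working-hours window and the alert threshold are all assumptions, and the log lines are constructed for illustration.

```python
"""Added example (not from the article or Proofpoint): score activity by
privileged users (the article's "Very Attacked People") from constructed
endpoint/DLP log lines and flag the events that deserve analyst attention.
Log format, field names, weights and thresholds are assumptions."""
from datetime import datetime, time

# Constructed sample log lines, pipe-delimited: timestamp|user|action|detail
SAMPLE_LOG = """\
2021-06-14T09:12:03|analyst@example.com|file_download|quarterly_report.xlsx
2021-06-14T23:41:17|cfo@example.com|usb_connect|removable drive E:
2021-06-14T23:43:50|cfo@example.com|folder_copy|finance share -> removable drive E:
2021-06-15T02:05:09|contractor@example.com|upload|5 files to personal cloud storage
2021-06-15T10:30:00|cfo@example.com|file_download|board_pack.pdf
2021-06-15T03:15:44|intern@example.com|usb_connect|removable drive F:
"""

# Assumed privilege tiers for the organisation's VAPs (constructed values):
# 3 = high privilege, 2 = elevated, 1 = standard user.
PRIVILEGE = {
    "cfo@example.com": 3,
    "contractor@example.com": 2,
    "analyst@example.com": 1,
    "intern@example.com": 1,
}

# Weights per monitored activity (assumed; tune to your own environment).
ACTION_WEIGHT = {"usb_connect": 2, "file_download": 1, "folder_copy": 3, "upload": 3}

# Assumed working window; anything outside it, or on a weekend, is "irregular".
WORK_START, WORK_END = time(7, 0), time(20, 0)
ALERT_THRESHOLD = 4


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, user, action, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "detail": detail}


def is_irregular_hour(ts):
    """True when the event falls outside working hours or on a weekend."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def score_event(event):
    """Risk = action weight x user privilege, doubled outside working hours."""
    base = ACTION_WEIGHT.get(event["action"], 1) * PRIVILEGE.get(event["user"], 1)
    return base * 2 if is_irregular_hour(event["ts"]) else base


def flag_events(log_text, threshold=ALERT_THRESHOLD):
    """Return (user, action, score) for every event scoring at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        score = score_event(event)
        if score >= threshold:
            alerts.append((event["user"], event["action"], score))
    return alerts


if __name__ == "__main__":
    for user, action, score in flag_events(SAMPLE_LOG):
        print(f"ALERT score={score:<3} user={user} action={action}")
```

On the constructed sample the two late-night events by the high-privilege finance user and the contractor's overnight upload score highest, while the same user's daytime download of a single file stays below the threshold; the intern's overnight USB connection only just crosses it. The point is that privilege and timing, not the raw action alone, decide whether an event is worth an analyst's time.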

Putting people at the heart of your cyber defense

Today’s people-centric cyberattacks require a people-centric cyber defense. This starts by gaining as much visibility as possible into who is being attacked, how they’re being attacked, and what they may be putting at risk. 

Alongside email protections and perimeter defenses, organizations must implement a comprehensive, ongoing, and adaptive security awareness training program. 

Users at all levels, particularly those with privileged access, must know how to detect, deter, and report suspicious activity and communications. Beyond that, people need to understand their role in keeping your organization safe – and the consequences of failing to do so. 

The result, over time, is a culture in which cybersecurity is not just the concern of IT teams. It is everyone’s responsibility. No matter the specific tactics and attack methods, your people are the biggest risk facing your organization. They are on the front line of your cyber defense. It’s vital that you equip them for the size of that task.

Keith Bird, senior vice-president EMEA, Proofpoint

With over 30 years’ experience across the IT and security industry, Keith Bird is Senior Vice President EMEA at Proofpoint, responsible for driving customer acquisition across a strategically important region.