Given the complexity of the modern threat landscape, organisations and enterprises need to re-think their cybersecurity strategies. Adenike Cosgrove, Cybersecurity Strategy, International, Proofpoint, talks to Intelligent CISO about why adopting a people-centric approach is critical to reducing an organisation’s attack surface.
Today’s attacks target people, not infrastructure
Organisations are spending more than ever on cybersecurity and getting less value from it. Attacks keep getting through. Sensitive information keeps falling into the wrong hands. And data breaches keep making headlines.
It’s time for a fundamental rethink. Traditional cybersecurity models were built for an earlier era – when the prevailing security model was to lock down the perimeter and deal with threats after they got through. The approach barely worked then; it’s hopelessly broken now.
That’s because people, not technology, are attackers’ biggest target – and your biggest risk. This change in the threat landscape requires a fresh mindset and new strategy, one that focuses on protecting people rather than the old perimeter.
Protection starts with people
It’s clear that the usual defend-the-perimeter model of cybersecurity isn’t working – and hasn’t worked for years. More than two thirds of IT security professionals polled in a recent Ponemon study expect cyberattacks to ‘seriously diminish their organisation’s shareholder value’. And more than half believe their cybersecurity posture is levelling off or even declining.
Blame two converging trends: the perimeter is dissolving and attackers are shifting their focus away from technology and towards people.
There’s a simple reason perimeter defences aren’t working. In today’s cloud-enabled mobile economy, there’s no longer a perimeter to defend. Work takes place on devices organisations don’t support, on infrastructure they don’t manage and in channels they don’t own. As Gartner puts it, the IT department ‘simply does not control the bounds of an organisation’s information and technology in the way it used to’.
People always make the best exploits
As business shifts to the cloud, so have attackers. Cloud infrastructure may be highly secure, but the people who use it are often vulnerable.
That’s why today’s attacks exploit human nature rather than technical vulnerabilities. More than 99% of today’s cyberattacks are human-activated. These attacks rely on a person at the other end to open a weaponised document, click on an unsafe link, type their credentials or even carry out the attacker’s commands directly (such as wiring money or sending sensitive files).
Credential phishing, which tricks users into entering their account credentials into a fake login form, is one of the most dangerous examples. In the cloud era, those credentials are the keys to everything – email, sensitive data, private appointments and trusted relationships.
In the third quarter of 2018, for example, corporate credential phishing attempts quadrupled vs. the year-ago quarter according the Proofpoint’s Quarterly Threat Report Q3 2018 and email fraud rose 77% over the same timeframe.
Time to identify your most attacked users
Just as people are unique, so is their value to cyberattackers and risk to employers. They have distinct digital habits and weak spots. They’re targeted by attackers in diverse ways and with varying intensity. And they have unique professional contacts and privileged access to data on the network and in the cloud.
Together, these factors make up a user’s overall risk in what we call the VAP (vulnerability, attacks and privilege) index.
Vulnerability: How your people work
Users’ vulnerability starts with their digital behaviour – how they work and what they click. Some employees may work remotely or access company email through their personal devices. They may use cloud-based file storage and install third-party add-ons to their cloud apps. Or they may be especially receptive to attackers’ email phishing tactics.
Assessing vulnerability that stems from how people work is mostly straightforward – though it’s not always easy, or even possible, with traditional cyberdefences. It starts with knowing what tools, platforms and apps they use.
The second part of measuring vulnerability is figuring out how susceptible your users are to phishing and other cyberattacks. Short of letting attackers in and seeing who opens a malware file or wires money to an attacker (not ideal for obvious reasons), phishing simulations are the best way to gauge this aspect of vulnerability.
Simulated attacks, especially those that mimic real-world techniques, can help identify who’s susceptible and to what tactics. Someone who opens a simulated phishing email and opens the attachment might be the most vulnerable. A user who ignores it would rank somewhat lower. And users who report the email to the security team or email admin would be deemed the least vulnerable.
All cyberattacks are not created equal
While every attack is potentially harmful, some are more dangerous, targeted or sophisticated than others.
Indiscriminate ‘commodity’ threats might be more numerous than other kinds of threats. But they’re usually less worrisome because they’re well understood and more easily blocked. Other threats might appear in only a handful of attacks. But they can pose a more serious danger because of their sophistication or the people they target.
Rich threat intelligence and timely insight are the keys to quantifying this aspect of user risk. The factors that should weigh most heavily in each users’ assessment include: the cybercriminal’s sophistication, the spread and focus of attacks, the attack type and overall attack volume.
You should also weigh these factors in context of what departments, groups or divisions the individual user belongs to. For instance, some users might seem not at risk based on the volume or type of malicious email sent to them directly. But they might actually represent a higher risk because they work in a highly attacked department – and are therefore more likely to be a key target in the future.
Privilege measures all the potentially valuable things people have access to, such as data, financial authority, key relationships and more. Measuring this aspect of risk is key because it reflects the potential payoff for attackers –and harm to organisations if compromised.
Users with access to critical systems or proprietary intellectual property, for instance, might need extra protection, even if they aren’t especially vulnerable or aren’t yet on attackers’ radar. The user’s position in the org chart is naturally a factor in scoring privilege, but it shouldn’t be the only one.
For attackers, a valuable target can be anyone who serves as a means to their end. That’s why your executives and other VIPs may not be the biggest targets in your organisation. According to our research, individual contributors and lower-level managers account for more than two-thirds of highly targeted threats.
Mitigating end-user risks: A blueprint for people-centric protection
Protecting against all the factors that play into user risk requires a multi-pronged approach.
It means reducing your users’ vulnerability by making them more aware of the risk with effective, hands-on cybersecurity awareness training based on active, real-world attack techniques. It also means stopping the whole spectrum of threats – ideally, before they reach the inbox. And it means monitoring and managing their network privilege to prevent unsanctioned access to sensitive information.
Today’s cyberattacks are unrelenting, come in many forms and are always changing. It is critical organisations take a truly people-centric approach to cybersecurity to reduce their attack surface. In the current cloud-enabled, mobile, digitally transformed workplace, the antiquated one-size-fits-all cyberdefences of the past simply no longer work.