The shift to remote working brought on by the COVID-19 pandemic has significantly expanded the attack surface for organizations: remote devices lack the layers of technical controls that are available inside enterprise networks.
A recent report by HP Inc. reveals a 238% increase in global cyberattack volume during the pandemic. The survey shows that changing work styles and behaviours create new vulnerabilities for companies, individuals, and their data. Responding to the findings, Joanna Burkey, Chief Information Security Officer (CISO) at HP Inc., said, “As the lines between work and home have blurred, security risks have soared, and everyday actions such as opening an attachment can have serious consequences. Without all of the pre-pandemic sources of visibility of devices, and how they are being used and by who, IT and security teams are working with clouded vision.”
The pandemic and the immediate post-COVID-19 period have been marked by a sharp rise in social engineering attacks. Here, cybercriminals trick employees into giving up their credentials, installing malware for them, or sending data or money directly to the perpetrators. Unlike most other attacks, which target machines and networks, social engineering attacks require human interaction to succeed.
Despite the relatively unsophisticated nature of such scams, they have emerged as a highly effective attack mode. Research by cybersecurity software firm Proofpoint shows that from March 2020 to September 2021, over 7,000 CEOs or senior executives were impersonated, with the average number of CEO impersonation attacks per organization rising to 102.
Protecting what matters
The rise of social engineering attacks shows that traditional methods of cybersecurity fall short when set against modern threats. Conventional measures have primarily focused on protecting servers, networks and endpoints. Meanwhile, the data shows that most threats (over 90 per cent, according to a report by Verizon) are delivered to people via email.
IT security investments are similarly skewed. According to the ‘Flipping the Script on Security Spending’ report by Proofpoint, only about 8 per cent of security budgets are spent on protecting the email channel, despite 90 per cent of threats arriving through email.
Therefore, there is an urgent need to align cybersecurity strategies and resources with the real threats facing organizations and to focus on the primary target: people. This realignment should result in increased investment in people-centric cybersecurity strategies.
People-centric security calls on security teams to focus on their people, understand who their most vulnerable people are, and equip them with the resources to protect themselves. Such measures should offer 360-degree protection by bringing together technology, processes, and people.
From a technical perspective, tools such as AI-enabled secure email gateways can flag suspicious emails by analysing the language used and the sender details. A word such as “urgent”, popular with cybercriminals, should trigger a warning, as should a message whose display name matches a senior executive but whose sending address does not.
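The kind of language and sender check described above, as an added example that is not code from the original article or from any vendor product. It scores a raw RFC 822 message on a small set of social-engineering indicators (a protected executive's name on a non-corporate address, a mismatched Reply-To, urgency wording, payment wording) and maps the score to a disposition. The corporate domain, the executive list, the term lists, the weights and the three sample messages are all constructed for this example:

```python
"""Heuristic scoring of inbound mail for social-engineering indicators (added example)."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and the
# people attackers most often impersonate (display name -> real address).
CORPORATE_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}  # hypothetical CEO

# Term lists are deliberately short; a real gateway uses much larger lexicons.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "within the hour")
PAYMENT_TERMS = ("wire", "invoice", "bank details", "gift card", "payment")


def _body_text(msg: Message) -> str:
    """Return the text/plain content of a message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _has_term(term: str, text: str) -> bool:
    """Whole-word match so that 'wire' does not fire on 'rewired'."""
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for a raw message string."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    expected = PROTECTED_NAMES.get(display.strip().lower())
    if expected and addr != expected:  # display-name impersonation of an executive
        score += 5
        reasons.append(f"display name {display!r} is a protected executive but sender is {addr}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:  # replies are steered elsewhere
        score += 3
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    for term in URGENCY_TERMS:
        if _has_term(term, text):
            score += 2
            reasons.append(f"urgency term: {term!r}")
    for term in PAYMENT_TERMS:
        if _has_term(term, text):
            score += 2
            reasons.append(f"payment term: {term!r}")
    return score, reasons


def classify(raw: str) -> str:
    """Map a score to a gateway action; thresholds are assumptions for this example."""
    score, _ = score_message(raw)
    if score >= 10:
        return "quarantine"
    if score >= 4:
        return "warn"
    return "deliver"


# Constructed sample messages (not real traffic).
SPOOFED_CEO = """From: Jane Doe <jane.doe@webmail.example.net>
To: accounts@example.com
Subject: Urgent wire request

Hi, I need you to process an invoice payment immediately. I am in a meeting,
don't call. Send the bank details confirmation ASAP.
"""

VENDOR_INVOICE = """From: Billing <billing@vendor.example.org>
Reply-To: ar@vendor.example.org
To: accounts@example.com
Subject: Invoice 4471 due 30 June

Please find attached invoice 4471. Payment is due within 30 days.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: all-staff@example.com
Subject: Q3 all-hands agenda

Hello everyone, the agenda for Thursday's all-hands is in the calendar invite.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_CEO), ("vendor", VENDOR_INVOICE), ("benign", BENIGN)):
        score, reasons = score_message(sample)
        print(f"{name}: score={score} action={classify(sample)} reasons={reasons}")
```

The vendor invoice lands in the “warn” band purely because it mentions an invoice and a payment and sets a Reply-To, which is normal for accounts-receivable mail; keyword heuristics of this kind produce false positives and belong alongside sender authentication results rather than in place of them.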
On the process side, some organizations have put in place controls that block an invoice payment until the identity of the person requesting it has been verified through a channel other than the email itself. Readily available authentication standards such as DMARC should also be in use: published with an enforcing policy, DMARC stops criminals from sending mail that spoofs your domain to trick employees and business partners.
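To make the DMARC point concrete, the following added example (not code from the original article) parses a DMARC TXT record, lists what a reviewer would want fixed in it, and applies the published policy the way a receiving mail server does under RFC 7489: a message passes if either SPF or DKIM passes with an aligned domain, otherwise the p= policy is applied. The two records are constructed for the example; the domain and report addresses are placeholders, and the disposition function assumes the message fell within the pct= sample.

```python
"""Parse a DMARC record, review it, and compute the disposition of a spoofed message (added example)."""
from __future__ import annotations

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict; ValueError on malformed input."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first, and a policy tag is mandatory.
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def assess(txt: str) -> list[str]:
    """Findings a reviewer would raise about the record; an empty list means nothing to fix."""
    rec = parse_dmarc(txt)
    findings: list[str] = []
    if rec["p"] == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    pct = int(rec.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail has the policy applied")
    sp = rec.get("sp", rec["p"])  # subdomain policy defaults to p
    if sp == "none" and rec["p"] != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in rec:
        findings.append("no rua=: no aggregate reports, so you cannot see who is spoofing you")
    return findings


def disposition(txt: str, spf_aligned_pass: bool, dkim_aligned_pass: bool) -> str:
    """Receiver-side evaluation: pass on any aligned pass, else the published policy.

    Assumes the message fell within the pct= sample; sampling is not modelled here.
    """
    rec = parse_dmarc(txt)
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    return rec["p"]


# Constructed records: a monitor-only one and an enforcing one for the same domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, "findings:", assess(rec) or "none")
        # A criminal sending from outside the domain fails both aligned checks.
        print(label, "spoofed message disposition:", disposition(rec, False, False))
```

With the weak record a spoofed message is still delivered (the disposition is “none”); only the enforcing record turns the same message into a reject. Moving from p=none to p=reject is safe only once the aggregate reports show that every legitimate sender for the domain passes an aligned SPF or DKIM check, which is why the rua= tag is treated as mandatory here.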
Turning weakness into strength
Training is particularly crucial to solving the people vulnerability equation. Cybersecurity training should be standard and enforcement rigorous; this does not imply retribution, which could backfire and deter staff from reporting threats. Employees should be able to identify suspicious emails quickly and forward them to the security team as a matter of routine.
There is also a need to shift how organizations treat employees. In traditional settings, people have primarily been viewed as a cybersecurity “weakness”, and organizations fail to take advantage of a valuable cyber defence resource.
A people-centric cybersecurity strategy recognizes that people are an effective tool to prevent cyber-attacks and empowers them with the training to identify threats and the freedom to take some basic remedial actions.
The shift in mindset may seem trivial but has significant implications for how billions in cybersecurity budgets are spent. Most importantly, it can help save organizations from the data leakage, downtime and reputational damage that cybercrime inflicts.
Effectively guarding the modern, post-perimeter enterprise requires a different security paradigm, says Mile McKee, CEO of cybersecurity firm Dotmatics. “As such, security paradigms must evolve to protect individuals, who largely mean well and deserve privacy, while also safeguarding the organization’s intellectual property, critical resources and brand reputation,” he adds.
Cybercriminals will continue to target employees for the simple reason that it works. But therein lies the greatest opportunity to solve a significant part of the global cybercrime plague. A people-centric security strategy is cheaper and more effective in the long run for increasingly vulnerable global firms.