The most effective defence against cyberattacks is not technological cybersecurity solutions but improving the human factor, said Perry Carpenter, cybersecurity veteran and chief evangelist-security officer at KnowBe4.
Verizon Business's 2022 Data Breach Investigations Report found that human factors are the primary cause of security breaches, accounting for 82 per cent of all attacks.
Attacks are also becoming more severe, with ransomware rising 13% in a single year, a larger increase than in the previous five years.
“As we continue to speed up our progress towards an increasingly digital world, efficient technological solutions, robust security frameworks and an increased emphasis upon education are all playing a role in making sure that businesses are safe and their customers are protected,” said Hans Vestberg, CEO and chairman of Verizon.
Improve The Human Aspect of Cybersecurity
Verizon’s report shows the price that human influences can exact from a company. “People continue to be the weakest link in an organization’s cyber security,” the company says.
KnowBe4, a security awareness training and simulated phishing service, recently launched a resource kit designed to help IT and infosec professionals strengthen the human side of their security.
The company said IT professionals face challenges in building an awareness-based security program.
Carpenter, speaking with TechRepublic, shared the security lessons he has learned over the past years. He warns that although the rising cybersecurity figures are alarming, companies must look past them.
“Unfortunately, knowing about cybersecurity risks is just one aspect of the problem. Being proactive about them and, most importantly, taking action to stop them is what you should spend your time on,” Carpenter said. He explained that even organizations engaged in security awareness efforts suffer from a fatal flaw: the knowledge-intention-behaviour gap.
The knowledge-intention-behaviour gap
“Just because the team members in your organization have been made aware doesn’t mean that they will be aware of it,” Carpenter said.
The knowledge-intention-behaviour gap is evident in the fact that the number of breaches continues to rise despite companies’ investments in security awareness programs for all employees.
According to Carpenter, workers may be aware of the dangers they face, how those threats operate and the risks they need to avoid, yet still not take the steps necessary to keep their company safe.
To reverse this trend, businesses must close the gap between what their employees know and intend and how they actually behave.
This requires a highly technical strategy, and the cybersecurity industry has difficulty working in harmony with human instincts.
Working with human nature
Effective cybersecurity programs work with human nature, because cybercriminal organizations have become skilled at manipulating it.
Organizations whose staff are educated and aware may still ask why those employees remain susceptible to fraud and phishing scams.
The answer, according to Carpenter, has nothing to do with how intelligent employees are. The most effective attacks rely not on sophisticated software but on manipulating the human mind: attackers exploit natural curiosity, impulsiveness, the desire to belong and compassion.
Another tactic is the traditional marketing trick of offering something for free. Mass clickbait campaigns are highly effective, and cybercriminals use them as gateways for delivering ransomware and malware.
They may offer money, investment opportunities or even an unbeatable deal on a car wash, knowing that people find it hard to resist an attractive offer.
Another trend gaining momentum preys on the human psyche: criminals will stop at nothing, exploiting humanitarian crises and natural disasters to build social engineering attacks.
In 2020, the FBI warned of emerging scams involving COVID-19. Then, in May 2022, the FBI’s Internet Crime Complaint Center (IC3) warned that scammers were posing as Ukrainian organizations requesting donations.
Cybercriminals can also craft highly targeted attacks using employee information gathered from social media and company websites. And because they know that employees respond to an HR manager, a line manager or the CEO, they exploit that relationship by impersonating people in authority within the company.
“They send fake messages to the CEO, containing instructions to wire money to a fake supplier account, or to induce employees to participate in other business email compromise (BEC) scams,” Carpenter said.
Communication, behaviour and culture management
Carpenter said that organizations should offer ongoing security education to their workers in the following three categories:
- Communication
- Behaviour management
- Culture management
He also shared with TechRepublic the key elements trainers can apply when creating lessons for each segment.
- Know your audience and what they value.
- Capture people’s attention and engage their emotions: make your message compelling. Don’t just relay facts; use stories and examples to make the message more memorable.
- Give your team a clear statement of what they must do.
- Recognize the knowledge-intention-behaviour gap as a reality that affects any behaviour you hope to encourage or discourage. Your team members may already have the skills they need and be able to make the right decisions, but your ultimate objective is to influence their behaviour.
- Humans are not purely rational. It is our responsibility to support people with instructions, tools and methods that make the desired behaviour easier and more natural.
- Place training and tools as close to the actual point of behaviour as possible.
Culture management lessons
- Understand your current culture as it actually is, using culture measurement methods such as surveys, focus groups, observation and more.
- Create structures, pressures, rewards and rituals that are designed to last and that reflect the distinct differences among groups. Consider identifying potential “culture leaders” who are trained and able to support the attitudes and behaviour you want to see within your group.
EPM and phishing simulations
In 2021, IBM found that an attack on an endpoint cost $4.27 million. As hybrid work models become the norm and the threat surface grows with millions of devices connected to corporate networks, security solutions such as Endpoint Privilege Management (EPM) and phishing simulations can address these vulnerabilities.
Accenture recently noted that EPM can help users perform their jobs effectively and safely without risking breaches. EPM grants endpoints a limited set of privileges, removing administrator rights from the baseline and controlling which applications are allowed to run.
“Only verified, trusted apps are permitted to run, and they are allowed to run using the least restrictive amount of privileges,” Accenture explains.
Another security tool that is becoming essential for finding weaknesses in the human factor, closing security gaps and educating users about phishing is the phishing simulation.
With phishing simulations, IT teams replicate phishing campaigns to see how employees react. This helps teams evaluate their security measures, spot areas of weakness and learn from the results.
“Even once you’ve achieved transformative outcomes, the journey is never finished. The bad actors will always find new ways to thwart the best of our efforts. The best way to counter this is to keep changing and be committed to an ongoing process of constant improvement,” Carpenter said.