
How to strengthen the human element in cybersecurity


IT professional working in front of laptop
Image: Unsplash

The best defense against cyberattacks is not cybersecurity technology but a strengthened human element, says Perry Carpenter, cybersecurity veteran, author and chief evangelist and strategy officer at KnowBe4.

Verizon Business’s 2022 Data Breach Investigations Report revealed that the human element continues to drive breaches, playing a part in 82% of them. And attacks are getting more aggressive, with ransomware increasing 13% in 24 months, more than in the previous five years combined.

“As we continue to accelerate towards an increasingly digitalized world, effective technology solutions, robust security frameworks, and an increased focus on education will play a key role in ensuring that businesses remain safe and customers are protected,” said Hans Vestberg, Verizon CEO and President.

Verizon’s report shows the cost of human influence. “People are still — by far — the weakest link in an organization’s cybersecurity,” the company said.

KnowBe4, a security awareness training and simulated phishing platform, recently released a set of resources designed to help IT and infosec professionals improve the human element of security. The company says IT professionals still face many challenges when it comes to building a security awareness program.

Carpenter, speaking with TechRepublic, shared the human-security lessons he has learned over the years. He warned that while rising cybersecurity statistics are a big concern, companies should look beyond them.

“Unfortunately, knowing about cybersecurity threats is only half the battle. Doing something about them — and more importantly, doing something to prevent them — is where you should really spend your time,” says Carpenter. He explains that even organizations with active security awareness efforts share a fatal flaw: the knowledge-intent-behavior gap.


The knowledge-intent-behavior gap

“Just because your team members are aware of something doesn’t mean they will care,” says Carpenter. The knowledge-intent-behavior gap explains why breaches continue to grow even as companies invest in strong cybersecurity awareness programs for their entire workforce.

According to Carpenter, workers can be aware of threats and risks, of how they work and of what they need to do to avoid them, and still fail to take the actions necessary to keep the company safe.

To overcome this situation, companies must bridge the gap between knowledge and intention to encourage the right behaviors in their workforce. This requires an approach that the highly technical cybersecurity industry has struggled with — working with human nature.

Working with human nature

Effective cybersecurity programs work with human nature, because cybercriminal organizations have become experts at manipulating it. Leaders may ask themselves why, if their employees are informed, they still fall for phishing and other scams.

The answer, according to Carpenter, has nothing to do with how smart employees are. The most successful techniques to compromise systems depend not on sophisticated malware but on how they manipulate human emotions. Attackers are taking advantage of natural curiosity, impulsivity, ambition, and empathy.

Another method is the old marketing technique of offering things for free. Mass campaigns built on clickbait can be extremely effective, and for cybercriminals they are a gateway for malware and ransomware downloads. They promise cash, investment opportunities or just a free car wash, knowing that it is very difficult for people to resist a seemingly innocuous and attractive offer.

Another rising trend is the manipulation of empathy. In 2020 the FBI warned of emerging fraud schemes related to COVID-19, and in May 2022 the FBI’s Internet Crime Complaint Center (IC3) warned that scammers were posing as Ukrainian entities asking for donations. Criminals do not stop there; they also use humanitarian crises and the aftermath of natural disasters to fabricate social engineering attacks.

Cybercriminals are also creating highly personalized attacks using employee information they obtain from social media and other websites. Additionally, knowing that an employee reports to a particular manager, human resources department or executive, they leverage that relationship and impersonate authority figures within the organization. “They send fake messages from the CEO with instructions to transfer money to bogus vendor accounts or trick employees into engaging in other fraudulent business email compromise (BEC) schemes,” Carpenter said.


Communication, behavior and cultural management

Carpenter explains that companies should provide ongoing security training to their employees in three areas:

  • Communication
  • Behavior
  • Cultural management

He shared with TechRepublic key points that leaders can use to build lessons for each section.

Communication lessons

  • Understand your audience and what they value.
  • Get people’s attention and connect emotionally: make your message engaging. Don’t just share facts, but use stories and examples to connect.
  • Have a clear call to action: tell your teams specifically what they need to do.

Behavior lessons

  • Recognize the knowledge-intent-behavior gap as a fact that affects any behavior you hope to encourage or discourage. Your team members may have the knowledge they need and the best intentions, but your goal is ultimately to influence their behavior.
  • People forget. We need to help them with reminders, tools, and processes that make the desired behavior easier and feel more natural.
  • Place tools and training as close to the behavior point as possible.

Cultural management lessons

  • Understand your culture as it currently exists using cultural measurement surveys, focus groups, observations, etc.
  • Identify potential “culture bearers” who are equipped and empowered to help support the mindset and behaviors you want to see showcased across your team.
  • Design structures, pressures, rewards, and rituals to be continuous and address the unique differences between different groups.

EPM and phishing simulation

In 2021, IBM reported that the average cost of an endpoint attack is $4.27 million. As hybrid work models become the norm and the attack surface expands with millions of new devices connecting from outside the corporate network, security solutions such as Endpoint Privilege Management (EPM) and improved phishing simulation are being adopted to address the resulting vulnerabilities.

Voice mark recently highlighted how EPM can enable users to do their work efficiently and securely without undue risk of a breach. EPM gives the endpoint a minimal set of privileges, removing administrative rights from the user base and controlling which applications are allowed to run. Accenture explains: “Only trusted, vetted applications are allowed to run, and they do so with the lowest possible set of privileges.”
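The two EPM controls named above, vetting which applications may run and granting each one only the privilege it needs regardless of what the user asks for, can be sketched as a policy decision. The following is an added illustration, not code from KnowBe4, Accenture or any EPM product; the allowlist, the sample "binaries" and the two privilege levels are constructed for the example.

```python
"""Added example: a minimal application-control decision in the EPM style.
Constructed allowlist and sample binaries; not any vendor's code."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sha256: str      # hash of the vetted binary
    privilege: str   # least privilege the application needs: "standard" or "elevated"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    privilege: str   # privilege the process will actually receive ("none" if denied)
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_rules(vetted: dict) -> dict:
    """vetted maps executable name -> (binary bytes, least privilege needed).

    In a real deployment the hashes would come from a vetted software inventory."""
    return {name: Rule(sha256_hex(blob), priv) for name, (blob, priv) in vetted.items()}


def decide(name: str, binary: bytes, rules: dict, user_requested: str = "standard") -> Decision:
    """Decide whether `binary` may run and with which privilege.

    The user's requested privilege is deliberately ignored: privilege is taken
    from the rule for the vetted application, never from the caller."""
    rule = rules.get(name)
    if rule is None:
        return Decision(False, "none", "not on allowlist")
    if sha256_hex(binary) != rule.sha256:
        return Decision(False, "none", "hash mismatch: binary differs from the vetted copy")
    return Decision(True, rule.privilege, "vetted application")


# Constructed sample "binaries" standing in for real executables.
VETTED = {
    "editor.exe": (b"editor v1 bytes", "standard"),
    "backup.exe": (b"backup v3 bytes", "elevated"),
}
RULES = build_rules(VETTED)


if __name__ == "__main__":
    requests = [
        ("editor.exe", b"editor v1 bytes", "elevated"),           # user asks for admin: ignored
        ("editor.exe", b"editor v1 bytes TAMPERED", "standard"),  # modified binary: denied
        ("unknown.exe", b"anything", "standard"),                 # not vetted: denied
        ("backup.exe", b"backup v3 bytes", "standard"),           # needs elevation: gets it
    ]
    for name, blob, req in requests:
        d = decide(name, blob, RULES, req)
        print(f"{name:12} requested={req:8} -> allowed={d.allowed} privilege={d.privilege} ({d.reason})")
```

The point of the `user_requested` parameter is that it never influences the outcome: removing administrative rights from the user base means the privilege level is a property of the vetted application, not of whoever launches it.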

Another security tool that is becoming increasingly important for identifying human-factor vulnerabilities and remediating them while educating users is phishing simulation. In a phishing simulation, the IT team runs simulated phishing campaigns to see how workers respond. This allows teams to test their security posture, identify weaknesses, and learn from the results.
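What "learning from the results" looks like in practice is turning raw campaign events into per-group rates, with reporting treated as the desired behavior rather than just clicking as the undesired one. The block below is an added example and not KnowBe4's or any platform's code; the event records, department names and the thresholds used to flag a group are all constructed.

```python
"""Added example: summarizing a simulated phishing campaign by department.
Constructed events; not any platform's code."""
from collections import defaultdict

# Constructed results of one campaign: (user, department, action).
# Actions: "delivered", "clicked", "submitted" (entered data on the landing page), "reported".
EVENTS = [
    ("alice", "finance", "delivered"), ("alice", "finance", "clicked"), ("alice", "finance", "submitted"),
    ("bob", "finance", "delivered"), ("bob", "finance", "reported"),
    ("carol", "finance", "delivered"), ("carol", "finance", "clicked"),
    ("dave", "eng", "delivered"), ("dave", "eng", "reported"),
    ("erin", "eng", "delivered"),
    ("frank", "eng", "delivered"), ("frank", "eng", "clicked"), ("frank", "eng", "reported"),
]


def summarize(events):
    """Collapse events to one record per user, then compute per-department rates.

    A user who clicked and later reported counts in both rates: the click is a
    weakness to address, the report is the behavior the program wants to see."""
    per_user = {}
    for user, dept, action in events:
        rec = per_user.setdefault(user, {"dept": dept, "actions": set()})
        rec["actions"].add(action)

    counts = defaultdict(lambda: {"targets": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for rec in per_user.values():
        c = counts[rec["dept"]]
        c["targets"] += 1
        for action in ("clicked", "submitted", "reported"):
            if action in rec["actions"]:
                c[action] += 1

    summary = {}
    for dept, c in counts.items():
        n = c["targets"]
        summary[dept] = {
            "targets": n,
            "click_rate": c["clicked"] / n,
            "submit_rate": c["submitted"] / n,
            "report_rate": c["reported"] / n,
        }
    return summary


def weak_groups(summary, max_click_rate=0.35, min_report_rate=0.5):
    """Departments whose results fall outside the (constructed) target thresholds."""
    return sorted(
        dept for dept, m in summary.items()
        if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    summary = summarize(EVENTS)
    for dept, m in sorted(summary.items()):
        print(f"{dept:8} targets={m['targets']} click={m['click_rate']:.0%} "
              f"submit={m['submit_rate']:.0%} report={m['report_rate']:.0%}")
    print("groups needing follow-up training:", weak_groups(summary))
```

Tracking the report rate alongside the click rate matters because it measures the clear call to action from the communication lessons above (report suspicious mail), and a group that clicks but also reports is in a different position from one that clicks silently.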

“Even when you have achieved transformative results, your journey is rarely over. The bad guys will continue to find creative ways to thwart our best efforts. Your response will be to constantly adapt and commit to a process of continuous improvement,” says Carpenter.
