How Identifying your ‘Very Attacked People’ Can Bolster Your Cybersecurity Strategy
By Adenike Cosgrove, Cybersecurity Strategist, International at Proofpoint
A strong cybersecurity posture is multifaceted. As new threats are born and others evolve, companies must keep adding to their arsenal to ensure their defences are up to the task. However, there is one line of defence that is still often overlooked: people.
The cybersecurity knowledge and understanding of the employees in an organisation is just as important as any policy or control that is put in place. The end user is often the first point of attack. The more they understand about how their behaviour can affect the security of the business, the stronger an organisation’s cybersecurity posture.
The good news is that security leaders in the Netherlands are all too aware of this, with recent Proofpoint research showing that 61% of CISOs/CSOs surveyed in the region believe that human error and lack of security awareness are among the biggest risks to their organisation. The security leaders in the Netherlands believe that the actions that lead to these risks include mishandling sensitive information (53%), falling for phishing attacks (47%), insecure passwords (39%), sharing passwords (39%), criminal insider threats (34%) and clicking on malicious links (33%).
While all employees can fall victim to external attacks on an organisation, some are more attractive targets than others. Just as people are unique, so is their value to cyber attackers and the risk they pose to your organisation. They have distinct digital habits and weak spots. They are targeted by attackers in diverse ways and with varying intensity. And they have unique professional contacts and privileged access to data on the network and in the cloud.
Proofpoint refers to these more heavily targeted employees as Very Attacked People (VAPs). These VAPs aren’t always the people you expect, because today’s attacks target users in countless ways, across new digital channels, with objectives that aren’t always obvious.
Identifying your VAPs
Do you know who your Very Attacked People (VAPs) are and how they are being attacked? If you don’t, you should. Gaining these insights can go a long way toward reducing your exposure to targeted threats.
Adversaries are taking a finely honed, highly strategic approach to targeting your people. Sophisticated attackers diligently do their research and often have access to org charts and know how a business works better than the security team does. Today’s cyber criminals are much less interested in casting a wide net through scattershot spam or phishing campaigns in hopes of getting someone to download a PDF that contains malware or to click on a malicious URL.
So how can you identify a risky user, and what can you do about it?
There are two parts to identifying a VAP:
- Using mathematical concepts, Proofpoint looks at every threat and assigns it a score from 1 to 1,000 based on the spread of the attack, the type of payload and whether an actor can be associated with it.
- User data points are then added into the equation. These include URLs that users have clicked on over time, which users tend to do this frequently, how well users perform on phishing simulations and checking API connections to Microsoft Office 365 to see who may be coming from suspicious networks. Even device health, like browser patch levels, can provide valuable insights.
- Examine this anti-phishing training data to reveal the most vulnerable users, and use those metrics to address the perfect storm that’s brewing: the overlap between these two populations, the users who are both heavily attacked and likely to fall for an attack. The opportunity to deliver the right training to the right people at the right time should not be squandered.
When you put all of this together, you have a good sense of who is getting targeted and who is going to fall for the tactics and techniques of bad actors. All this number crunching gives you an advantage over attackers. You can use this intelligence to prioritize your efforts because attackers are prioritizing theirs.
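As an illustration of the two-part approach described above, here is an added Python sketch that is not Proofpoint’s scoring model (the page gives no weightings): it scores constructed sample threats from 1 to 1,000 using spread, payload type and actor attribution, builds a per-user vulnerability score from the listed data points, and returns the overlap of heavily attacked and vulnerable users. All weights, thresholds, field names and sample data are assumptions.

```python
"""Illustrative VAP prioritisation (constructed data, assumed weightings; not
Proofpoint's model): who is heavily attacked, who is likely to fall, and the overlap."""
import math
from collections import defaultdict

# Assumed payload weights: the more damaging a payload is if it lands, the higher.
PAYLOAD_WEIGHT = {"credential_phish": 0.5, "malware_url": 0.7, "malware_attachment": 0.9}

def threat_score(spread, payload, actor_attributed):
    """Score one threat from 1 to 1,000 from its spread (mailboxes reached), payload
    type and whether an actor is attributed; narrow, attributed campaigns score highest."""
    targeting = max(0.0, 1.0 - math.log10(max(spread, 1)) / 3)  # 1 mailbox -> 1.0, 1,000 -> 0.0
    base = 0.4 * targeting + 0.4 * PAYLOAD_WEIGHT[payload] + (0.2 if actor_attributed else 0.0)
    return max(1, min(1000, round(base * 1000)))

def attack_index(threats):
    """Sum the scores of every threat aimed at each user (the 'how attacked' half)."""
    index = defaultdict(int)
    for t in threats:
        index[t["user"]] += threat_score(t["spread"], t["payload"], t["actor_attributed"])
    return dict(index)

def vulnerability_score(profile):
    """Combine the user data points into a 0..1 score (the 'how likely to fall' half)."""
    sim_fail_rate = profile["fails"] / max(profile["sims"], 1)  # phishing-simulation failures
    click_rate = min(profile["clicks"] / 5, 1.0)                # clicks on flagged URLs, saturating
    score = 0.4 * sim_fail_rate + 0.3 * click_rate
    score += (0.15 if profile["susp_login"] else 0.0) + (0.15 if profile["old_browser"] else 0.0)
    return round(score, 2)

def prioritise(threats, profiles, attack_threshold, vuln_threshold):
    """Users who are both heavily attacked and vulnerable: the overlap to train first."""
    attacked = attack_index(threats)
    return sorted(u for u, p in profiles.items()
                  if attacked.get(u, 0) >= attack_threshold
                  and vulnerability_score(p) >= vuln_threshold)

THREATS = [  # constructed sample data: four observed threats against three users
    {"user": "hr.lead", "spread": 3, "payload": "malware_attachment", "actor_attributed": True},
    {"user": "hr.lead", "spread": 1, "payload": "credential_phish", "actor_attributed": True},
    {"user": "ceo", "spread": 500, "payload": "credential_phish", "actor_attributed": False},
    {"user": "pr.intern", "spread": 2, "payload": "malware_url", "actor_attributed": False},
]
PROFILES = {  # constructed: simulations sent/failed, flagged clicks, login network, browser age
    "hr.lead":   {"sims": 10, "fails": 4, "clicks": 3, "susp_login": False, "old_browser": True},
    "ceo":       {"sims": 10, "fails": 0, "clicks": 0, "susp_login": False, "old_browser": False},
    "pr.intern": {"sims": 10, "fails": 1, "clicks": 1, "susp_login": True, "old_browser": False},
}
# prioritise(THREATS, PROFILES, 600, 0.2) -> ['hr.lead', 'pr.intern'] (ceo is attacked but not vulnerable)
```

Note that the most senior user is neither the most attacked nor the most vulnerable in this sample, which is the point the next paragraph makes about VAPs versus VIPs.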
Previous Proofpoint research has also found that VAPs are rarely the people an organisation would consider its VIPs (senior executives etc.), and are more likely to sit in the HR, PR, marketing or research teams.
Creating a security-conscious culture
Once you’ve identified your most targeted employees, closing security knowledge gaps is crucial. That said, it is critical to ensure that each and every employee within the organisation is aware of the role they play in practising good security hygiene.
Spotting gaps in user knowledge is one thing. Closing them is another. There is no quick fix. To increase user understanding of complex topics and bring about a change in behaviour, the only effective plan of action is comprehensive, ongoing training that keeps pace with the cyberthreats organisations are facing.
This training should include regular assessments, education, reinforcement activities, and measurement of understanding.
Companies that fail to create a culture of cyber awareness and responsibility will always be the most vulnerable to attack. The human factor needs to be a key pillar of a company’s cybersecurity defences.
To shore up the line of defence that is usually overlooked – people – organisations should consider taking the following actions:
- Deliver comprehensive and continuous cybersecurity training to all employees, at all levels. This means not only training and regularly refreshing end users on how to spot a phishing attack, but also on what to do when one occurs, and eradicating any behaviour that can affect the security of your business.
- Ensure employees are educated in cybersecurity best practices, for example practising good password hygiene. Not all security incidents stem from an outside attack, and teaching employees how to keep sensitive data secure is vital.
- Treat traditional phishing attacks with the importance they deserve. Ensure that your users know how to spot them and what to do if and when they occur. But know that to stand a greater chance of preventing such attacks, your security training must extend far beyond this.
- Educate employees on the “why” as well as the “what”: not just what a threat looks like, but how it works, the motivation behind it and the ways that their behaviour can increase its success rate. That’s true not just of phishing, but of every security challenge faced by end users.
When awareness and understanding increase, behaviour changes. And that might just be the difference between a successful attempt and a successful attack.