The Human Factor in IT Security

As cybercrime becomes more pervasive, IT professionals are becoming more adept at dealing with threats from a technological perspective. As our hardware and software defenses improve, it’s only natural that cybercriminals will focus on the proverbial weak link. When we are talking about technology, that weak link is almost always the human aspect.

An astonishing percentage of cybercriminals – more than 99%, according to 2019 statistics in “The Human Factor” by Proofpoint – rely on human interaction to do their dirty work. That interaction can be installing malware, initiating fraudulent transactions, stealing data, and pretty much anything else they can envision.

The company gathered trillions of data points to assemble the latest version of its report: “The Human Factor 2022.” Proofpoint analyzes more than 2.6 billion emails, 49 billion URLs, 1.9 billion attachments, 1.7 billion suspicious text messages, and 28.2 million cloud accounts daily.

After analyzing all these cases, the company found that a people-centric defense is best because it teaches your team to look out for themselves – and you. Here are a few of the highlights:

How Your Employees Can Stop Cybercriminals…

“The Human Factor” notes that no matter how sophisticated an attack is, it can’t succeed unless a human being falls for it. They advocate a combination of security-awareness training and risk-based controls.

Let’s start by looking at training. Take the time to train your employees to spot malicious emails. Begin with the basics – encourage them never to divulge confidential information via email. Teach them to carefully examine the email sender before they open an email. Oftentimes, phishing attacks originate from obviously fraudulent emails – the president of your company, for example, would only send a request from his work account, not a random email address that ends in a .me extension. Spotting these can go a long way toward stopping a potential disaster.
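The sender check described above can also be automated at the mail gateway. The following is an added example, not code from Proofpoint or from this article: it flags a message whose display name matches a protected executive while the address sits on an outside domain, and, going one step beyond the text, a Reply-To that points to a different domain than the sender. The domain, the executive name and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: your mail domain and the names worth impersonating.
CORPORATE_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}  # constructed executive name, stored lower-case

def _domain(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    local, at, domain = address.rpartition("@")
    return domain.lower() if at and local else ""

def check_sender(raw_message):
    """Return a list of reasons the sender looks suspicious (empty list = no findings)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = _domain(address)
    if not domain:
        return ["From header has no usable address"]
    findings = []
    # Normalise case and whitespace so "JANE   Doe" still matches.
    name = " ".join(display.lower().split())
    if name in PROTECTED_NAMES and domain != CORPORATE_DOMAIN:
        findings.append(f"display name {display!r} used with outside domain {domain}")
    # Replies silently redirected to another domain are a common companion sign.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {domain}")
    return findings

# Constructed sample messages; quickmail.example stands in for the "random" outside address.
SPOOFED = ('From: "Jane Doe" <jane.doe.office@quickmail.example>\n'
           "Subject: Urgent request\n\nPlease send the file today.\n")
LEGITIMATE = ("From: Jane Doe <jane.doe@example.com>\n"
              "Subject: Quarterly update\n\nSee attached agenda.\n")
REDIRECTED = ("From: Jane Doe <jane.doe@example.com>\n"
              "Reply-To: jd@quickmail.example\n"
              "Subject: Quick favour\n\nReply to me directly.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE),
                       ("redirected", REDIRECTED)):
        print(label, check_sender(raw) or "no findings")
```

A message with findings is a candidate for a warning banner or quarantine rather than silent deletion, so employees still see what an impersonation attempt looks like.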

Next, keep them in the loop. Make employees aware of threats as you learn about them – even if those threats aren’t directly impacting them. If you learn of a company down the street, a competitor, or a vendor that was hit by a certain type of attack, let your team know – and give them any details you have. The more information they have, the less likely they will be to fall victim to a similar scam.

Then empower your people to feel in control of their security. If an employee questions the veracity of an email asking them to download a form or send information, don’t react negatively, even if it turns out to be a legitimate request. Praise the initiative it took for the employee to check so that you leave the lines of communication open in case of a real attack.

Also, understand that some employees are more likely to be targeted than others. The Human Factor found that employees with privilege – access to data and systems – comprised only 10% of users but represented 50% of the most severe attacks. Educating these key employees, and putting additional safety processes and structures in place around their usage, can help prevent an attack.

Once you are confident your team understands what to look for, ensure they are doing so. Your in-house tech team can easily send a non-harmful email that mimics the look and feel of a phishing email. Have them report who opens the email and who ultimately falls for the bait. Once you understand which employees are vulnerable, you can design additional training that may improve their awareness.

Your IT team can also block any risky or untrusted URLs. Versions of the same technology that stops your kids from looking at sites that can harm them can be carried over into the work environment to protect your networks.

How a Cyber Security Team Can Help

A cyber security team can assist you in multiple ways, shoring up your defenses from both the technical and the human sides. These teams can be internal, external vendors, or a combination of both.

First, they can often take the training aspect out of the hands of employee managers and put it in the hands of skilled IT professionals. They’ll stay abreast of evolving threats and work with your employees to mitigate vulnerabilities as they arise.

As Proofpoint advocates, they can also build a robust email fraud defense network that creates customized blocking and quarantine categories specific to your business. Your defenses should scan both external and internal email sources to ensure that your organization is fully protected.

They’ll also safeguard your cloud accounts. As more organizations move to the cloud, cybercriminals are following. A trained and experienced cyber security team will keep up with the latest threats and guard your accounts as those threats evolve.

Next, they can handle what happens when someone eventually does click that malicious email – because the statistics say it’s going to happen. They can put additional layers of security in place to safeguard your business from potential damage. They can also respond quickly in a time of crisis. Since this is what they do, they are specialists in reacting before substantial damage can be done and can get you back up and running more quickly than you could on your own in the event of an attack.

Protect your bottom line

Investing in your organization’s cyber security is money well spent, considering the potentially devastating cost of an attack. By targeting humans, cybercriminals are often exploiting our instincts to help others or our desire to respond when asked for something. Want to learn more about how a cyber security team can help your employees better protect themselves – and your organization? Visit our cyber security page, and then reach out to us – before it’s too late!