[BreachExchange] Shifting Your Cybersecurity Strategy to Stop People-Centric Threats

[Destry Winant]

https://securitycurrent.com/shifting-your-cybersecurity-strategy-to-stop-people-centric-threats/

Keeping companies safe from determined cybercriminals is an everyday
battle as threats continue to evolve and business practices change.
For many security teams, the question remains: What steps should
organizations take today, and what should they anticipate tomorrow?

According to Bhagwat Swaroop, EVP of email security for global
cybersecurity company Proofpoint, the threat landscape has shifted
away from traditional hacking of computers and networks. Now there are
targeted attacks against people, specifically tricking users into
clicking on nefarious content or taking an ill-fated action. These
technically simple yet customized attacks often use social engineering
to con people into becoming unwitting accomplices.

As a result, organizations need to look beyond firewalls and filters
and adopt a “people-centric” approach to enterprise security.

While the nature of today’s cyberthreats has shifted, the main attack
vector remains email. According to Verizon’s 2018 Data Breach
Investigations Report (DBIR), email served as the main entry point in
96 percent of data breach cases. Because of this dynamic, Swaroop
believes it is crucial that organizations prioritize security
resources around their biggest challenge and most vulnerable
communication channel, email.

Compounding the problem, employees can’t always recognize fraudulent
emails aimed at stealing their credentials or getting them to wire
funds. “While the security team is rightfully concerned with putting
security solutions in place, it only takes one employee to unwittingly
click on one suspicious email to let the bad guys in,” Swaroop notes.
“That human tendency is just one reason why every security program
needs to include security awareness training as part of its strategy.”

Earlier this year, Proofpoint commissioned a survey which found that
77 percent of global IT decision makers believe that their company is
either “likely” or “very likely” to be targeted by email fraud in the
next year. Email fraud attacks generally don’t contain malware
payloads, but do resemble actual company emails by employing the same
wording, logos, and familiar references to impersonate a trusted
entity. They can also spoof real identities by masking fraudulent
addresses.

“Social engineering is easy for bad guys to do,” Swaroop says. “They
simply conduct search engine or LinkedIn research on their potential
victim. It’s much easier and far less expensive than cracking an
encrypted database or finding a backdoor into a corporate network. Why
would cybercriminals go through the trouble of trying to break through
the door when an employee can open it from the inside with a simple
click? That’s why phishing campaigns are particularly prevalent now –
they’re quick, easy, cheap, and highly effective.”

Phishing attacks are also very effective in industries that regularly
deal with outside vendors. “If I get an email from somebody in the
same company, I might already know the individual and can always pick
up the phone and confirm that the person who sent me the email is the
person I know,” Swaroop says.

But when you work in a large network of sister companies, partners,
outside vendors or third-party suppliers, you often must trust
strangers at face value. Transactions happen at arms’ length, and the
employees making the payments are not always the employees with the
relationship to the organization, making verification a more
cumbersome task.

Attackers’ mindset

Once they’re in, what are attackers after? While their motives are
often financial in nature, there are other possibilities as well.
These include accessing embarrassing information, mapping out an
organization’s organizational chart for future attacks, hijacking an
email conversation, obtaining trade secrets, or stealing intellectual
property.

“It’s a spectrum,” Swaroop says. “Whatever the motive, the cost and
difficulty for launching a phishing attack is marginally low – almost
zero. For the victims, however, it’s a different story.”

Often when an employee’s personal information is stolen, it has
lasting consequences. One of the most insidious things about phishing
attacks is how swift they can occur without the victim’s knowledge.
There’s also the residual damage inflicted onto others. “One
compromised employee can expose their entire company to the same
threat—all it takes is one click,” Swaroop says.

Doing something

So, what is the ideal security solution? Foremost, Swaroop believes
organizations must think from an attacker’s perspective and understand
who is being targeted, through what means, and their role in the
company.

Attackers typically pursue people with access to important data and
those who are likely to make a mistake and expose a critical cache of
information. Once organizations understand who among their employees
are the most targeted, they can develop a people-centric security
strategy to best protect them. Keep in mind at some companies a
compliance officer might be a bigger target than the COO. It’s all
about who can access what data.

“In the end, it’s a numbers game. Think about an organization being
targeted by hundreds of attacks. If there are methods you can put in
place that automatically block 95 percent of those attacks in the
cloud before they hit the email gateway, then your security team is
working with a much more manageable number,” Swaroop says.

Organizations should also put systems in place like sender
authentication, dynamic email classifications, machine learning
capabilities and display name spoofing defense techniques. They should
be on the lookout for any shady domain names that almost match a
website. It’s also important to complement security technology with
consistent employee security awareness training.

“Each of these best practices protects a certain percentage of attack
vectors,” Swaroop said. “A combination of all these techniques applied
together should put organizations in a better position to prevent
email fraud.”