People-centric security: Empower your people to protect your organisation
By any metric, 2020 was a busy year for cyber criminals. A combination of COVID-related disruption and increasingly sophisticated threats saw more organisations fall victim to common cyber attacks.
Proofpoint’s 2021 State of the Phish report found that 57% of organisations suffered a successful phishing attack last year. The consequences were far-reaching and damaging. Almost two-thirds lost data as a result, with half experiencing account or credential compromise.
Another old foe, ransomware, remained a scourge for organisations in 2020. While the prevalence of attacks was similar to previous years, more organisations are playing ball and handing over ransoms. Unfortunately, with mixed results.
Of the two-thirds of organisations that suffered a ransomware attack last year, half opted to pay the ransom. Just 60% regained access to their data after the first payment. Others were met with additional ransom demands or no response at all.
That old tricks like phishing and ransomware are still fit for purpose and should worry cyber security teams. While the fallout of the pandemic certainly impacted last year’s cyber attack success rates, it was just one part of the problem.
What’s arguably more concerning is the increasingly convincing and focused nature of modern threats. Cyber criminals continue to increasingly target your people rather than your networks or infrastructure.
And while technical protections continue to advance at pace, user awareness is still not up to speed. For as long as this remains the case, organisations are effectively bolting the front door while leaving the back door unlocked.
Closing the awareness gap
User awareness is the most critical tool in your cyber defence arsenal, and as important as any technical protection or control. Despite this, it is rarely afforded the same level of focus or resource.
Almost 100% of organisations have a security training programme in place. However, a look behind that statistic reveals the true story.
For almost half of those organisations, security awareness training takes place no more than four times per year. And even then, the majority spend fewer than two hours on the subject. To compound the issue, only half carry out company-wide training, with just 60% delivering formal training sessions in-person or virtually.
This lack of comprehensive training is clearly reflected in user awareness. With high-profile attacks never far from the headlines, it will surprise many to learn that just 33% of users correctly understand the definition of ransomware. An equally concerning 65% and 63% understand malware and phishing, respectively.
While this may seem unbelievable to cyber security professionals, it highlights the gulf between recognition and understanding.
Your users may be aware of household and globally recognised brands that have fallen victim to phishing or ransomware attacks. But that doesn’t mean they understand the mechanics of the threat. And it certainly doesn’t indicate an understanding of their role in defending against it.
To close this knowledge gap, security awareness programmes must go beyond the basics of common threats, educating users on their cyber security responsibilities.
Identifying your very attacked people
In order to better protect, you must first understand who is being attacked. This can then help you to deliver the right education to the right people, based on which users are most at risk. At Proofpoint, we call those users your 'very attacked people' (VAPs).
You should let go of any preconceptions you may have when undertaking this research. Your VAPs can sit in any role at any level of your organisation. While attacks on VIPs such as board members may be more lucrative, attackers often target those lower down the hierarchy. VAPs also vary significantly between organisations and across industries.
In a recent example, Proofpoint observed that the top 20 VAPs of a large healthcare organisation were also VIPs. On the contrary, only one VIP was targeted during the same three-month span at a financial organisation.
And this is just a snapshot. Much like security awareness training, identifying VAPs is not a one-time activity. They will always change over time, with users dropping in and out of the most targeted list from month to month.
Once your VAPs are identified, you can assess their security awareness levels. With this information, you can build tailored training programmes. Programmes that deliver education in the context of individual risk profiles and focus on critical gaps in user knowledge.
This is people-centric cyber security. And it is often the only thing standing between cyber criminals and your data, networks and systems.
Building a people-centric cyber defence
Cyber criminals are steadfast in their commitment to attacking your organisation. If you fail to show the same commitment to defending it, the outcome is all but predetermined.
Technical controls, processes, and best practices are not enough on their own. User behaviour is the biggest risk factor for the modern organisation. And changing that behaviour is paramount to a robust cyber defence.
This is only possible by creating a culture in which cyber security is not just a concern for IT. It is everyone’s responsibility. This culture is nurtured through regular, in-context awareness training. Training that is tailored to your users, that is based on live threat intelligence and the ever-evolving threat landscape. The more that is known about attacks against the organisation, the better tailored the training can be.
You are not just training users to pass a test. You are training them to defend your organisation. Your security awareness training programme must reflect that. It should go beyond dictionary definitions and simulated attacks. It must focus on behaviour and how that behaviour increases risk. Involving users on a technical level can also help increase engagement.
When users understand the link between re-using a password and a data breach or clicking a link from an unknown sender and ransomware, behaviour changes: 80% of organisations say security awareness training has reduced susceptibility to cyber attacks.
Cyber security is no longer just a technical discipline. In the age of people-focused attacks, knowledge and awareness are key. The more your users know, the safer your organisation.