In cybersecurity, threats are constantly evolving as hackers try new tactics and change objectives. For example, just a few years ago, ransomware was the most discussed trend in security, but now it may be going extinct. Ransomware accounts for as little as one-tenth of 1 percent of the attacks that IT security firm Proofpoint says it sees.
People, on the other hand, do not change quickly. They have been the weakest link in the attack chain for as long as there have been cybersecurity threats, and they likely always will be. The fact is, while much is made of technically sophisticated hacks, most threat actors use a combination of cunning and social engineering to steal users’ credentials or get employees to take unwitting actions on hackers’ behalf.
So Jennifer Cheng, Proofpoint’s director of solutions marketing, wonders why organizations continue to focus most of their security efforts on technologies to protect networks from attacks or discovering and patching vulnerabilities, while paying relatively little attention to workers, beyond perhaps the occasional data hygiene training seminar.
Email Needs a Larger Share of Cybersecurity Spending
According to Gartner, 62 percent of IT security spending goes to network technologies, and another 18 percent to the endpoints. Only 8 percent is devoted to email security, even though email is by far every organization’s greatest threat vector. In its 2018 Data Breach Investigations Report, for example, Verizon notes that 93 percent of all breaches are attacks on people, and that 96 percent of those attacks originate via email.
“The threat landscape has largely been defined in recent years by social engineering,” Cheng told attendees of RSA Conference 2019, which is taking place this week in San Francisco. “The nature of the attacks are evolving. Today, attackers overall are looking to attack individuals.”
As evidence, Cheng shared an email chain, sent from a person calling himself Matthew to a woman named Ariana, who worked for a restaurant. Matthew claimed to be trying to arrange a birthday party for his son, but in reality wanted to get Ariana to open an attachment. The attachment was blocked by the organization’s anti-phishing software, but Matthew was persistent, seeking other email addresses, including personal addresses, to send it to.
How to Spot Employees Vulnerable to Phishing
Cheng noted that while hackers will try anyone, there are certain individuals within every organization who are more vulnerable to an attack than others. Identifying these VAPs — or “very attacked people,” as Cheng called them — ought to be a basic element of every organization’s cyberdefense strategy, she argued.
VAPs are defined by three characteristics, Cheng said. First, their behavior tends toward the reckless; more than other employees, they click on malicious content, fail security training, or use risky devices or cloud services. Second, they have access to valuable data because of the nature of their jobs. Third, because of the first two factors, they’re targeted more by sophisticated phishing attacks.
“Most people like to say the executives are the most attacked people in the organization, but we rarely see that,” Cheng said. More often, it’s people in customer service or other public-facing roles that require frequent email exchanges with unknown people.
Organizations can find such people manually — by checking email logs, for example, and by holding regular anti-phishing training — or they can use technology to help pinpoint their own VAPs more efficiently. “If you can identify them early, you can take action to mitigate the threat,” Cheng said.
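One way a security team could turn the three VAP characteristics above into a ranked list is shown below. This is an added illustration, not Proofpoint's scoring model and not code from the talk; the record fields, the weights and the sample users are all constructed assumptions.

```python
"""Rank users by the three VAP characteristics (risky behavior, data access,
targeting) using constructed per-user security records."""
from dataclasses import dataclass


@dataclass
class UserRecord:
    user: str
    clicks_on_malicious: int   # clicks on simulated-phish or gateway-blocked links
    training_failures: int     # failed security-awareness assessments
    risky_services: int        # unsanctioned cloud apps or unmanaged devices seen
    data_access: int           # 0 (none) .. 3 (most sensitive data), from access reviews
    targeted_attacks: int      # inbound messages the gateway flagged as targeted phishing


# Weights are assumptions chosen for illustration only.
W_BEHAVIOR, W_ACCESS, W_TARGETED = 1.0, 2.0, 1.5


def behavior_score(r: UserRecord) -> int:
    """First characteristic: reckless behavior. Clicking is weighted heaviest."""
    return r.clicks_on_malicious * 2 + r.training_failures + r.risky_services


def vap_score(r: UserRecord) -> float:
    """Combine behavior, access (second) and targeting (third) into one score."""
    return round(W_BEHAVIOR * behavior_score(r)
                 + W_ACCESS * r.data_access
                 + W_TARGETED * r.targeted_attacks, 1)


def rank_vaps(records, top_n: int = 3):
    """Return the top_n (user, score) pairs, highest risk first."""
    ranked = sorted(records, key=vap_score, reverse=True)
    return [(r.user, vap_score(r)) for r in ranked[:top_n]]


# Constructed sample: a public-facing customer-service rep, an executive,
# a developer and a contractor.
SAMPLE = [
    UserRecord("ariana.cs", 3, 1, 2, 2, 9),
    UserRecord("ceo", 0, 0, 0, 3, 4),
    UserRecord("dev.kim", 1, 0, 3, 1, 1),
    UserRecord("temp.contractor", 2, 2, 1, 0, 2),
]

if __name__ == "__main__":
    for user, score in rank_vaps(SAMPLE):
        print(f"{user:16s} {score}")
```

With these inputs the customer-service account outranks the executive, matching the pattern Cheng describes; the point is that targeting and behavior, not title, drive the list.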