
"See Yourself in Cyber": Human Factor in Cybersecurity

October 5, 2022

The 2022 Cybersecurity Awareness Month focuses on the "people part" of cybersecurity. Learn about the human factor and how hackers use their creativity to exploit human-related vulnerabilities.

Since 2004, the U.S. President and Congress have declared October to be Cybersecurity Awareness Month. The initiative is aimed at promoting cybersecurity hygiene and helping individuals and businesses protect themselves against threats to technology and confidential data. The October 2022 campaign is dedicated to the "people" part of cybersecurity and runs under the common theme See Yourself in Cyber. Cybersecurity may seem like a complex subject, but ultimately, it's all about humans. Trained and qualified people can strengthen any technology, but a lack of awareness leads to substantial cybersecurity gaps. While businesses understand the importance of educated personnel, hackers are becoming smarter and more creative, too, and they devise new, sophisticated ways to exploit human-related vulnerabilities. Do you know what Netflix's Squid Game and the Dridex banking Trojan have in common? Or would you like to learn how smartphones can harm your business? Spoiler: these are all about human factors in cybersecurity. In this article, you will learn how threat actors use their creativity to exploit these vulnerabilities and what businesses can do to minimize the human factor in cybersecurity.

Human Factor in Cybersecurity is Attached to Most Data Breaches

The human factor in cybersecurity refers to actions (or non-actions) and events that result in a data breach, whether related to stolen credentials, phishing, or simply misuse or an error. The human element was attributed to 82% of breaches in 2022 so far, the 2022 Verizon Data Breach Report states. Regardless of the reason, the cost of human error adds up. According to the IBM investigation, the average price of data breaches caused by human error stands at $3.33 million. Impressive, isn't it? And this may become an unbearable burden for many businesses.

Hackers Use Any Opportunity Presented by People

To address the human factor in cybersecurity, companies must understand how hackers detect and exploit human-related vulnerabilities. Proofpoint’s 2022 Human Factor Report shows 2021 as a year when cybercriminals were highly creative and applied increasingly sophisticated methods to use any opportunity presented by people.

Smartphones are the Keys to Personal and Professional Lives

54% of people use their personal phones for work purposes, as Proofpoint's 2022 Human Factor Report states. For employees, this blurs the line between personal and professional life and makes them vulnerable to cyber threats. For hackers, it means the ability to access employees' credit card information as well as their employer's network. This makes smartphones a desirable target for cybercriminals. A commonly used tactic for smartphone penetration is SMS phishing, or simply "smishing." When launching a smishing campaign, hackers rely on psychological triggers, as people tend to be much more responsive to mobile messages than to e-mails. Smishing attempts more than doubled in the US over the year. In addition, cybercriminals initiated more than 100,000 telephone-oriented attacks a day.

Cloud Account Compromise

Along with phishing, cloud attacks have become a permanent feature of the modern threat landscape. Over 90% of cloud tenants were targeted every month in 2021. A quarter of those were attacked immediately, while 65% were compromised during the course of the year. Brute-force attacks are the most common method of cloud account compromise. At the same time, Microsoft OneDrive and Google Drive are the cloud infrastructure platforms most commonly attacked by threat actors. On average, approximately 10% of organizations were found to have at least one authorized, active malicious application in their environment.

High-Privilege Users are at Higher Risk

Hackers target businesses' higher-ups. Managers and executives make up only 10% of overall users within organizations. At the same time, this group represents almost 50% of the most severe attack risk, as Proofpoint's Report estimates. Similarly, departments that deal with sensitive information, e.g., finance and human resources, are at higher risk than other departments. Hackers assess privilege-based vulnerabilities and exploit them for their criminal purposes.

Remote Work-Specific Data Breaches

The COVID-19 pandemic has become the main accelerator of remote work. It also opened a pathway for cybercriminals to target victims working remotely. According to the IBM Data Breach Report 2022, the average cost of a data breach was more than $1 million higher when remote work was a factor than in breaches where it was not.

Attackers Piggyback on Pop Culture

We know about malicious activities around tax returns, seasonal holidays, and job listings. Read more on this in our article Stay Safe from Cybercrime amid Vaccination and Tax Time. Nowadays, attackers have gone even further, devising more sophisticated attack methods. Threat actors use popular figures such as pop stars, actors, and even popular shows and series in their lures. For instance, criminals profited from the Netflix series Squid Game. In October 2021, after the series captivated a global audience, criminals sent Squid Game-themed emails to victims in the U.S. The hackers promised early access to the next season and even the opportunity to be cast in future episodes. Once victims were persuaded to download the attached file, the Dridex banking Trojan was installed immediately, and their data were compromised. Campaigns like this appear in the landscape as quickly as cultural moments or news events inspire them. So, businesses must keep track of them and apply automated email defenses capable of spotting dynamic threats as they emerge and recede.

Recommendations on Dealing with Human-Related Vulnerabilities

This list of vulnerabilities is incomplete and may be updated as quickly as new opportunities arise. Businesses must implement special measures to minimize these human-based vulnerabilities and safeguard their operations. CISA and the NCA highlight key action steps that everyone should take to strengthen the human firewall:

In addition to the CISA recommendations, we add some other tips that will help your business stay safe.

Conduct Security Awareness Training

Create a solid human firewall: a virtual line of defense formed by people to combat an organization's security threats. One way to strengthen the human firewall is to conduct regular security awareness training and supplement it with strong technical access controls. To learn what security awareness training is and how it should be conducted, read Security Awareness Training: Important Things to Know.

Use a VPN when Accessing Public Wi-Fi

To minimize human factor risks, organizations should treat all Wi-Fi encryption standards as flawed and not to be trusted (remember the zero trust approach). Using a Virtual Private Network (VPN) on a personal smartphone or laptop outside the office adds a protection layer that keeps data safe. A VPN installed on your employees' mobile devices protects their online activity from falling into the wrong hands via unsecured Wi-Fi hotspots. So, employees can work at home, in a cafe, or even at the airport with more protection.

Use MFA as a Countermeasure to Password-Based Vulnerabilities

MFA (Multi-Factor Authentication) is an authentication method that requires users to provide two or more verification factors to access a resource. The additional factor comes from one of three categories: knowledge (a password or PIN), possession (e.g., hardware MFA tokens, smartphones), and inherence (fingerprints or voice recognition).

Manage Access Properly

With many existing accounts and a dynamic workforce (new hires, promotions, relocations, etc.), granting and maintaining the right access for the workforce can be messy. Establish a robust process to ensure that access on all systems is current and granted on a "need-to-know" basis. Remember, new tips and recommendations will arise as hackers invent new methods to exploit human-related vulnerabilities. Be aware of the principal human-related vulnerabilities and #SeeYourselfInCyber. Follow up on our recommendations, and feel free to contact Planet 9 if you have any questions. We'll be happy to assist!
