When it comes to analysing your attack surface, you’re probably assessing vulnerabilities, monitoring your firewall, tracking email security, and managing your identity and access management. But there is one part of the attack surface that often gets overlooked, and for that reason threat actors are targeting it with increased frequency, causing it to jump to the top of the initial access methods list: the human element.
The human element, meaning your organisation’s employees or users, is involved in a significant share of incidents and breaches. According to the 2023 Verizon Data Breach Investigations Report, 74% of breaches involved the human element, including “error, privilege misuse, use of stolen credentials, or social engineering.” Isolating social engineering, Verizon saw that factor in 17% of breaches and 10% of incidents in 2022. Phishing, a specific social engineering tactic, was seen in 6% of cases.
Those numbers show a clear trend of threat actors seeking out users and exploiting them to gain access and launch cyber attacks.
And yes, while humans are a target, they are not, despite what some claim, a weak link. Just as a firewall or an MDR solution is, users can be a major line of defense and a crucial part of the security environment.
What Causes a Data Breach: Human Error
Threat actors prey on users because they hold the keys to the castle. They have credentials that can be stolen, especially with poor password hygiene, their endpoints have access to a variety of applications and assets, they often have privileged access to sensitive information, and, unfortunately, they often aren’t well trained in preventing these kinds of attacks.
Arctic Wolf’s 2022 data mirrors Verizon’s, with user action comprising 28% of all root points of compromise, and social engineering accounting for 16% (12% phishing, 4% other social engineering tactics).
Social Engineering Tactics
The scenario is a common one: an unsuspecting user gets an email that looks like it’s from IT, asking for access to an asset or for login credentials. The user, without thinking, clicks the provided link, and a cyber incident begins thanks to a successful phishing attack. Phishing is currently the most prevalent of all social engineering tactics, which is why it’s separated out in the data above. It can be used to steal credentials and gain access to applications, and it can be utilised during multiple stages of a cyber attack.
There are plenty of other social engineering tactics threat actors use, from smishing to spear phishing to business email compromise (BEC), which often makes up its own category as an attack vector, and all of them prey on human psychology to succeed. They hope the user is trusting, and possibly in a hurry, so they will agree to the request or click on the link without taking the time to think about it. It’s simple, and as shown above, wildly successful.
It’s not your users’ fault, however. They aren’t the weakest link, and they aren’t doomed to be an unmanageable part of the attack surface. They just need proper training to become part of the security environment and help reduce risk.
How a Lack of Security Training Increases Human Risk
The issue with training is that many organisations are not conducting it effectively.
According to the Arctic Wolf 2023 Trends Report, 40% of organisations are looking to upgrade their security awareness training in the next 12 months. That statistic is encouraging, but also shows how unprepared those organisations currently are.
Not having adequate training can put your users in a position where they are not only unclear on how to protect themselves and their organisation’s data, but they also don’t know what threats even exist, or why staying secure should matter. It creates a culture of apathy where security is not seen as a priority. In the same way that a lack of endpoint monitoring implies your organisation doesn’t value visibility into your security environment, a lack of proper training implies a lack of caring about user security.
That apathy is what threat actors are taking advantage of.
How To Prevent Human Error in Cybersecurity
There are many ways to reduce the risk of human error. From the technical to the psychological, it’s best if an organisation takes a holistic approach, utilising multiple methods to create layers of defense.
Organisations can prevent human error by investing in effective security awareness training.
Security training for users is effective when it:
- Utilises up-to-date content that reflects current threats users may face
- Empowers users to be the first line of defense, and doesn’t shame them when they lack knowledge
- Uses phishing simulations to help users see what real-world attacks look like
- Employs microlearning to help users remember vital nuggets of information instead of packing it all in annually
- Fosters a culture of security at every level of your organisation
As mentioned above, a strong defense is a holistic one, so in addition to security training organisations should employ other methods to neutralise social engineering attacks and reduce human error. Those techniques include:
- Implementing multi-factor authentication (MFA)
- Investing in identity and access management that follows a Zero Trust framework
- Utilising email security that can identify possible phishing threats
- Using a monitoring solution that can detect and respond to threats such as suspicious logins or concerning user behavior
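To make the last point concrete, here is an added example (not Arctic Wolf’s code, and not the logic of any particular monitoring product) of two simple “suspicious login” rules run over constructed authentication log lines: a burst of failed logins followed by a success, and a successful login from a second country within an hour of the previous one. The log format, user names, IP addresses and thresholds are all assumptions made for the illustration.

```python
"""Added example: two detection rules over constructed auth log lines.

Not Arctic Wolf's code. The log format (timestamp user RESULT ip country),
the sample users and IPs, and the thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. RFC 5737 documentation addresses are used as IPs.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z alice FAIL 203.0.113.10 US
2024-03-04T09:00:05Z alice FAIL 203.0.113.10 US
2024-03-04T09:00:09Z alice FAIL 203.0.113.10 US
2024-03-04T09:00:12Z alice FAIL 203.0.113.10 US
2024-03-04T09:00:15Z alice FAIL 203.0.113.10 US
2024-03-04T09:00:20Z alice OK 203.0.113.10 US
2024-03-04T09:05:00Z bob OK 198.51.100.7 DE
2024-03-04T09:30:00Z bob OK 198.51.100.7 DE
2024-03-04T09:31:00Z bob OK 192.0.2.44 BR
2024-03-04T10:00:00Z carol OK 198.51.100.20 DE
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ok: bool
    ip: str
    country: str


def parse(log_text: str) -> list[Event]:
    """Parse the hypothetical whitespace-separated log format into events."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, result == "OK", ip, country))
    return events


def detect(events: list[Event],
           fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=10),
           travel_window: timedelta = timedelta(hours=1)) -> list[tuple]:
    """Return (rule, user, timestamp) alerts.

    Rule 1: >= fail_threshold failures within fail_window, then a success.
    Rule 2: a success from a different country than the user's previous
            success, within travel_window of it ("impossible travel").
    Thresholds are assumed values, not recommendations.
    """
    alerts = []
    recent_fails: dict[str, deque] = defaultdict(deque)  # user -> fail times
    last_ok: dict[str, tuple[datetime, str]] = {}        # user -> (ts, country)

    for e in sorted(events, key=lambda ev: ev.ts):
        q = recent_fails[e.user]
        # Drop failures that fell out of the sliding window.
        while q and e.ts - q[0] > fail_window:
            q.popleft()

        if not e.ok:
            q.append(e.ts)
            continue

        # Successful login: check both rules.
        if len(q) >= fail_threshold:
            alerts.append(("brute_force_then_success", e.user, e.ts))
        q.clear()

        prev = last_ok.get(e.user)
        if prev and prev[1] != e.country and e.ts - prev[0] <= travel_window:
            alerts.append(("impossible_travel", e.user, e.ts))
        last_ok[e.user] = (e.ts, e.country)

    return alerts


def run_sample() -> list[tuple]:
    """Run both rules over the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts.isoformat()} {rule} user={user}")
```

Country-level “impossible travel” is deliberately crude here (VPNs, mobile carriers and cloud egress all produce false positives); production tooling usually reasons about geolocation distance over time and a per-user baseline, and pairs these signals with MFA so that a stolen password alone does not yield a clean “OK”.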
Learn more about how to instill a culture of security with our complete guide to security awareness training.
Better understand how your organisation’s users are targeted with our Big Business of Cybercrime report.