Human Risk Management and Security Awareness Training


A notable statistic has appeared in the cybersecurity research landscape: phishing and pretexting accounted for 73% of breaches in 2023. That’s according to the 2024 Verizon Data Breach Investigations Report, and the alarming use of humans as a vector for initial access is mirrored elsewhere. Arctic Wolf found that 24.4% of our Arctic Wolf® Incident Response engagements involved user action (that number more than doubles to 53.7% if you include business email compromise), and according to the Identity Defined Security Alliance, 90% of organisations have experienced at least one identity breach in the past 12 months.

Numbers aside, one only needs to look at a headline-dominating breach from 2023 to see that threat actors are turning their sights toward the human element of an organisation’s environment. MGM suffered a massive breach that cost the organisation millions of U.S. dollars and created extended downtime in the summer of 2023, and the entire incident began with a phishing phone call to a third-party IT help desk. One call and one set of credentials started an extensive domino effect.

With these trends, two new terms have emerged: human risk and human risk management. They are more than just buzzwords repeated at tech conferences. To stay ahead of threat actors’ evolving tactics, organisations need to focus their security efforts on their employees and users, and work to reduce the risk those users create within the attack surface.

What is Human Risk?

Human risk is the possibility of errors a user can make, whether intentional or accidental, that lead to a cybersecurity incident or compromise valuable assets within an organisation.

As organisations turn to web-based applications, adopt hybrid work models, and embrace digitisation, this risk grows. Users now use credentials to log into mission-critical applications, which creates a massive risk if those credentials or that access were to be compromised.

Take phishing, for example. It is a widely popular and reliable tactic for threat actors: a phishing email can be sent to an organisation’s growing user base, and if one user falls for the attempt, a threat actor can use the captured credentials to gain initial access, then use further social engineering to move deeper into the environment and launch a sophisticated attack. As both the use of phishing and an organisation’s reliance on credentials, applications, and users grow, so does human risk.

How Does Human Risk Turn into Threats and Incidents?

As shown above, it only takes one employee falling for a single social engineering tactic for an incident to start taking shape. Threat actors know this, so they use this human risk to their advantage by leveraging a variety of tactics that prey on users.

Take credential theft, which is a growing threat to organisations across industries. Credential theft can occur in many ways, including credential stuffing, social engineering, and the reuse of passwords across applications. According to Verizon, 40% of breaches in 2023 involved credential misuse and 76% of social engineering attacks resulted in compromised credentials.

Credential theft, which provides initial or deeper access for a threat actor, can lead to sophisticated attacks like business email compromise (BEC). A recent Arctic Wolf survey found that 70% of organisations were the targets of attempted BEC attacks within the last year. Users are not only the ones who can unknowingly provide the credentials threat actors need to launch a BEC attack; they are also becoming the victims of those attacks. Threat actors are seeing this growing risk and, based on these statistics, using it to accelerate their cybercrime.

It’s important to note that human risk isn’t created solely by individual user complacency. As we’ll discuss further down, there are several factors that can increase this risk, from a lack of proper access controls such as multi-factor authentication (MFA), to a lack of visibility and monitoring, to a lack of proper security awareness training. As such, human risk doesn’t have to be accepted by organisations. As this specific attack surface grows, there are a myriad of steps organisations can take to manage it, from both a training and a technical perspective.

What is Human Risk Management?

A newer term, human risk management is the process of identifying, assessing, and mitigating human risks within your organisation’s environment. Just as an organisation mitigates cyber risk through vulnerability management, detection and response, and even incident response (IR) planning, a business needs to assess and reduce the risk created by the humans within its environment.

Forrester, which has helped establish the term, defines human risk management as “solutions that manage and reduce cybersecurity risks posed by and to humans.”

Human risk management can be achieved in many ways, and like vulnerability management, it should be ongoing, with multiple components working in tandem. If you deploy one component without the others, you’re essentially ignoring part of your attack surface.

Human risk management should include:

  • Identity and access management (IAM) to ensure users’ identities are properly provisioned and monitored in the event they are targeted by a threat actor
  • Identity threat detection and response (ITDR) to swiftly respond to unusual identity-based behaviour, such as suspicious logins to an application
  • Access controls such as MFA, which act as a secondary barrier in case a user makes a mistake and gives away credentials, or those credentials are stolen, captured, or discovered in another breach
  • Security awareness training to help users understand the risks they create, how they are targeted by threat actors, and what actions they can take to both reduce risk and respond to threats
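
To make the ITDR and MFA bullets concrete, the following is an added example (not Arctic Wolf’s code or any product’s logic) of toy detection rules run over a handful of constructed authentication log lines. The log format, IP addresses, usernames and the five-account threshold are all assumptions chosen for illustration; it flags credential stuffing (one source failing against many accounts) and a successful login that bypassed MFA on an account that had just seen failures.

```python
# Added example, not Arctic Wolf's code: toy ITDR-style rules over
# constructed auth events. Format (assumed): ts ip user RESULT mfa=yes|no
from collections import defaultdict

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-06-01T08:00:01Z 203.0.113.7 alice FAIL mfa=no
2024-06-01T08:00:02Z 203.0.113.7 bob FAIL mfa=no
2024-06-01T08:00:03Z 203.0.113.7 carol FAIL mfa=no
2024-06-01T08:00:04Z 203.0.113.7 dave FAIL mfa=no
2024-06-01T08:00:05Z 203.0.113.7 erin FAIL mfa=no
2024-06-01T08:00:06Z 203.0.113.7 erin SUCCESS mfa=no
2024-06-01T08:05:00Z 198.51.100.2 alice SUCCESS mfa=yes
2024-06-01T08:06:00Z 198.51.100.9 frank FAIL mfa=no
2024-06-01T08:06:30Z 198.51.100.9 frank SUCCESS mfa=yes
"""

def parse_events(text):
    """Parse the assumed whitespace-separated format into dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result, mfa = line.split()
        events.append({"ts": ts, "ip": ip, "user": user,
                       "ok": result == "SUCCESS", "mfa": mfa == "mfa=yes"})
    return events

def detect(events, stuffing_threshold=5):
    """Return (rule, detail) findings; threshold is an assumed tuning value."""
    findings = []
    failed_users_by_ip = defaultdict(set)   # distinct accounts failed per source
    failed_users = set()                    # accounts that saw any failure
    for e in events:
        if not e["ok"]:
            failed_users_by_ip[e["ip"]].add(e["user"])
            failed_users.add(e["user"])
        elif not e["mfa"] and e["user"] in failed_users:
            # Success without MFA right after failures on the same account is
            # the stolen-credential case the MFA bullet describes.
            findings.append(("success_without_mfa_after_failures",
                             f"{e['user']} from {e['ip']} at {e['ts']}"))
    for ip, users in failed_users_by_ip.items():
        if len(users) >= stuffing_threshold:   # one source, many accounts
            findings.append(("credential_stuffing",
                             f"{ip} failed against {len(users)} accounts"))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(rule, "->", detail)
```

Frank’s failed-then-successful login is not flagged because the success was MFA-protected, which is the point of treating MFA as the secondary barrier.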

While an organisation should do all of the above and continually assess and harden its human attack surface, it is security awareness training that should be the focal point of any human risk management programme. This training can help change an organisation’s security culture and vastly reduce human risk in a proactive manner.

Human Risk Management and Security Awareness Training

Human risk management cannot be achieved without security awareness training, and the data shows that organisations are investing in this training to reduce their human risk. According to an Arctic Wolf survey, 88% of organisations currently use some form of security awareness programme internally. That’s an impressive number. However, what kind of security awareness training these organisations use, and how that training affects their employees, matters much more.

If we look back at Forrester’s definition, it states that the solutions an organisation employs should not only quantify risk, measure it, and adjust policies and training as risk changes, but should have a goal where “satisfying requirements for security awareness training is a secondary use case for human risk management solutions while the focus stays on changing behaviours and promoting security culture.”

Showing your employees one video annually on phishing or industry compliance won’t change the organisation’s security culture, let alone make sure they are up to date on current threats and ready to defend themselves and the organisation. Human risk management needs to go beyond checking a box.

Arctic Wolf Managed Security Awareness® is fully focused on human behaviour, organisational culture, and the use of both content and data that actively reduces human risk. This solution offers fresh, easy-to-absorb content, phishing simulations, and more, and is just one part of the Arctic Wolf suite that helps organisations harden their attack surface. Arctic Wolf® Managed Detection and Response (MDR) monitors identity sources 24×7, and our Security Teams work directly with IT teams to implement access controls and other identity-hardening measures.

Start your human risk management journey with our Complete Security Awareness Program Plan and Strategy Guide.

Explore how threat actors are targeting your users, and how you can fight back with our 2024 Arctic Wolf Labs Threat Report.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.