Cyber attackers target people, exploit people, and ultimately, they are people. Assessing your user vulnerability is an essential part of good cyber defence – you need to know who in your organization is most likely to fall for a well-crafted piece of social engineering.
Social engineering works by exploiting human nature. Most people manage the volume of decisions they make in a day with a mixture of habit, trial-and-error, and cognitive biases. As demands on our time and attention increase, so does our reliance on these routine habits. Cyber attackers recognize this and target users with demanding jobs in high-pressure departments. They know that these victims may not have the time to fully scrutinize a message before clicking a link or downloading an attachment.
In practical terms, this means knowing:
Addressing those elements, the human factor of cybersecurity, is the core pillar of modern defence against cyber attacks.
Many employees work remotely or access their company email through their personal devices. They may use cloud-based file storage and have third-party add-ons installed to their cloud apps. They may handle data in riskier ways than their coworkers or they may be particularly receptive to email phishing tactics.
The easiest way to quantify vulnerability, without putting your organization at risk, is to test employee responses to simulated threats. Using phishing simulation tools is a great place to start: they provide valuable insight into your weakest links, with the added opportunity for consistent and engaging education.
It is also important to consider risk posed by insider threats – particularly as the pandemic inspired more opportunities for staff to work from home:
Attacks are the trigger point at which vulnerability and privilege are exposed. The more sophisticated or compelling the cyber attack, the more likely that even the most security-aware victim will fall prey to it. Attackers are always evolving and exposing defensive loopholes, so it is essential that automated defences are dynamic enough to respond to novel threats. Security training should also be updated regularly with details from the latest campaigns.
Privilege measures all the potentially valuable things people have access to — such as data, financial authority, key relationships, etc. Measuring this aspect of risk is crucial because it reflects the potential payoff for attackers and the harm to the organization if the user is compromised. The user’s position in the organizational chart is naturally a factor in scoring privilege, but it’s not the only factor. High-privilege users are disproportionately targeted in attacks; however, a valuable target can be anyone who allows an attacker to achieve their goal.
Also consider that privilege is perhaps the area where organizations have the highest level of potential control.
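The three factors discussed above (vulnerability measured from simulated phishing, exposure to real attacks, and privilege) can be combined into a per-person risk ranking that tells a defender where awareness training and access reviews will pay off most. The following Python script is an added example, not code from the original article or from any vendor's product. The simulation events, the attack-exposure counts, the privilege scores and the per-action weights are all constructed sample values; the multiplicative scoring is an assumption chosen to illustrate the idea, not a published model.

```python
"""
Added example: rank people-risk from phishing-simulation results,
attack exposure and privilege. All data below is constructed.
"""
from collections import defaultdict

# Constructed sample: one row per simulated phishing email delivered.
# action is one of "ignored", "reported", "clicked", "submitted_creds".
SIMULATION_EVENTS = [
    ("alice", "finance", "reported"),
    ("alice", "finance", "ignored"),
    ("alice", "finance", "clicked"),
    ("bob", "finance", "submitted_creds"),
    ("bob", "finance", "clicked"),
    ("bob", "finance", "ignored"),
    ("carol", "engineering", "reported"),
    ("carol", "engineering", "reported"),
    ("carol", "engineering", "ignored"),
    ("dave", "helpdesk", "clicked"),
    ("dave", "helpdesk", "ignored"),
    ("dave", "helpdesk", "ignored"),
]

# Constructed: real malicious messages blocked per user in the last 90 days.
ATTACK_EXPOSURE = {"alice": 40, "bob": 10, "carol": 5, "dave": 20}

# Constructed privilege scores in [0, 1]: what the account can reach.
PRIVILEGE = {
    "alice": 0.9,  # approves wire transfers
    "bob": 0.6,
    "carol": 0.4,
    "dave": 0.8,   # can reset passwords for other staff
}

# Assumed weight per simulation outcome when scoring vulnerability.
ACTION_WEIGHT = {
    "ignored": 0.0,
    "reported": 0.0,
    "clicked": 0.5,
    "submitted_creds": 1.0,
}


def vulnerability_scores(events):
    """Per-user vulnerability in [0, 1]: mean outcome weight over deliveries."""
    totals = defaultdict(float)
    counts = defaultdict(int)
    for user, _dept, action in events:
        totals[user] += ACTION_WEIGHT[action]
        counts[user] += 1
    return {u: totals[u] / counts[u] for u in counts}


def department_click_rates(events):
    """Share of deliveries per department that ended in a click or credential entry."""
    clicks = defaultdict(int)
    counts = defaultdict(int)
    for _user, dept, action in events:
        counts[dept] += 1
        if action in ("clicked", "submitted_creds"):
            clicks[dept] += 1
    return {d: clicks[d] / counts[d] for d in counts}


def attack_factor(exposure):
    """Normalise raw attack counts to [0, 1] relative to the most-targeted user."""
    peak = max(exposure.values()) or 1
    return {u: n / peak for u, n in exposure.items()}


def rank_people_risk(events, exposure, privilege):
    """Risk = vulnerability * attack exposure * privilege, highest first."""
    vuln = vulnerability_scores(events)
    attack = attack_factor(exposure)
    risk = {
        u: round(vuln[u] * attack.get(u, 0.0) * privilege.get(u, 0.0), 3)
        for u in vuln
    }
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for dept, rate in sorted(department_click_rates(SIMULATION_EVENTS).items()):
        print(f"{dept:12s} click rate {rate:.2f}")
    for user, score in rank_people_risk(SIMULATION_EVENTS, ATTACK_EXPOSURE, PRIVILEGE):
        print(f"{user:8s} risk {score:.3f}")
```

With these sample values the finance department has the highest click rate, yet the top-ranked individual is alice rather than bob: her simulated click rate is lower, but she is heavily targeted by real attacks and holds financial authority, which is exactly the point the privilege and attack sections make. Carol scores zero because she reported every lure, which is the behaviour the training programme should aim to spread.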