The Human Factor:
How Cybercriminals Exploit Human Behavior to Breach Security
Imagine a successful cyberattack against your organization. It might involve a sophisticated piece of social engineering, a convincing lure that catches the recipient off guard. Or perhaps a clever technical exploit that bypasses your defenses.
In reality, threat actors often don’t need to work that hard. The easiest way to breach security is by exploiting the human factor.
People are essential to any robust defense strategy, yet they often represent the weakest link. Mistakes, falling for scams, or neglecting security best practices are common pitfalls. When forced to choose between convenience and security, users almost always opt for convenience. How can organizations shift this behavior?
In this article, we’ll explore how security attitudes influence real-world actions and how cybercriminals exploit our preference for speed and convenience.
Security Behaviors and Attitudes
Even the best technical defenses can be undermined if users don’t follow basic security practices, like avoiding suspicious links, verifying sender identities, and using strong passwords.
Reasons for Risky Behavior
Users take risks for various reasons, including convenience, time-saving, and urgency. This indicates that risky actions are often a conscious choice rather than a lack of awareness.
Cybercriminals exploit this, and social engineering appears in almost every email threat analyzed. Of the users who admit to taking risky actions, 58% also engaged in behaviors that expose them to basic social engineering tactics, with ransomware, malware infections, data breaches or financial loss as the result.
A Professional Perspective
IT providers and security specialists see security risk differently from end users. We are acutely aware of the threat landscape and of the severe consequences of a breach, and we understand the difficulty of securing complex, dynamic environments. That leaves us with the hard task of balancing robust security measures against the need for unhindered productivity and efficiency.
Survey data shows that we rate users with access to business-critical data as the biggest security risk (63%). This group is particularly hard to manage because their access is necessary for their work. Click-happy users and those who neglect security awareness training follow closely behind, each considered a significant risk by 56% of respondents.
Alarmingly, data indicates a significant overlap between the riskiest behaviors identified by security professionals and the most common risky actions taken by end users.
Behaviors such as reusing passwords, using work devices for personal activities, and accessing inappropriate websites are frequently cited by security teams as unsafe. The same actions appear among the top risky behaviors that users admit to. This overlap suggests that end users do not fully grasp how risky security teams consider these actions to be.
Security Awareness Trends
Training alone isn’t enough to change unsafe behavior, but lacking basic security awareness tools and knowledge makes teams more vulnerable. Awareness programs must evolve to keep pace with new social engineering techniques.
Current State of Security Awareness
The good news is that most modern businesses have some form of security awareness program. However, many struggle to drive real behavioral change.
Coverage and relevance of training topics are also challenges. While security professionals emphasize remote work, password hygiene, and internet safety, less than a third of programs cover all these areas. The most common training topics are malware, Wi-Fi security, ransomware, and email phishing. These are important but not comprehensive enough to address the full spectrum of risks.
Emerging Threats: TOAD, MFA-Bypass, QR Codes, and Generative AI
Telephone-Oriented Attack Delivery (TOAD)
TOAD attacks start with a seemingly benign message, typically a fake invoice or subscription renewal, that carries no link or attachment, only a phone number to call. Because there is nothing for URL or attachment scanning to inspect, the message often reaches the inbox. When the victim calls for help, the attack chain activates: cybercriminal call centers talk the victim through installing remote-access software or revealing sensitive information. On average, 10 million TOAD messages are sent monthly.
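The shape described above (a callback number, no link, billing urgency) can be scored at the mail gateway. The heuristic below is an added example, not code from the original article or from any product; the regexes, term list, threshold and sample messages are all constructed for illustration and would need tuning against your own mail flow.

```python
"""Added example (not part of the original article): a mail-filter heuristic
for TOAD lures. Patterns, threshold and sample messages are constructed."""
import re
from dataclasses import dataclass, field

# North American phone formats such as +1 (888) 555-0142 or 212-555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# Billing/urgency vocabulary that TOAD lures lean on (substring matches).
LURE_TERMS = ("invoice", "renew", "charged", "subscription", "refund",
              "cancel", "payment", "within 24 hours")
CALL_RE = re.compile(r"\bcall\s+(?:us|now|our|immediately|this number)")
THRESHOLD = 4   # assumed cut-off; a signature phone number alone scores 3


@dataclass
class Verdict:
    toad: bool
    score: int
    reasons: list = field(default_factory=list)


def score_toad(subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}".lower()
    score, reasons = 0, []
    phones, urls = PHONE_RE.findall(text), URL_RE.findall(text)
    if phones and not urls:
        # The defining TOAD shape: a number to call and nothing for a URL scanner.
        score += 3
        reasons.append(f"phone number {phones[0].strip()} but no link")
    elif phones:
        score += 1
        reasons.append("contains phone number")
    hits = [t for t in LURE_TERMS if t in text]
    if len(hits) >= 2:
        score += 2
        reasons.append("billing/urgency terms: " + ", ".join(hits))
    if CALL_RE.search(text):
        score += 1
        reasons.append("imperative to call")
    return Verdict(score >= THRESHOLD, score, reasons)


# Constructed sample messages (not real mail).
SAMPLES = {
    "toad_lure": (
        "Your antivirus subscription renewed - $399.99",
        "Your annual plan has been auto-renewed and your card will be charged "
        "$399.99 within 24 hours. To cancel or request a refund, call our "
        "billing desk at +1 (888) 555-0142.",
    ),
    "newsletter": (
        "October product update",
        "Read the full release notes at https://www.example.com/notes and reply "
        "to this email with questions.",
    ),
    "colleague": (
        "Lunch Thursday?",
        "Are you free Thursday? -- Pat, (212) 555-0199",
    ),
}


def classify_samples() -> dict:
    return {name: score_toad(*msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in classify_samples().items():
        print(f"{name:<11} toad={v.toad} score={v.score} {v.reasons}")
```

The lure scores 6 and is flagged; the newsletter scores 0; the colleague's message scores 3 from the signature phone number alone and stays under the threshold, which is why the phone-but-no-link signal is combined with vocabulary rather than used on its own.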
MFA Bypass
Despite being a cornerstone of corporate cybersecurity, MFA is not foolproof. Adversary-in-the-middle phishing kits place a reverse proxy between the victim and the real login page: the victim enters their password and one-time code into a page relayed from the genuine site, the proxy forwards them, and the authenticated session cookie issued by the identity provider lands with the attacker. Code-based and push-based MFA are bypassed this way; only phishing-resistant methods such as FIDO2/WebAuthn, where the authenticator signs over the origin the browser is actually on, defeat the relay. About 1 million phishing threats using the EvilProxy framework are seen monthly, yet 89% of security professionals still view MFA as a silver bullet against account takeovers.
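As an added example (not code from the original article or from any vendor), this toy simulation shows why a relaying proxy walks away with a session after password + TOTP but not after WebAuthn. The origins, the `IdP`, `RelayProxy`, `totp` and `authenticator_sign` names, and the use of an HMAC in place of the authenticator's public-key signature are all assumptions made for illustration.

```python
"""Added example, not from the original article: why a reverse-proxy
(adversary-in-the-middle) phishing kit defeats password + TOTP but fails against
WebAuthn. IdP, proxy and the HMAC 'signature' are toy stand-ins; origins are made up."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"       # assumed real identity provider
PHISH_ORIGIN = "https://login.example-com.net"   # assumed look-alike proxy host


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (6 digits, HMAC-SHA1), as the victim's phone app computes it."""
    mac = hmac.new(secret, (now // step).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def authenticator_sign(key: bytes, challenge: str, browser_origin: str) -> dict:
    """Victim's browser + security key answering a WebAuthn get(). The browser,
    not the user, fills in `origin`, so a phished user cannot 'type it wrong'."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data_json": client_data, "signature": sig}


class IdP:
    """Toy identity provider offering password + TOTP or password + WebAuthn."""

    def __init__(self):
        self.users, self.sessions = {}, {}

    def enroll(self, user, password, totp_secret, key):
        self.users[user] = {"pw": password, "totp": totp_secret, "key": key}  # toy

    def _user(self, user, password):
        rec = self.users.get(user)
        return rec if rec and hmac.compare_digest(rec["pw"], password) else None

    def _session(self, user):
        cookie = secrets.token_hex(16)   # the artifact the attacker is after
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code, now):
        rec = self._user(user, password)
        if rec and hmac.compare_digest(totp(rec["totp"], now), code):
            return self._session(user)   # nothing ties the code to a site
        return None

    def challenge(self):
        return secrets.token_hex(16)

    def login_webauthn(self, user, password, assertion, challenge):
        rec = self._user(user, password)
        cd = json.loads(assertion["client_data_json"])
        if rec is None or cd.get("challenge") != challenge or cd.get("origin") != LEGIT_ORIGIN:
            return None   # origin binding: a relayed assertion names PHISH_ORIGIN
        expected = hmac.new(rec["key"], assertion["client_data_json"].encode(),
                            hashlib.sha256).hexdigest()
        return self._session(user) if hmac.compare_digest(expected, assertion["signature"]) else None


class RelayProxy:
    """Reverse-proxy kit: serves the real login page from PHISH_ORIGIN, forwards input."""

    def __init__(self, idp):
        self.idp = idp

    def relay_totp(self, user, password, code, now):
        # The typed code is forwarded unchanged; the IdP cannot tell who sent it.
        return self.idp.login_totp(user, password, code, now)

    def relay_webauthn(self, user, password, authenticator_key):
        challenge = self.idp.challenge()   # fetched from the real IdP
        # The victim's browser signs over the origin it is on: the phishing site.
        assertion = authenticator_sign(authenticator_key, challenge, PHISH_ORIGIN)
        return self.idp.login_webauthn(user, password, assertion, challenge)


def demo(now: int = 1_700_000_000) -> dict:
    idp, seed, key = IdP(), b"victim-totp-seed", b"victim-authenticator-key"
    idp.enroll("alice", "correct horse", seed, key)
    proxy = RelayProxy(idp)
    # Victim types password + current code, then touches the key, on the proxied page.
    otp_cookie = proxy.relay_totp("alice", "correct horse", totp(seed, now), now)
    fido_cookie = proxy.relay_webauthn("alice", "correct horse", key)
    # Control: the same key used directly on the legitimate origin is accepted.
    ch = idp.challenge()
    direct = idp.login_webauthn("alice", "correct horse",
                                authenticator_sign(key, ch, LEGIT_ORIGIN), ch)
    return {"totp_bypassed": otp_cookie in idp.sessions,
            "webauthn_bypassed": fido_cookie in idp.sessions,
            "webauthn_direct_ok": direct in idp.sessions}
```

Calling `demo()` reports the TOTP session captured and the WebAuthn attempt refused while the direct WebAuthn login succeeds. The point for an awareness program is that "MFA" is not one thing: a code or a push approval travels through the proxy unchanged, whereas an origin-bound assertion cannot be relayed no matter how convincing the page looks.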
QR Code Phishing
QR codes are increasingly used in phishing to evade automated detection while presenting a familiar format to users: the URL is embedded in an image, so link scanners see nothing to rewrite or detonate. Scanning also moves the click from a managed desktop to a personal phone, outside corporate URL filtering and endpoint controls. The technique is particularly dangerous because users can't tell whether a QR code is malicious just by looking at it.
Generative AI
Generative AI can create realistic content, enhancing social engineering in messaging-based attacks. It raises the quality of lures, removing the spelling and grammar mistakes users were trained to spot, especially in languages the attacker does not speak. It also poses data loss risks when employees upload internal data to AI services such as ChatGPT and Google Bard.
Driving Behavior Change
A security awareness program is crucial but not sufficient. Data shows that while users may know the risks, they often still engage in risky behaviors. The challenge is to change this behavior, making security easier and more user-friendly.
Steps to Lead Behavior Change
- Use Threat Intelligence: Inform users about the nature and impact of threats, tailoring programs to address specific risky behaviors.
- Reduce Security Friction: Identify and alleviate bottlenecks in security processes to make compliance easier and less disruptive.
- Go Beyond Training: Foster a strong security culture through better communication, engagement, and positive reinforcement.
By integrating these strategies, organizations can enhance their security posture and reduce the likelihood of successful cyber attacks. Contact us today to learn how we can help protect your organization from evolving threats.