Combating phishing and social engineering threats [Q&A]
The majority of cyberattacks are made possible by some degree of human error. Phishing emails and social engineering continue to dominate as the most common delivery systems for an attack.
We spoke to Mika Aalto, CEO and co-founder at Hoxhunt, about why a human-focused cyber-strategy is the key to success in combating attacks, about the initiatives that organizations can implement to establish this and how he expects human-related cyber-attacks to evolve.
BN: According to the World Economic Forum, 95 percent of modern cybersecurity incidents can be traced back to human error. What has led to this?
MA: Employees and their email inboxes provide one of the simplest and most profitable paths to infiltrating corporate networks and company systems. Today, bad actors can effortlessly socially engineer unsuspecting and ill-equipped employees, far more easily than they can hack technical perimeters protected by many advanced security solutions. Given this, the vast majority of data breaches will continue to involve the human element.
The term 'human error' is technically accurate but it misplaces the blame for data breaches on people, while understating the sophistication of organized cybercrime and obscuring the danger posed by threat actors, who are globally costing businesses hundreds of billions of dollars a year. They expend great time and skill at duping people into handing over access to sensitive company data.
BN: Why are traditional approaches to changing employee security behavior failing to effectively safeguard against most human-centric attacks such as phishing?
MA: Traditional computer-based security awareness training has historically been designed and implemented in order to meet compliance requirements or, in more recent times, to reach qualifying expectations for cyber-insurance, not to change security behavior among employees or alter attitudes towards organizational risk. The quiz-based techniques offered with old-school awareness training are often too infrequent for any lessons to stick, too tedious to create enthusiasm for the subject, and too punitive to motivate engagement.
For that reason, as of 2023, more organizations are beginning to alter their approach to security training, especially as organizations face a rising number of phishing, social engineering and BEC attacks. A recent Gartner report stated that in order to re-focus security training and achieve positive change, organizations must rescope and restructure their awareness training programs and instead invest in the creation of a security behavior change and culture program, enriched in behavioral science and data analytics to improve risk posture via measurable culture change. For too long, hackers have been developing their technology and tactics and targeting people, while awareness solutions have not. This marks a significant evolution within security training.
BN: What new malicious tactics and techniques are cybercriminals utilizing to deceive employees?
MA: Strategically, attackers have increased supply chain attacks to get access to a more secure and valuable target via a less secure entity in their digital ecosystem. In terms of tools and technology, we're witnessing the dawn of a new age with the introduction of ChatGPT, bringing AI to the people. Attackers can now craft perfectly-worded phishing emails and automate highly compelling phishing campaigns in which a chatbot can 'talk' to a victim in the voice of a specific person. Deepfake audio and video also take imposter attacks to a whole different level. Aspiring hackers can even create malware without knowing how to code with ChatGPT, further lowering the barrier of entry to cybercrime.
BN: How can security operations centers handle the dramatic rise of threats being reported?
MA: The real problem is if, despite major increases in global phishing attack volume, your people aren't reporting more threats. Security teams should be seeing a steady uptick of threat reports in their threat feed that keeps pace with the steady rise in attacks. Increased human threat detection yields more threat reports to analyze, and that is a great 'problem' to have. Your humans are the eyes and ears of your security system. They will alert you to the sophisticated attacks that have bypassed your technical protections to help you catch and contain an incident before it spreads. A stagnant threat feed is a warning sign of an un-engaged security culture. A threat report is a terrible thing to waste.
Recent advances in AI make it possible to implement SIEM/SOAR automation that removes most of the time-and-resource-consuming SOC analysis work that has traditionally gone into making sense of the hundreds, or thousands, of data points populating the threat feed. Leverage a human risk management platform that does the heavy lifting for you. I've spoken with companies who have cut five full-time-equivalents' worth of SOC analyst work per month with AI-enabled automation that orchestrates threat reports, categorizes and neutralizes phishing campaigns, unclogs the threat feed of SPAM, and ultimately frees up security leaders to focus on the incidents that matter.
BN: How can CISOs and security leaders more effectively communicate the business value of achieving measurable risk reduction from the human attack surface?
MA: When communicating the value of a security program, focus on the business value that an investment is bringing and explain its ROI in business terms, not technical. CEOs and CFOs want to see a return on their investment along with increased efficiency, and a good human risk management program lends itself to the task. Behavior change data provides increased visibility into organizational risk, and the CISO can report on interventions made to mitigate that risk. Just as cars require brakes to go farther, faster, without crashing, position human risk management as a growth driver, and never as a blocker.
As training progresses, human resilience should increase, and the risk of a data breach will decrease. This relationship can be visualized with the resilience ratio, which is employee training engagement rate divided by phishing simulation failure rate. The higher the number, the more resilient your organization is. Also, keep track of the volume of detected real threats, and make sure leadership understands that each suspicious email that gets reported signifies a potential data breach that was averted as the malicious email was removed from the system.