Understanding People Centric Attacks
According to the latest report published by the Economist Intelligence Unit, most cyber-security breaches are the result of human vulnerabilities, not of a failure in technology or process. People-centric cyber attacks are attacks such as email spoofing, phishing, ransomware and other malware campaigns aimed at a person or a group of people in order to steal valuable information such as passwords, keys, fingerprints and other credentials.
“People-centric threats — from phishing to lost or stolen devices to activity on an unsecure network to lost or stolen passwords — can be at least as crippling as more arcane technical glitches and oversights. This poses a delicate problem. While companies can exert some control by introducing better security measures such as two-factor authentication, centralised logging, and restrictions on web browsing and personal email, they must ultimately depend on human beings to follow best practices and share information about incidents, which can help them anticipate and prevent similar events.”
The report was published after surveying more than 300 corporate executives, including CIOs, CISOs and other IT executives, finance and line-of-business leaders, with roughly equal numbers located in North America, Europe and Asia/Pacific. It states that system misconfigurations and accidental exposures are the second most frequently cited vulnerability, behind only those driven by human error.
Where do attackers mostly look to exploit vulnerabilities?
Clients and customers are the group most often targeted in data breaches; the next most likely are all either employees, contractors or people closely connected to them. This finding underscores the reality that network vulnerabilities can easily extend beyond the company’s area of direct control. It also highlights the need for companies to understand the degree to which some employees, because of their visibility, work routine or level of data privilege, may be more vulnerable to attacks than others.
A high-profile employee may be the target of more sophisticated malware attacks; one who has access to the CEO may be hit by phishing attacks that spoof the CEO or other executives. Assessing vulnerability involves considering such factors as what cloud apps the employee uses, how many and what devices, their level of access, how frequently they are targeted and, of course, whether they practice good digital hygiene.
How to enhance people-centric measures to prevent cyber attacks?
Enhancing people-centric measures to prevent cyber attacks begins with pre-employment screening and background checks when hiring an employee. No organization would want to hire someone who poses a risk, would it? This is followed by requiring the employee to sign confidentiality agreements and making clear to them the legal consequences of negligence.
A concrete security policy for employees should be in place beforehand and must be communicated properly. Such a policy must clearly define employees’ access to personal email and web browsing, the monitoring of user accounts, and limits on access to specific data types. Security awareness and training sessions for both technical and non-technical employees must be conducted regularly to familiarize them with the latest security trends.
Note — This article is based on a briefing paper titled “Cyber insecurity: Managing threats from within”, published by the Economist Intelligence Unit and sponsored by Proofpoint. To prepare the report, the EIU surveyed more than 300 corporate executives, including CIOs, CISOs and other IT executives, finance and line-of-business leaders, with roughly equal numbers located in North America, Europe and Asia/Pacific.