Whether through insider threats and account compromise, or targeted phishing and malware attacks, our people continue to play a huge role in modern cyber attacks. Just one errant click or hasty download can open our organisations to data loss, reputation damage and service interruption.
To protect our people and defend our data, we must look to break the attack chain as early as possible—before cyber criminals breach our perimeters. In this post, I’ll break down the importance of security culture in achieving this aim and the integral part that users play in this process.
The human hole in the attack chain
Initially coined by Lockheed Martin, the term “attack chain” or “kill chain” refers to the different stages of a cyber threat. The idea is to look in detail at how threat actors make contact, how malicious payloads are delivered and run, how data is exfiltrated, and so on.
Once you break down an attack into these phases, security teams can assess their detection mechanisms, protective controls and response plans at every stage, rather than approaching a cyber threat as one big amorphous attack to try to prevent.
We know attacks on people are not new. Attackers build a profile to establish who is likely to have access to the data or credentials they want. Their targets acquired, malicious actors will then look at the best way to compromise those individuals, whether directly via email or social media or by weaponizing a trusted third party.
In most cases, the delivery method is email for the simple reasons that it is easy, accessible, inexpensive and can be deployed at scale. It’s the perfect tool for attackers. Social media information is often used at this stage to tailor messaging to the target’s interests, taking advantage of the human element in the exploit even further. When all this social engineering comes together, it’s all too easy for the user to engage.
With an account compromised, an attacker will move laterally within networks, targeting more individuals to escalate their admin privileges. But now, the bad actor is armed with the legitimacy of a “real” internal account that other users won’t suspect is compromised.
Defence starts with awareness
People-centric cyber attacks require a people-centric defence. And the first step toward achieving that defence is awareness. Users must understand the risks they face and how they are expected to behave when they face them. That’s the baseline.
Just as we must understand the basics of the rules of the road and traffic signs before we can drive, your people must understand the security basics before they can defend your data.
But of course, we need to go further. Awareness is one thing, but actual behaviour is another.
To continue with the driving analogy, just because you know there is a 30 mph speed limit doesn’t mean you know exactly when it is applicable—or that you will stick to it. That’s why we have road signs, speed cameras and traffic police. Their equivalents in cybersecurity include awareness content, competency tests and phishing simulations to determine whether our people are performing as expected.
But what about when no one is watching? How do we reduce the risk of our people breaking the rules when they are unlikely to be caught? Well, why do many drivers obey speed limits when no one is watching? Usually, the answer is habit and societal expectations—or culture. And we must take this approach in cybersecurity, too.
The backbone of security culture
A simple starting point when building a security culture for your organisation is reminding your people of the “rules” and their responsibilities.
The more you see a 20 mph sign, the more aware you are that you should be driving at 20 mph. The same is true of regular training and visible resources around security best practices. This security awareness training ensures your people know what they should do.
Next is to focus on why it’s important. Discussions on the fatality difference between 20 mph and 30 mph, explanations of nearby school crossings, or previous accident rates at a traffic hot spot all talk to the possible consequences of driving too fast. Get this message imprinted, and users will recognize showing the right behaviours isn’t just an act of compliance, it’s important!
Finally, we want to see widespread adherence to these rules. And we want to see societal acceptance for those who decide to adhere to the rules, and pressure on those who don’t. That pressure can be subtle but effective. A user doesn’t want to be the odd one out who drives through a stop sign when everyone else stops.
The analogy isn’t perfect—few are. But by building a culture, whether for security or for driving, we can increase the chances that people will make the right choices, even if they aren’t being watched by the CISO (or the police!). At the point that your people are behaving in this way, everyone in your organisation becomes a security champion. Everyone cares about making the right choices as often as possible, giving you a strong backbone to fight cybersecurity threats.
Empowering your people to break the attack chain
A strong security culture is undoubtedly the best defence against targeted, people-centric cyber attacks. But it is not a quick fix. You cannot jump straight to it.
First, you need to understand where you are in terms of awareness. From here, you can focus on training, building knowledge, and understanding and laying the foundations of your cyber strategy. This means regular mandated learning, in context with the threats of the day, targeted at those who need it most.
The more your people know about cyber threats, the impact they can have, and their role in keeping them at bay, the quicker unsafe behaviours will change. And it is only from this baseline that you can build a security culture capable of breaking the attack chain before your perimeter is breached.
Find out more about how Proofpoint can help you to break the attack chain. Also, be sure to download the Proofpoint report, 2023 State of the Phish to learn about the biggest regional cyber threats and how to make your users your best defence.
Subscribe to the Proofpoint Blog