‘Human Factor’ Report Is a Rally Cry for People-Centered Security

May 10, 2018
Gretel Egan

The Human Factor 2018 by Proofpoint, our parent company, is a report that cuts to the chase in its subtitle, “People-Centered Threats Define the Landscape.” The report is a virtual treasure trove of information, and its data make one thing crystal clear: end users are increasingly targeted within organizations, and cybercriminals are using human exploits to their advantage.

Proofpoint noted that there is still a healthy mix of widespread attacks — like “massive, indiscriminate campaigns in email and social channels” — and more pointed attacks, like those perpetrated by “state-sponsored groups and financially motivated email fraudsters” and attackers seeking to compromise cloud-based platforms. But regardless of the scale or scope, the red thread is cybercriminals’ focus on end users, as the report explains:

Key Data Points

The Human Factor 2018 examines social engineering trends related to phishing emails, malware, social media-based threats, and more. Here are some of the key findings:

  • The brand equity of large enterprises is under attack, with suspiciously registered domains outpacing defensive brand-registered domains at a ratio of 20 to 1.
  • Millions of users faced malvertising campaigns that featured fake browser and plugin updates laden with dangerous software and exploit kits.
  • Cybercriminals are leveraging the lure of pirated content in their social media-based attacks. Approximately 35% of these scams tempted users with video streaming and movie downloads.
  • While Proofpoint found that a “disproportionately high volume of phishing…used lures associated with the Dropbox file-sharing service,” emails disguised as DocuSign messages were far more likely to fool recipients into clicking. In fact, “click rates for DocuSign lures were the highest at over five times the average click rate for the top 20 lures.”
  • More than 82% of malicious emails included ransomware or banking Trojans.
  • Organizations in education, management consulting, entertainment, and media were most likely to face email fraud — also known as business email compromise (BEC) — while the construction, manufacturing, and technology industries were most frequently targeted by more traditional phishing attacks.

Advice for Improving Defenses and Minimizing Risk

Proofpoint offers the following five pieces of advice, which can help organizations take a more user-centric view of cybersecurity:

  • Train your people to spot attacks that target them.
  • Get advanced threat analysis that learns and adapts to changing threats.
  • Deploy DMARC authentication and lookalike domain (typosquatting) defenses.
  • Get visibility into the cloud apps, services, and add-ons your people use.
  • Automate some aspects of detection and response.

For more details about the report’s findings and how to implement a people-centered approach to security that includes security awareness training, download a copy of The Human Factor 2018 from the Proofpoint website.