Cyber-criminals are no longer going only after your business software – they are going after your people. Attacks that target people rather than systems are now among the leading causes of data breaches at organizations around the world.
Experts say the reasons for this are clear. “Water flows downhill,” says Ryan Kalember, EVP of Cybersecurity Strategy at leading email security vendor Proofpoint. “It is so much easier to target a person than it is to target a sophisticated modern operating system or cloud infrastructure. Attackers are simply going after the weakest link.”
Threats that aim to compromise systems, such as viruses, ransomware and malicious URLs, remain a major challenge to businesses. But attacks that target people, such as phishing and account compromise, are now two of the leading ways that cyber-criminals defraud organizations around the world.
These threats can be highly sophisticated. Capable cyber-criminals spend considerable time researching their targets, using public sources such as LinkedIn to identify the individuals within an organization most worth attacking.
With the right person in mind, they target that individual with social engineering attacks such as phishing, aiming either to gain access to their accounts or to trick them into making a payment.
Criminals also move laterally across the organization, compromising one key account and then using that trusted access to target its contacts, inside and outside the company. Attacks of this kind fall under ‘business email compromise’ (BEC), one of many growing challenges for organizations as attackers turn to targeting people rather than systems.
Who is most at risk?
Knowing who within your organization is most at risk of being targeted is a critical first step in protecting against data breaches and financial loss.
Identifying the most targeted people within your organization means you can apply the strongest threat protection policies to those particular users.
Research from Proofpoint reveals that the most targeted people within an organization are not always who you would expect. Its 2019 Human Factor threat report found that “very attacked people (VAPs), represent a significant area of risk for organizations.”
These VAPs are not always C-level executives and company directors. “A CEO’s executive assistant is statistically more likely to be a very attacked person than the CEO,” Kalember says.
“Anyone who can move money is a likely target.”
Proofpoint’s research found that ‘very attacked people’ within an organization are most commonly those whose identities are easy to discover: 36% of highly targeted individuals had public contact details on corporate websites, social media or blog articles, and 23% of the executives most targeted by email threats had contact details that could be found with a simple Google search.
Proofpoint’s Attack Index
Proofpoint derived this data from its Attack Index, an aggregate measure of cybersecurity risk for individuals in an organization, which it provides so that organizations can allocate security controls more intelligently to the most targeted people within their organization.
“We couldn’t just count the number of attacks people were getting, because a lot of them are junk,” Kalember says. Instead, the Attack Index weighs factors such as how many organizations a given attack targeted, how advanced the attacker was and how dangerous the malware involved was, in order to measure the sophistication of the attacks a person receives rather than their raw number.
With this data Proofpoint can “take a broad look across the organization and end up seeing these patterns in terms of who is highly targeted,” Kalember says.
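As an added illustration of the idea behind such an index (example code written for this article, not Proofpoint’s actual Attack Index, whose weights are proprietary), the Python below scores each message a person receives by how narrowly it was targeted, how capable the actor was and how dangerous the payload was, then compares the resulting ranking with a naive count of messages. The tiers, weights, mailbox names and sample events are assumptions constructed for the example.

```python
"""Toy "attack index": rank recipients by the quality of the attacks they receive,
not by raw message count. Illustrative model written for this article; the
weights, tiers and sample events below are assumptions, not Proofpoint's formula."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEvent:
    recipient: str         # mailbox the message was sent to
    orgs_targeted: int     # how many organizations saw the same campaign
    actor_tier: int        # 1 = commodity spam crew ... 4 = targeted, well-resourced actor
    payload_severity: int  # 0 = junk/bulk, 1 = credential phish, 2 = commodity malware, 3 = ransomware/RAT


def targeting_weight(orgs_targeted: int) -> float:
    """Narrower campaigns score higher: a lure seen at thousands of orgs is noise."""
    if orgs_targeted <= 1:
        return 1.0
    if orgs_targeted <= 10:
        return 0.6
    if orgs_targeted <= 100:
        return 0.3
    return 0.1


def event_score(ev: ThreatEvent) -> float:
    """Score one message on a 0..10 scale. Junk (severity 0) contributes nothing,
    which is the point of the remark above that raw counts are dominated by junk."""
    if ev.payload_severity == 0:
        return 0.0
    actor = ev.actor_tier / 4
    payload = ev.payload_severity / 3
    return 10 * (0.4 * targeting_weight(ev.orgs_targeted) + 0.3 * actor + 0.3 * payload)


def attack_index(events) -> dict:
    """Per-recipient sum of event scores, rounded to two decimals."""
    totals = defaultdict(float)
    for ev in events:
        totals[ev.recipient] += event_score(ev)
    return {r: round(s, 2) for r, s in totals.items()}


def rank_by_index(events) -> list:
    idx = attack_index(events)
    return sorted(idx, key=lambda r: idx[r], reverse=True)


def rank_by_volume(events) -> list:
    """The naive approach: whoever receives the most flagged messages."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev.recipient] += 1
    return sorted(counts, key=lambda r: counts[r], reverse=True)


# Constructed sample data: the CEO gets the most mail, almost all of it bulk junk;
# the executive assistant gets a few narrowly targeted, high-tier lures.
EVENTS = [
    *[ThreatEvent("ceo@example.com", 5000, 1, 0)] * 5,
    ThreatEvent("ceo@example.com", 500, 2, 1),
    ThreatEvent("ea@example.com", 1, 4, 1),
    ThreatEvent("ea@example.com", 2, 3, 3),
    ThreatEvent("ea@example.com", 1, 4, 1),
    ThreatEvent("ap-clerk@example.com", 3, 3, 1),
    ThreatEvent("ap-clerk@example.com", 50, 2, 1),
]

if __name__ == "__main__":
    idx = attack_index(EVENTS)
    print("by volume :", rank_by_volume(EVENTS))
    print("by index  :", rank_by_index(EVENTS))
    for r in rank_by_index(EVENTS):
        print(f"  {r:<24} {idx[r]:5.2f}")
```

Run it and the CEO tops the volume ranking while the executive assistant tops the index, which is the pattern described above. The particular weights are arbitrary; what matters is that junk contributes zero and that narrow, high-tier campaigns dominate the total.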
The most attacked people within an organization vary by industry, Proofpoint’s data reveals. The most attacked industries globally in 2018 were financial services, manufacturing, technology, healthcare and retail.
However, education, heavy industry and healthcare are the industries most likely to have large numbers of specific, very attacked people inside their organizations.
Targets are always changing
Kalember says that Proofpoint has observed shifts in how very attacked people are targeted, which reveals interesting patterns.
“Right in the middle of the COVID crisis, we saw a shift from payable, administrative accounts being targeted, over to some of the clinical titles,” he says.
“We saw epidemiologists, hospice care personnel, very different people being targeted by different sets of attackers. These trends aren’t static over time.”
It’s clear that very attacked people within your organization may not always be who you first assume. Every organization struggling with cyber-threats must identify who is at risk from cyber-attacks, and put in place strong measures to protect them.
How you can protect your ‘Very Attacked People’
A crucial step in protecting your employees is making sure that anyone in your organization who can move money or access financial information has multi-factor authentication on their accounts. This stops an attacker who has phished a username and password from logging in with those credentials alone. Where possible, use phishing-resistant methods (hardware security keys or other FIDO2/WebAuthn authenticators) for these users: one-time codes and push approvals can be relayed in real time by a phishing page that proxies the legitimate login, so they offer weaker protection against exactly the targeted phishing described above.
We also highly recommend that organizations being hit by sophisticated phishing attacks implement a secure email gateway. These solutions sit in front of your email environment and block malicious inbound emails before they are delivered. They can also help you identify who the most at-risk people in your organization are, with platforms such as Proofpoint offering a large amount of data on who is being targeted.
You can read our guide to the Top 11 Secure Email Gateway solutions here.
A final step is to invest in security awareness training for your at-risk employees. These platforms teach users what phishing and social engineering attempts look like, so they are less likely to be fooled by them.
Security awareness training solutions are sometimes integrated into email security solutions, giving organizations an all-in-one platform to protect their most targeted users.
Cyber-attacks targeting people within your organization are on the rise. It’s crucial that you know who within your organization is being targeted – and put measures in place to protect them – before you’re hit with a major data breach or financial loss.