Elevate Security has published its inaugural report on the effect of human error on organizational security. The Berkeley, CA-based company found that a lack of human risk management is the leading cause of cybersecurity incidents across organizations of every kind.
Cybersecurity training for employees does not necessarily reduce security incidents at organizations and may even have the opposite of the desired effect, according to a new study by Elevate Security. The study, conducted together with the Virginia-based cybersecurity research firm Cyentia Institute, found that as users complete more cybersecurity training they tend to click more phishing links, not fewer, and that a zero click rate on phishing links is nearly impossible to achieve.
The company also found, in its Human Attack Surface Management report, that although security training lowers phishing click rates under simulation, its effect at the organizational level, or against real-world attacks, remains questionable at best.
The report argues that an organization's security is only as good as its management of human risk. Human risk factors are a key reason behind 88% of the total losses from cybersecurity incidents in the last five years, amounting to $15 billion. Threat actors know this, which is why phishing, which relies heavily on social engineering, remains one of the most popular attack vectors today.
According to Webroot, three out of ten workers worldwide clicked a phishing link in 2020, an unusually high number. The reason? It may have something to do with the expectations of a reward based on past behavior.
A global survey of phishing attacks conducted last year observed: “People aren’t great at handling uncertainty. Even those of us who know we shouldn’t click on emails from unknown senders may feel uncertain and click anyway. That’s because we’ve likely all clicked these kinds of emails in the past and gotten a positive reward. The probability of long-term risk vs. short-term reward, coupled with uncertainty, is a recipe for poor decision-making, or, in this case, clicking what you shouldn’t.”
Here the findings from Elevate Security’s report are eye-opening.
Webroot concluded that more training saves people from falling prey to phishing. Philipp Karcher, principal product manager at Carbonite + Webroot, both OpenText companies, said, “If you want people to make lasting changes to their behavior, you have to run consistent, relevant training courses and phishing simulations that are also varied enough that people won’t get bored or find them predictable.”
“Running a second simulation makes a dramatic impact — and it only gets better from there,” Karcher added. Can it, though?
Findings From the Report
Data shows that simulations do help, but only to a certain extent.
The graph (not reproduced here) plots the number of simulated phishing emails clicked against the number sent. As more simulation emails are sent, the number clicked falls consistently. However, the regression curve flattens toward the end as simulation frequency increases, indicating that in practice the click rate never reaches zero.
Masha Sedova, co-founder and chief product officer of Elevate Security, said, “With nearly two-thirds of data breaches tied to human risk, we sought to truly understand the root cause – human error, which has long been considered one of cybersecurity’s longest unsolved problems.”
“The data found conclusively that traditional security awareness training and mock phishing exercises have little effect on protecting the organization. These one-size-fits-all programs fulfill compliance and audit purposes but aren’t doing a good job at actually reducing risk,” she added.
The practical effect of cybersecurity training remains largely unchanged, as seen in the second graph (also not reproduced here).
So there will always be a small subset of employees who inadvertently jeopardize the security of an organization. This makes human risk a significant, if not the most prevalent, factor in an organization’s security. One thing to note is that an organization’s size plays a big role in the maturity of its security posture: the larger the organization, the lower its chance of being compromised through its human attack surface.
According to Elevate, the human attack surface is the sum total of people’s actions, access, and security controls that affect an organization’s risk. A weak human attack surface reflects weaknesses in the organization’s security posture that are introduced by its employees. Internal actors are behind 30% of breaches, according to Verizon’s 2020 Data Breach Investigations Report.
Besides phishing, malware-based attacks are another threat to organizations’ security hygiene. The report finds that 6.6% of users, 30.8% of departments, and 100% of organizations download and/or execute malware.
Sedova, a former senior director for trust engagement at Salesforce, co-founded Elevate Security in 2017 along with the company’s current CEO, Robert Fly, with a mission to help organizations understand the risks arising from human error and harden their security posture.
Who Is More Likely To Fall Prey?
The lower an employee sits in the organizational hierarchy, the higher their chance of a malware infection. In fact, malware infections are 10x more likely among users at the bottom of the organizational chart than among C-suite executives. The same trend holds for phishing.
The Elevate Security and Cyentia Institute report does not consider the impact of human error on the part of security teams. IBM’s Cost of a Data Breach Report 2020 puts the average cost of a data breach caused by human error at $3.33 million.
Humans make (security) mistakes. It’s inevitable. We can’t keep trying to train people out of it. If we do, ransomware, account takeover, & data loss will continue to run rampant.
It’s time for a new way of defending the Human Attack Surface.
— Masha Sedova (@modMasha) May 10, 2021
According to Accurics, one in four cloud security violations is a direct result of poor cloud configuration. Cloud misconfigurations also exposed approximately 33.4 billion data records in 2018 and 2019, costing organizations approximately $5 trillion, DivvyCloud by Rapid7 found.
Cybersecurity expenditure is expected to hit $211 billion by 2024, but none of it matters if the internal human risk factor isn’t managed. Minimizing the human attack surface requires harmony between employees and the tools they use.
For example, Elevate Security’s report shows that users of a password manager are less prone to malware attacks. Adopting security tools such as password managers and multi-factor authentication (MFA) can therefore help.
That said, there is a difference between minimizing threats and eliminating them altogether. So what can organizations actually do? Identifying the human attack surface, gaining visibility into it, and categorizing it by risk is a start. Beyond that, they can drop the one-size-fits-all approach and adopt dynamic, adaptive security controls based on individual end-user security assessments.
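The following is an added example of what "adaptive controls based on individual end-user assessments" can look like in code; it is not Elevate Security's scoring model or any code from the report. It scores each user from a constructed log of security-relevant actions (simulated and real phishing clicks, malware execution, phishing reports, password manager and MFA enrollment), decays old events so that recent behavior dominates, rolls the scores up to departments, and maps each user's score to a control tier. The event names, weights, 90-day half-life and tier thresholds are all assumptions chosen for illustration; a real deployment would calibrate them against its own incident data.

```python
"""Per-user human-risk scoring driving adaptive controls (illustrative only).

Not Elevate Security's model. Event kinds, weights, half-life and tier
thresholds are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date

# Assumed event weights: positive values raise risk, negative values lower it.
EVENT_WEIGHTS = {
    "sim_phish_click": 3.0,       # clicked a link in a phishing simulation
    "real_phish_click": 6.0,      # clicked a link in a real phishing email
    "malware_exec": 8.0,          # downloaded and executed malware
    "phish_reported": -1.5,       # reported a phishing email to security
    "pw_manager_enrolled": -2.0,  # uses the corporate password manager
    "mfa_enrolled": -2.0,         # enrolled in multi-factor authentication
}
HALF_LIFE_DAYS = 90  # assumed: an event's weight halves every 90 days

# Assumed tiers: (minimum score, controls applied to that user), highest first.
CONTROL_TIERS = [
    (8.0, ["block_external_attachments", "mfa_every_login", "targeted_coaching"]),
    (3.0, ["quarantine_links", "mfa_step_up_on_new_device"]),
    (0.0, ["baseline"]),
]


@dataclass(frozen=True)
class Event:
    user: str
    dept: str
    kind: str
    when: date


def decayed_weight(kind: str, when: date, today: date) -> float:
    """Weight of one event, halved for every HALF_LIFE_DAYS of age."""
    age_days = (today - when).days
    return EVENT_WEIGHTS[kind] * 0.5 ** (age_days / HALF_LIFE_DAYS)


def user_scores(events, today: date) -> dict:
    """Sum decayed event weights per user; scores never go below zero."""
    totals = {}
    for e in events:
        totals[e.user] = totals.get(e.user, 0.0) + decayed_weight(e.kind, e.when, today)
    return {u: round(max(0.0, s), 2) for u, s in totals.items()}


def dept_scores(events, today: date) -> dict:
    """Roll up: mean user score per department (the report's department view)."""
    per_user = user_scores(events, today)
    dept_of = {e.user: e.dept for e in events}
    buckets = {}
    for user, score in per_user.items():
        buckets.setdefault(dept_of[user], []).append(score)
    return {d: round(sum(v) / len(v), 2) for d, v in buckets.items()}


def controls_for(score: float) -> list:
    """Map a user's score onto the first tier whose threshold it meets."""
    for threshold, controls in CONTROL_TIERS:
        if score >= threshold:
            return controls
    return ["baseline"]


def assess(events, today: date) -> dict:
    """Per-user (score, controls) used to configure adaptive controls."""
    return {u: (s, controls_for(s)) for u, s in user_scores(events, today).items()}


# Constructed sample data, not drawn from the report.
TODAY = date(2021, 5, 10)
SAMPLE_EVENTS = [
    Event("alice", "finance", "sim_phish_click", date(2021, 5, 1)),
    Event("alice", "finance", "malware_exec", date(2021, 4, 20)),
    Event("bob", "finance", "sim_phish_click", date(2020, 11, 11)),
    Event("bob", "finance", "phish_reported", date(2021, 5, 5)),
    Event("bob", "finance", "mfa_enrolled", date(2021, 3, 1)),
    Event("carol", "engineering", "real_phish_click", date(2021, 4, 30)),
    Event("carol", "engineering", "pw_manager_enrolled", date(2021, 1, 10)),
]

if __name__ == "__main__":
    for user, (score, controls) in assess(SAMPLE_EVENTS, TODAY).items():
        print(f"{user:6s} score={score:5.2f} controls={controls}")
    print("departments:", dept_scores(SAMPLE_EVENTS, TODAY))
```

On the sample data alice (a recent malware execution plus a simulation click) lands in the top tier, carol (one real click, partly offset by password manager use) in the middle tier, and bob (an old simulation click outweighed by reporting a phish and enrolling in MFA) at baseline. The point is that controls tighten for the small group that keeps clicking rather than for everyone, and that mitigating behaviors such as MFA enrollment visibly lower a user's score.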
Note: The Human Attack Surface Management report is based on 4.5 million unique user actions taken between early 2018 and 2020 by 114,000 users spread across more than 2,000 organizational departments, aggregated in Elevate Security’s data platform.