decrypting myths
How can organisations build a reliable security culture that drives behavioural change?
People risk is an increasing concern. According to Proofpoint's 2023 Voice of the CISO report, there is an increase in the number of UK CISOs who view human error as their organisation's biggest cyber vulnerability – 78% in this year's survey vs. 65% in 2022. start with an email that includes an attachment or a link that downloads a malicious file. Cybercriminals want to get inside your organisation to collect data and understand the infrastructure before they launch their ransomware attacks – and they can do this by simply targeting your employees.
Another example is Business Email Compromise (BEC) attacks, which include phishing, email fraud and social engineering tactics. Cybercriminals are spoofing identities of trusted individuals and suppliers. They are sending simple emails without malicious links and focusing on social engineering to trick your people into wiring money or sending sensitive data. In fact, 86% of UK organisations reported an attempted BEC attack last year.
With email remaining the number one threat vector to organisations today, what can CISOs do to mitigate this risk?
Criminals are continually targeting humans to expose confidential data, compromise networks and even wire money – and email remains their vector of choice. Protecting against threats targeting employees' inboxes requires a combination of people, process and technology.
The first critical step is to try to remove guesswork from employees and minimise the opportunity for mistakes. It's imperative that all organisations place a priority on securing inboxes with advanced filtering and threat detection. Through a technical combination of email gateway rules, advanced threat analysis, email authentication and visibility into cloud applications, we can block the majority of targeted attacks before they reach employees.
But we can't rely solely on technical controls because, as we've seen, this is a people problem.
Security teams must adopt a people-centric approach, i.e. putting their people at the centre of their security operation, similar to how they are already at the centre of the cybercriminal's activity. Employees should undergo regular and comprehensive cybersecurity awareness training that enables them to identify malicious emails and flag them to their security teams.
To educate their users, and with the best intentions, many organisations provide one or two hours of security awareness training annually. But this limited approach lacks staying power. It doesn't promote lasting changes in behaviour. And it doesn't instil the kind of security mindset that can transform your biggest attack surface into a critical layer of defence.
When an organisation has a sustainable security culture, employees feel that they and their co-workers are responsible for acting to prevent security incidents. They understand why cybersecurity is important. And importantly, they feel empowered to act – and comfortable reaching out to the security team when they see something suspicious or make a misstep.
Adenike Cosgrove, VP, Cybersecurity Strategy, EMEA at Proofpoint
www.intelligentciso.com