Why should you care about the behavioral risk of your employees?
Eighty-two percent of breaches include (and often start with) user behavior [1]. Not all of them are phishing, but a majority are exactly that. Phishing is, and has been for many years, the cheapest and most reliable way for an attacker of any motivation (from nation-state actors down to simple script-kiddie scammers) to establish a toehold in an organization. Social engineering and phishing are used for initial access, lateral movement, and elevation of privilege, and in many cases they lead directly to data exfiltration.
Worse, breaches cost companies a great deal of time and money. Several security research companies have determined that the average data breach costs a company about USD 4 million per incident [2]. Averting even a handful of breach events in any given year can save you millions of dollars and thousands of hours of valuable security operators' time.
So, how does behavior play into this? Doesn’t my company spend a bunch of money every year on technical solutions to prevent those phishing attacks from making it through? Don’t we have detection and response capabilities that find and fix those breaches quickly? Any organization that cares about its data certainly should invest in exactly those capabilities, but the strategy is incomplete for a few reasons:
With that in mind, in partnership with Microsoft, Terranova created the Gone Phishing Tournament, an online phishing initiative that uses real-world simulations to establish accurate phishing clickthrough rates and additional benchmarking statistics for user behaviors. With this opportunity, you will be able to drive effective behavior change and build a strong security-aware organizational culture with free, in-depth phishing simulation benchmarking data.
Given this context, why should an organization care about user behavior? One reason is that even small changes in behavior can result in significant reductions in risk, and every breach you avoid saves you millions of dollars. Admittedly, behavior change is hard. The security awareness industry has been working to educate users for decades now, and the human behavior portion of the overall risk pie remains large. We think the capabilities that modern solutions are bringing to bear are the beginning of a major shift in the industry. Some key capabilities to consider:
Every major organization on earth is in the same boat. User behavior risk is high, difficult to change, and exploited every day by attackers. Take the time to learn from each other. Participate in conferences. Make connections with people at other companies that are doing the same role. Engage with the solutions that you leverage and give those product teams feedback about what is and is not working.
Knowledge is power when it comes to being cybersmart, and there are many ways to prepare yourself and your organization to be safer online and fight cyber threats. October will be Cybersecurity Awareness Month, and you will be able to take advantage of Microsoft’s expertise with several resources that will be made available by Microsoft Security.
Stay tuned for Microsoft's best practices for Cybersecurity Awareness Month, and don't forget to register for Terranova Security's Gone Phishing Tournament. Let's #BeCyberSmart together!
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
[1] 2022 Data Breach Investigations Report, Verizon, 2022.
[2] How Much Does a Data Breach Cost?, Embroker, September 2, 2022.