Why should you care about the behavioral risk of your employees?
Eighty-two percent of breaches include (and often start with) user behavior.1 Not all are phishing, but a majority of them are just that. Phishing is, and has been for many years, the cheapest and most reliable way for an attacker of any motivation (nation-state actors down to simple script-kiddie scammers) to establish a toehold in an organization. Social engineering and phishing are used for initial breach tactics, lateral movement, and elevation of privilege, and, in many cases, they directly lead to data exfiltration.
Worse, breaches cost companies a lot of time and money. Several security research companies have determined that the average data breach costs a company about USD4 million per incident.2 Averting even a handful of breach events in any given year can save you millions of dollars and thousands of hours of valuable security operators’ time.
So, how does behavior play into this? Doesn’t my company spend a bunch of money every year on technical solutions to prevent those phishing attacks from making it through? Don’t we have detection and response capabilities that find and fix those breaches quickly? Any organization that cares about its data certainly should invest in exactly those capabilities, but the strategy is incomplete for a few reasons:
- Technical solutions never have and likely never will provide perfect protection. Humans are capable of incredibly creative and intuitive thinking. Attackers with even a passing understanding of how protective solutions work can easily find gaps and workarounds. Decades of breaches have shown us that any determined attacker will find a way in. Assume breach principles hold that organizations should assume that their ecosystems are breached, that they should not automatically trust their existing protection boundaries, and that they should invest in detection and response mechanisms in equal measure to prevention. This, Microsoft believes, is the most effective approach to mitigating organizational risk.
- Humans are the most valuable part of any organization’s mission. They make all the data. They derive all the most valuable insights. They integrate and maintain all the complicated systems that make up any modern enterprise. An attacker can go after systems to get to data, but the inherent fallibility of humans provides a much more malleable target. You can’t insulate the people in your organization from that risk because they are almost always the ones responsible for creating the asset in the first place. Attackers know that and almost always incorporate social engineering into their plans.
- Human behavior, especially as it relates to risk, is an incredibly complicated and nuanced process. It is probabilistic in nature, and attackers know that. Factors include the context in which the behavioral choice is made, the knowledge of the human, the attitudes and motivations of the person, externalities such as time pressures and adjacent choices, and the past experience of the human. Any of those factors can change day-to-day, and so a phishing attack that a user correctly identifies and avoids might not work today but would fail to detect in some other context.
With that in mind, in partnership with Microsoft, Terranova created the Gone Phishing Tournament, an online phishing initiative that uses real-world simulations to establish accurate phishing clickthrough rates and additional benchmarking statistics for user behaviors. With this opportunity, you will be able to drive effective behavior change and build a strong security-aware organizational culture with free, in-depth phishing simulation benchmarking data.
Given this context, why should an organization care about user behavior? One reason is that even small changes in behavior can result in significant reductions in risk and every breach you avoid saves you literal millions of dollars. Admittedly, behavior change is hard. The security awareness business has been working to help educate users for decades now, and the human behavior risk portion of the overall risk pie remains large. We think the capabilities that modern solutions are bringing to bear are the beginning of a major shift in the industry. Some key capabilities to consider:
- You must measure something to move it. Phish susceptibility assessment is a core part of any security awareness program, and we think authentic simulation is the best way to measure real-world phishing risk behavior.
- Teaching is more than just telling. One of the reasons why effective security awareness programs focus so much on simulation is because it gives users the experience of an attack (safely). Doing something hands-on and experiencing it directly sticks in human brains much more effectively than just seeing or hearing a description of it.
- Life in organizations already includes a lot of formal learning, so you must find new, differentiated, and contextual ways to engage your people in learning experiences. Games, nudges, and social rewards systems educate without lecturing and bring an element of fun that helps the important messages stick.
- Everybody is at a different place in their journey. Look for solutions that allow you to differentiate learning based on what the user already knows, or what you think is going to be especially problematic for them.
- Security Awareness training has evolved most commonly to be a twice-yearly simulation with a five- to seven-minute video. This formula is usually manageable by organizations to execute, but it rarely produces desired results. Look for solutions that give you the ability to vary the frequency, targeting variations, payload variability, and training experiences. Some of your people might just need reminders twice a year, but many will need more frequent experiences to maintain behavioral alignment.
Every major organization on earth is in the same boat. User behavior risk is high, difficult to change, and exploited every day by attackers. Take the time to learn from each other. Participate in conferences. Make connections with people at other companies that are doing the same role. Engage with the solutions that you leverage and give those product teams feedback about what is and is not working.
Knowledge is power when it comes to being cybersmart, and there are many ways to prepare yourself and your organization to be safer online and fight cyber threats. October will be Cybersecurity Awareness Month, and you will be able to take advantage of Microsoft’s expertise with several resources that will be made available by Microsoft Security.
Stay tuned for Microsoft’s best practices on Cybersecurity Awareness Month and don’t forget to register for Terranova Security Gone Phishing Tournament. Let’s #BeCyberSmart together!
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
12022 Data Breach Investigations Report, Verizon. 2022.
2How Much Does a Data Breach Cost?, Embroker. September 2, 2022.