The ‘biological interface’ is the weakest link in cybersecurity

Hackers find the easiest target, and that's often via specially crafted emails used in phishing attacks.
6 November 2018

Over 90 percent of cyber attacks are targeted at specific people within the business. Source: Shutterstock

As cybersecurity methods have evolved over the years, so has the complexity of the protection methods that most businesses have to deploy. Perimeter protections now combine with plenty of LAN-based monitors and alert systems, but still many attacks are successful. Why is that?

Over 90 percent of all attacks on enterprise networks are spear phishing attacks – that is, phishing emails which are directed at specific people or personnel. In cybersecurity, a new piece of terminology is being coined: whaling, or whale-phishing. That’s the targeting of high-end individuals, such as board members or high-ranking executives. Big fish = whale (logical, albeit zoologically incorrect).

For security teams, concentrating only on protecting C-Suite executives is an error. Smart cybercriminals know that the best targets might be Finance Department juniors, IT Helpdesk interns, or temporary staff. In short, just about anyone is capable of clicking a rogue link, and anyone who claims never to have been taken in, even momentarily, by a good phishing email is probably a liar – this author included.

The most dangerous trend in cybersecurity at the moment is manipulation of people. And just about anyone in the enterprise is a legitimate target.

Criminals find it easier to target people than flaws in software or networked systems. Rather than having to develop highly complex code to attack or circumvent protection systems, bad actors treat people as the softer target through which they can install malware, steal credentials, exfiltrate confidential information, or transfer funds.

In the same way that the relative position of a member of staff in an organization is irrelevant, so too is the size of the company. Businesses of all sizes experience the same per capita attack frequencies.

Unlike cybersecurity teams, hackers aren’t thinking in terms of networks. SOCs (security operations centers) tend to concentrate on perimeter defense and east-west traffic monitoring. Attackers, conversely, do not target one organization, or one network. Their aim is maximizing their revenues, and this is achieved by multiple attacks on many thousands of recipients, regardless of where they work.

Email continues to be the top attack vector of choice for bad actors, and fraud attacks are growing in number and sophistication. If you’re in cybersecurity, protecting your people, as well as your network, should be a matter of prime concern.

Protection, therefore, needs to start with your people. While attackers do continue to target infrastructure, people are the weak link in the cybersecurity chain. Human nature (and a human failing like suffering from work overload) is understandable.

Who hasn’t opened the wrong email when distracted? People click the wrong things – and can be encouraged to do so, given the right cues. A disproportionately high volume of phishing attempts is associated with Dropbox file sharing, for example. Any standard application’s emails can be replicated easily, and it often only takes one click for a whole network, potentially, to be compromised.

Prevent, protect and educate – with threat actors targeting people, not infrastructure, you need a cybersecurity solution that can help all staff, not just the VIPs in the boardroom.

Protect your small fry just as much as your whales.