• Home
  • /
  • Access Control
  • /
  • How identifying your ‘very attacked people’ can bolster your cyber security strategy

How identifying your ‘very attacked people’ can bolster your cyber security strategy

By Adenike Cosgrove, Cybersecurity Strategist, International at Proofpoint

Johannesburg, 01 Jan 2021
Read time 5min 20sec

A strong cyber security posture is multifaceted. As new threats are born and others evolve, companies must keep adding to their arsenal to ensure their defences are up to the task. However, there is one line of defence that is still often overlooked: people.

The cyber security knowledge and understanding of the employees in an organisation is just as important as any policy or control that is put in place. The end-user is often the first point of attack. The more they understand about how their behaviour can affect the security of the business, the stronger an organisation’s cyber security posture.

While all employees can fall victim to external attacks on an organisation – some are more attractive targets than others. Just as people are unique, so is their value to cyber attackers and risk to your organisation. They have distinct digital habits and weak spots. They’re targeted by attackers in diverse way and with varying intensity. And they have unique professional contacts and privileged access to data on the network and in the cloud.

These more targeted employees are referred to by Proofpoint as 'very attacked people' (VAPs). And these VAPs aren’t always the people you expect. That’s because today’s attacks target users in countless ways, across new digital channels, with objectives that aren’t always obvious.

Identifying your VAPs

Do you know who your VAPs are and how they are being attacked? If you don’t, you should. Gaining these insights can go a long way towards reducing your exposure to targeted threats.

Adversaries are taking a finely honed, highly strategic approach to targeting your people. Sophisticated attackers diligently do their research and often have access to org charts and know how a business works better than the security team does. Today’s cyber criminals are much less interested in casting a wide net through scattershot spam or phishing campaigns in hopes of getting someone to download a PDF that contains malware or to click on a malicious URL.

So how can you determine a risky user and what can you do about it?

There are two parts to identifying a VAP:

  • Using mathematical concepts, Proofpoint looks at every threat and assigns it a score from 1 to 1 000 based on the spread of the attack, the type of payload and whether an actor can be associated with it.
  • User data points are then added into the equation. These include URLs that users have clicked on over time, which users tend to do this frequently, how well users perform on phishing simulations and checking API connections to Microsoft Office 365 to see who may be coming from suspicious networks. Even device health, like browser patch levels, can provide valuable insights.
  • Examine this anti-phishing training data to reveal the most vulnerable users, and use those metrics to quiet the perfect storm that’s brewing: the overlap between these two populations. The opportunity to deliver the right training to the right people at the right time should not be squandered.

When you put all of this together, you have a good sense of who is getting targeted and who is going to fall for the tactics and techniques of bad actors. All this number crunching gives you an advantage over attackers. You can use this intelligence to prioritise your efforts because attackers are prioritising theirs.

Previous Proofpoint research has also uncovered that VAPs are actually rarely what an organisation would consider as its VIPs (senior execs, etc), but more likely to be part of the HR, PR, marketing or research teams.

Creating a security-conscious culture

Once you’ve identified your most targeted employees, closing security knowledge gaps is crucial. That said, it is critical to ensure that each and every employee within the organisation is aware of the role they play in practising good security hygiene.

Spotting gaps in user knowledge is one thing. Closing them is another. There is no quick fix. To increase user understanding of complex topics and bring about a change in behaviour, the only effective plan of action is comprehensive, ongoing training, that keeps pace with the cyber threats organisations are facing.

This training should include regular assessments, education, reinforcement activities and measurement of understanding.

Companies that fail to create a culture of cyber awareness and responsibility will always be the most vulnerable to attack. The human factor needs to be a key pillar of a company’s cyber security defences.

To shore up the line of defence that is usually overlooked – people – organisations should consider taking the following actions:

  • Deliver comprehensive and continuous cyber security training to all employees, at all levels. This means not only training and refreshing end users on how to spot a phishing attack, but what to do when they occur and also eradicating any behaviour that can impact the security of your business.
  • Ensure employees are educated in cyber security best practices, for example, practising good password hygiene. Not all security incidents stem from an outside attack and teaching employees on how to keep sensitive data secure is vital.
  • Treat traditional phishing attacks with the importance they deserve. Ensure that your users know how to spot them and what to do if and when they occur. But know that to stand a greater chance of preventing such attacks, your security training must extend far beyond this.
  • Educating employees on the “why” as well as the “what”. Not just what a threat looks like but how it works, the motivation behind it and the ways that their behaviour can increase its success rate. That’s true not just of phishing, but of every security challenge faced by end-users.

When awareness and understanding increases, behaviour changes. And that might just be the difference between a successful attempt and a successful attack.

See also