Engineering the human: The 2023 cyber threat
Human-targeted attacks are becoming increasingly virulent in 2023, and this demands that companies and individuals re-evaluate their vigilance, says Wayne Olsen, BCX Managing Executive Cybersecurity.
The number of zeroes at the end of 175 zettabytes, 21 zeroes to be exact, demonstrates the vast amount of data humanity will have generated by 2025, with a compound annual growth rate of 61%. Unfortunately, the weakest link in security is the human factor, leading to the prevalence of social engineering attacks. According to the Verizon Data Breach Investigation Report, 82% of breaches involve the human factor, while KnowBe4 suggests that 70%-90% of breaches result from social engineering. Additionally, Barracuda research reveals that the average company experiences over 700 social engineering attacks each year.
These statistics only scratch the surface of the problem. The challenge lies in navigating the increasing wave of social threats to protect both organisations and individuals. Cyber criminals continually evolve and enhance their tactics, further complicated by the emergence of artificial intelligence (AI) and automation in cyber crime. These technologies not only empower organisations in terms of security, but also enable cyber criminals to improve their own methods. AI allows cyber criminals to automate various stages of an attack, including reconnaissance, target selection, vulnerability scanning and exploitation. AI-powered tools can quickly identify potential targets, assess their weaknesses and launch attacks at scale, increasing the efficiency and speed of their operations.
In 2023, AI has demonstrated impressive language communication abilities. Scammers' e-mails are no longer riddled with errors, and social engineering attacks have become less obvious due to these advanced tools. Attackers can now scale their efforts, targeting larger groups while employing new social engineering techniques. Aware of individuals' growing awareness, attackers utilise more sophisticated methods and create compromising situations that attract unsuspecting users.
Identifying and defending against such attacks will only become more challenging for individuals, especially with the rise of hybrid and remote working, which increases the frequency of targeting remote workers and the supply chain. Moreover, the increased adoption of internet of things (IOT) devices adds to the complexity.
Reliance on digital devices and online services for work and personal activities has significantly expanded the attack surface for cyber criminals. Many individuals and organisations have embraced cloud-based services, which, if not properly secured, will introduce new security risks. Moreover, people themselves are a significant vulnerability due to now operating outside of the traditional borders of the corporate network.
People are susceptible to social engineering tactics due to a lack of awareness and understanding of cyber security best practices. They often fail to follow security protocols, use weak passwords, remain uninformed about the latest threats and lack access to training and insights for effective security management. In this environment, it is crucial for both companies and individuals to become more aware of the risks. Companies must prioritise training, awareness programmes and testing, while individuals should educate themselves about the risks and the potential long-term consequences of a simple mistake.
Every individual in every organisation should be familiar with cyber security best practices, such as creating strong and unique passwords, avoiding password re-use, regularly backing up data and the major fatal error most make, don’t click on links from unknown e-mails. Companies need to ensure their systems and software are always up to date, including patching, having tooling to identify zero-day threats and vulnerabilities. They should also collaborate with reliable security vendors who can provide real-time data and telemetry about who and what is connected to their network or application, and how these are being used.
These initial steps lay the foundation for a robust human risk management (HRM) programme and a security-first culture within the business. HRM programmes effectively mitigate the risks associated with human error by providing regular security awareness training, establishing clear security policies and procedures, and integrating security into performance evaluations. When combined with top-down leadership and a commitment to continuously improving security practices, this fosters a culture of security and reinforces the importance of individual behaviours.
Looking ahead, companies must prioritise these security habits and best practices to proactively address threats and minimise risks. While no security system is flawless and mistakes can happen, this approach and a trusted security service provider ensure preparedness even in the face of worst-case scenarios.