.png){kind=small}
Have you heard the call ? - The champion in each of us.
Devoid of filter, Jaan Kitsuk's eye-opening talk on human error heralds a necessary wake-up call to all cybersecurity professionals and any of us who use the internet (and in 2022, who doesn’t?).
Through an exploration of the dark world of Ransomware-as-a-Service (RaaS), the industrialization of cybercrime, and the evolution of social engineering, Kitsuk calls on us to become the next generation of champions in the war on cybercrime. Inspired by his talk, I'll highlight some of the factors that are reshaping the modern cyber threat landscape and the actions we must each take to transform human vulnerability into human cyber defence.
FBI IC3 Report - 475% Increase in Cyber Crime
Given the current situation, we must urgently reconsider the most common approaches to securing businesses from malicious actors. A glance through the FBI IC3 report for 2021 makes us painfully aware of the monetary losses cybercrime causes each year. The yearly total damages have increased 475% between 2016 and 2021, reaching 6.9 billion USD, and predictions for the future show a continuation of this rising trend.
Social Engineering and RaaS
Research indicates that social engineering is one of the leading attack vectors malicious actors employ in the average breach attempt. Even more concerning is the revelation that the latest generation of hackers no longer needs to know how to write a single line of code to carry out sophisticated attacks. Cybercriminals are creating full-scale organizations and offering their services in the form of RaaS packages, set up in the familiar Software-as-a-Service (SaaS) format.
The following leaked quote reveals to us the popular thinking amongst cybercriminals today:
“We can’t win the technology war because on this ground we compete with billion-dollar companies, but we can win the human factor.” - a member of the Russia-based group responsible for the Conti ransomware attacks, via Telegram. (Source)
The introduction of RaaS breaks the barrier to entry, allowing script-kiddies, opportunists willing to pay, and deeply malicious actors to carry out millions of breach attacks daily. The hacker economy thrives on the use of both RaaS and social engineering, so while most businesses are diligent with their technical solutions, hackers continue to rake in stolen dollars by feeding on companies’ most vulnerable resource: the human factor. It is crucial to remember that "the human factor" is not limited to employees, but also includes contractors and anyone with network access (including yourself).
A study of the rapid industrialization and restructuring of the hacker value chain reveals that phases are distributed amongst various specialist threat groups. Malicious actors partner up to combine their expertise, monetizing their ability to distribute via RaaS packages and perpetuating the hacker economy by purchasing from partners beyond their speciality.
As hackers become increasingly proficient in isolating and personally targeting individuals -- organizations and the leaders responsible for a company's cybersecurity program can often find themselves overwhelmed when searching for an effective solution to their human error vulnerabilities.
Protecting your organization from social engineering
Jaan, the CPO and co-founder of CYBR , explains that we must protect our organizations and businesses from these super-charged, targeted attacks. The one-size-fits-all, generic approach to awareness training and attack simulations is outdated, and we must take action to remedy this immediately. CYBR offers the ultimate solution with the combination of Teach AI and Breach AI.
"For us to defeat the hackers, we must think like the hackers and get ahead of them" - Jaan Kitsuk
CYBR's approach is laser-focused on discovering, diagnosing and treating your employees’ individual vulnerabilities. Breach AI carries out sophisticated attack simulations that are uniquely crafted for each employee. Teach AI delivers bite-sized, gamified and engaging training. The results are risk mitigation, measurable changes in security habits and an improved security culture throughout your organization.
Security Culture and Awareness Training
Fostering a strong security culture empowers your organization and employees in the face of cyber threats. A security awareness program, is unlikely to reach its full potential and reap benefits in organizations with a weak or non-existent security culture. Picture this scenario: Let's say that your employees know what phishing emails look like due to an awareness campaign. That's a great first step, however, security culture does not end there. What happens if someone with network access accidentally clicks on a malicious link in an email?
Weak Security Culture
In an organization that lacks in security culture, the employee will likely neglect to report the error due to feelings of shame and embarrassment. This could allow the threat actor deeper access to your organization's private data or worse.
Strong Security Culture
Looking at the same scenario in a company with a strong security culture, instead of feeling fear and hiding their mistake of clicking on a malicious link, the employee is confident about reporting the error immediately, which allows the incident to be isolated and handled more effectively.
Establishing a strong Security Culture throughout your organization propels the effectiveness of your security awareness program forward. You want those with network access to be immediate responders and reliable threat detectors.
Transforming human error into human cyber defence
The following steps are a great way to begin transforming your employees' human vulnerabilities into a human cyber defence force:
1. Update yourself on the current cyber threat landscape
Stay up to date on security issues and changes within the cyber threat landscape. Doing this will increase your and your employees’ awareness, ensuring you are better prepared for most current threats.
2. Security Culture is non-negotiable
Security Culture must become a part of your work environment. The "once a year" awareness campaign approach is outdated and ineffective when it comes to measurable changes in employee behaviours and habits. In 2022, a cyber awareness programme is a must-have part of any security strategy.
3. Continuous Awareness Training
Allow your employees to maximize their successes and learn from their failures with consistent training and the delivery of personalized attack simulations. For a clearer perspective of your organization's risk score, try sorting your employees by risk level.
Discover more on the future of phishing, and explore some of the reasons why you should never reuse the same password.