October marks National Cybersecurity Awareness Month. It’s a time for individuals and organizations to evaluate their role in preventing cybersecurity incidents nationwide. This year’s theme from the Cybersecurity & Infrastructure Security Agency (CISA) is “do your part.” The theme encourages individuals to take personal accountability for cybersecurity and urges businesses to adopt proactive measures to prevent successful attacks.
We connected with Masha Sedova, co-founder of Elevate Security, to learn more about cybersecurity trends and steps businesses can take to reduce cyber risks. (You may recognize Elevate Security’s name from our 2020 Future of Real Estate Summit.)
Elevate Security was a contributor to this year’s Verizon 2020 Data Breach Investigations Report. The annual report provides details on cybersecurity threats and how attacks are evolving over time. Sedova provided insights from the report and actionable recommendations based on her analysis of the data.
Qualia: What has stayed the same since the 2019 Verizon report?
Sedova: Attackers are still leaning into the approaches that require the least amount of effort and yield the greatest results. This includes phishing and using stolen credentials. While breaches caused by phishing (22%) or stolen credentials (37%) are down slightly from 2019 (at 22%), it is notable that 80% of breaches were caused by hacking that involved brute force or the use of lost or stolen credentials.
Qualia: What trend is growing since the 2019 Verizon cybersecurity report?
Sedova: The Verizon report uses 7 categories of threat actions: malware, hacking, social, misuse, physical, error, and environmental. Errors are the only action type that continues to increase in frequency from year to year. An error indicates that people within an organization are making mistakes that open up the business to outside threats. Human errors were “causal events in 22% of breaches” last year.
Some of the most notable human risk stats found on page 7 of the Verizon report include:
- 22% included social attacks
- 17% involved malware
- 8% of breaches were misuse by authorized users
Another threat that is increasing each year is the use of financially-motivated social engineering (FMSE). This form of attack continues to climb year-over-year. The report indicates that in prior years, the attackers would impersonate CEOs or other executives to request employee data such as W-2 forms. Recently, attackers have changed their tactics to ask employees for cash directly.
Qualia: Knowing that human error is opening up businesses to cybersecurity threats, how can businesses take steps to reduce this?
Sedova: This quote from the report aligns with our sentiments at Elevate Security: “In the past, we have observed that security awareness training can help limit the frequency and/or impact of phishing attacks. However, in some instances, this training appears to be either not carried out at all or delivered in an insufficient or inadequate manner. Whatever the reason, telling employees not to click phishing emails can be as effective as yelling ‘ear muffs’ when you don’t want your child to hear something unpleasant.”
So what does this mean? It’s time for the industry to take a new approach towards solving top cybersecurity risks. It is not what people know, it is what they do, that poses risk to an organization. By focusing on what people do rather than what they know, you can measurably reduce your risk. Using security tooling and data logs, you can better understand how individual employees are performing and what security decisions they are making that put an organization at risk.
Here are the top five actions to improve in your organization if you want to decrease human risk (in no particular order):
- Increase phishing reporting
- Drive adoption of strong authentication
- Increase malware detection rates
- Install and use password managers
- Decrease sensitive data handling incidents