Cracking the Code of Cyber Deception and Motivations to Fight Attacks

By Perry Carpenter, Chief Human Risk Management Strategist, KnowBe4

Threat actors and hacktivists are relentless, persistent, and ever-present. It seems that no matter how much time and effort organizations and their IT leaders put into thwarting adversaries, they keep coming back for more. Why? Understanding the why can help companies improve their ability to implement protections—both technology- and people-driven. No, we’ll never be entirely free from cyber threats, but we can be more effective at minimizing the risks.

Drivers of Deception

Financial gain and manipulating people through coercive practices are the top drivers of deception. Of course, money is typically the most common motivator. Threat actors hope to trick people (including employees) into divulging sensitive information or into granting access to company data and systems. They do this through a variety of techniques and combinations, including phishing, pretexting, and business email compromise (BEC) scams. These efforts are designed to deceive people into transferring company funds or revealing personal information or credentials. To summarize these common threats:

  • Phishing involves sending emails or messages that, while they appear to come from a legitimate source, are actually designed to trick recipients into clicking a malicious link, downloading malware, or betraying sensitive information like passwords or credit card details.
  • Pretexting involves creating a fictional scenario designed to gain the trust of targets in an effort to access sensitive information. For example, pretending to be an IT employee who calls with an urgent message: “We’ve detected a serious security breach on your computer and need to verify your login credentials to make sure your account hasn’t been compromised.”
  • BEC scams impersonate high-level executives like CFOs or other authority figures to trick employees into transferring funds or sharing sensitive information.

But financial gain isn’t all bad actors are hoping for. Many are also driven by a desire to influence behavior. Their efforts are generally achieved through techniques like social engineering, disinformation campaigns, and coercive manipulation. It’s fair to say that we have all been exposed to and potentially influenced by such tactics.

  • Social engineering involves manipulating people into sharing confidential information or taking certain actions that lead to system or security impacts.
  • Disinformation campaigns are used to spread false information to influence public opinion, sow confusion or undermine authority.
  • Coercive manipulation involves the use of techniques like gaslighting or pressing emotional buttons (fear, greed, love) to drive desired actions. For example, an attacker impersonates a senior executive using a realistic voice clone, urgently instructing an employee to immediately authorize a financial transfer or confidential data release.

The key takeaway: hackers are clever, flexible, and adept at using their understanding of human behavior and motivations for monetary gain or influence. The key question for organizations is: what can, or should, they be doing about it?

Outsmarting the Tricksters

Standard tech protections such as firewalls, endpoint protection, threat detection and response, etc., can provide part of the solution for combating cyber threats. But organizations must also enlist the help of their employees. Unfortunately, people also bring their share of vulnerabilities as a result of hasty decision-making, phishing susceptibility, and everyday human error and misjudgment. When dealing with human-centric vulnerabilities, companies can do a number of things:

  • Set clear policies and processes that outline employees’ roles in helping to protect company data and systems. Bonus points if procedures are documented in easy-to-understand language rather than IT jargon.
  • Educate employees about the risks and drivers behind deceptive social engineering practices and the common phishing and deepfake techniques used by threat actors.
  • Provide regular security awareness training to educate users and practice skills. Once-per-year training won’t cut it. You need to train employees as often as your corporate culture will allow (at least quarterly), and not always in the same format. Consider using variety, repetition, and gamification to boost participation.
  • Conduct phishing simulation exercises to give employees direct experience with sophisticated phishing tactics. Offer training to improve their skills at detecting and avoiding such threats. Create a cybersecurity culture where it’s okay to share experiences both good and bad—especially impactful if executives can share examples of when they’ve fallen prey to a phishing attempt.

The more you can do to foster a healthy security culture supported by ongoing and transparent communication and education, the lower the odds that adversaries will achieve their goals.

The good news is that these efforts, when applied consistently and appropriately, can help minimize the risk and impact of cyberattacks. Establishing and sustaining a security culture isn’t a one-time act; it’s an ongoing process. Staying consistently aware of and vigilant against new threats can help organizations keep their business and employees safe.

Perry Carpenter is Chief Human Risk Management Strategist at KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management with over 70,000 customers and more than 60 million users. His latest book, “FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation, and AI-Generated Deceptions” [Wiley: Oct 2024], explores AI’s role in deception. With over two decades in cybersecurity focusing on how cybercriminals exploit human behavior, Perry hosts the award-winning podcasts 8th Layer Insights and Digital Folklore.