Maintaining a robust cybersecurity posture is always a case of spinning many plates, with leaders forced to balance the fight against threat actors with efforts to keep staff following the rules, as well as empowering them to be productive without restriction.
As any security professional will admit, it’s often in moments when employees don’t follow these rules or make a mistake that attacks against businesses are successful.
Whether an employee fails at good cyber hygiene by reusing a password or interacting with a phishing email on their work device, a company’s cybersecurity really is only as strong as its weakest link.
Almost three-quarters (74%) of global CISOs surveyed as part of Proofpoint’s 2024 Voice of the CISO report pointed to human error as their biggest cybersecurity risk, an increase of 14% compared to the 2023 report.
The majority of CISOs (80%) also reported concern over the impact of human risk on their business’s cybersecurity posture over the next two years. This is why a human-centric approach to security is critical.
To address this, businesses are increasingly looking to run cybersecurity training programs for their staff. These may expose employees to fake phishing emails or provide them with helpful tips on avoiding the most common cyber hygiene mistakes.
It can be hard to know where to start, however, and harder still to know what course structure and content would really benefit staff.
Partners in preventing crime
This is why companies need to engage with a trusted security vendor with years of experience and the necessary resources to support workers through their training and adoption experiences.
To start, leaders could look to Proofpoint’s free cybersecurity reporter-themed awareness training kit (available in English, French, German, Italian, and Spanish), which offers curated educational resources for up-to-date cybersecurity training. These can then be provided to staff in a way that best suits their working environment.
With the kit, employees are exposed to emails styled to emphasize the telltale signs of suspicious digital behavior, advice for internal communications strategies surrounding the training, and infographics on threat campaigns.
The kit also includes relevant information on AI threats – scams created using generative AI such as phishing emails, deepfakes and voice clones. These are among the most novel threats employees will face in 2024 and beyond, and mitigating them demands the latest cybersecurity insights.
The increasing availability of free generative AI tools has allowed threat actors to launch personalized attacks at greater volume than ever before.
Large language models (LLMs) even allow attackers to generate convincing responses to user replies, with a consistent tone of voice across an email thread. Because the LLM generates the responses to the victim’s replies, attackers no longer need a firm grasp of the language in which they conduct social engineering. Proofpoint’s most recent State of the Phish report found evidence of this in business email compromise attacks. While volumes have been falling globally, they increased year-on-year in Japan (35%), South Korea (31%), and the United Arab Emirates (29%) as generative AI enabled attackers to overcome the cultural and language barriers that had previously made these territories less appealing.
Legacy cybersecurity training stressed the importance of double-checking emails for typos or strange contact names, but generative AI has made it harder for employees to distinguish a genuine email from a malicious one. Workers need to be given information on the most sophisticated attack vectors and told frankly to be distrustful of text, audio, or even video purporting to be from a legitimate source.
For example, voice clone software such as Microsoft’s VALL-E is capable of replicating a user’s voice based on just three seconds of reference audio.
Threat actors depend on employees lacking awareness of these latest advances to improve their chances of success with social engineering attempts. This is where the value of robust cybersecurity education via a partner like Proofpoint is so vital. No one can claim to take a security-first approach to the modern threat landscape without a firm grasp of what’s targeting them.
Proofpoint’s kit covers the basics of noticing whether something is AI-generated, an important skill that will help workers filter out the low-effort AI content being deployed to cast a wide net for victims.
While AI is becoming a point of concern due to its potential as an offensive tool, some CISOs are turning to the technology to fight fire with fire. In 2024’s Voice of the CISO, some 87% of respondents indicated they are investigating using AI to identify and mitigate employee errors or flag anomalous activity.
This is still an imperfect approach, though, and it must be supplemented by each and every employee using their judgment on potential AI content.
AI detection tools that claim they can automatically determine whether content has been manipulated or entirely fabricated using AI are still unreliable at best. Employees will still need to rely on their intuition and ability to spot odd details, as taught by training like that found in Proofpoint’s Cybersecurity Awareness Month Kit.
It’s also worth noting that as a dedicated security vendor, Proofpoint is better positioned to analyze and publish the most recent attack methods hackers use than an in-house security team could be. Proofpoint analyzes more human communications than any other cybersecurity company, giving it more insight into threat actors’ evolving tactics across email fraud, ransomware, data theft, and other risks that matter.
As fake photo and video content becomes more and more convincing, Proofpoint can help staff identify the main ‘tells’ that content is illegitimate beyond the surface layer.
A helping hand for messaging around attacks
Although simulated attacks and cybersecurity training courses help to make staff safer, they are not foolproof.
The UK’s National Cyber Security Centre (NCSC) has previously criticized phishing tests as misleading when conducting a company-wide cybersecurity assessment.
It noted that the testing alone is not enough unless complemented with a proper communications strategy. Instead, it recommended being as transparent as possible with staff concerning the reasons for the testing.
It’s certainly important that staff are provided with the right kind of internal messaging, follow-ups, and constructive discussions surrounding their cybersecurity training. For example, if a company is in the process of running phishing simulations, staff should be given insights into their success rate and told what the giveaways were in the simulated attack emails.
Staff who do fall for simulated phishing attacks may need individual follow-ups and be given targeted refresher training on the easiest ways to identify suspicious messages, rather than being called out or simply treated as an office statistic. All of this is far easier to achieve with the help of a trusted cybersecurity partner.
Beyond its free Cyber Awareness Kit, Proofpoint has a long record of working hand-in-hand with enterprises to craft lasting cybersecurity strategies. Through its paid services, leaders can access more bespoke content tailored to the threats their businesses face as well as features like an activity log to mark employee progress, and shareable reminders to take cybersecurity tests on a regular basis.
All of this helps cement the common steps needed to overcome threats within your business. Most importantly, workers must be encouraged to embrace security principles every day of the year, rather than simply during cybersecurity awareness month.
There’s no time like the present to get employees on board with security-first principles. But as with education in any specialized field, it’s best to go straight to the experts for help bringing staff up to speed. With its extensive content and ability to tailor training to a firm’s biggest weaknesses, Proofpoint stands ready to plug the gaps in employee cyber resilience.