Protecting the Weakest Link: Why Human Risk Mitigation is at the Core of Email Security
Published 06/20/2025
Originally published by Abnormal.
Written by Jade Hill.
Blame has long been placed on people as the biggest vulnerability in cybersecurity. And while it isn’t exactly a hot take, I deeply believe that we can’t blame people for just trying to do their jobs, track a package, or win a contest.
How can we blame an employee for simply trying to do their best at work? That might mean an executive assistant buys some gift cards at the request of their boss, or a finance director changes the banking information for an invoice per instruction from the CFO. Or perhaps someone is in the middle of an important project with an immediate deadline when they receive notice that they need to update their password to keep access to their account.
These and many other normal daily business interactions are exploited by attackers. So while we can’t blame people for simply trying to do their jobs well, we can acknowledge that people are a known weak spot for which cybersecurity strategies must compensate.
Why Human Vulnerability is Targeted
Software vulnerabilities, misconfigurations, and physical system attributes can be exploited to access a corporate environment. But not only are these attacks more technically challenging, they are more likely to be noticed by a security tool or SOC analyst combing through logs.
So why target systems when you can simply target people, especially when that tactic takes less work and has a higher success rate?
People are wired to trust other people. Psychologically, we have an innate desire to believe in others and find belonging, and our digital lives inherited this trust—extending the need for connection across the interwebs. Savvy attackers take advantage of these human psychological needs, twisting them into weaknesses and exploiting them for personal gain.
There is no denying that our lives today are nearly 100% connected, with ample opportunity for an attacker to target human vulnerabilities through digital communication—and no channel is more susceptible than email. In fact, 68% of attacks last year leveraged the human element, and there are four main paths by which that leads to a successful compromise:
- Genuine Error: True accidents happen. Great, well-crafted phishing attacks are oftentimes successful, especially with limited security tools in place. If it’s up to an employee to have SOC analyst skills to stop every phish, then there will be errors and accidents that lead to compromise via email.
- Identity Compromise: Accounts can become compromised in a variety of ways. For example, if an employee reuses credentials between personal and corporate log-ins, a compromised social media account or personal email could lead to a corporate identity breach.
- Alternative Phishing: Phishing isn’t exclusive to email. A Slack chat, Teams message, text, phone call, even a video call can be used to exploit employees. And while employees may be well-trained to notice common phishing tactics in email, they may be more easily deceived in another less-obvious channel.
- Malicious Intent: And finally, there’s always the chance that an employee could provide their credentials or enable an attack on purpose. Malicious insiders aren’t tricked, but rather intentionally compromise other employees for their own gain.
Regardless of the general category or specific attack method, bad actors are constantly trying to extract credentials, steal other personally identifiable information, or directly steal money from their targets. With humans offering the easiest path to the greatest return, it makes sense that attackers choose to target them.
How AI Can Protect the Human Vulnerability
In response, organizations have historically implemented security awareness training and programs, believing that educating employees was the best way to solve the problem. Unfortunately, this results in a situation where employees must be right every single time in order to stay safe, while attackers only have to be right once.
Rather than focusing on the people who make (understandable) mistakes, security leaders must take a critical look at the technology safeguards that can be put in place to remove the burden (and blame) from end users. But while there are loads of tools and a decades-old email security market focused on this attack surface, this simply isn’t stopping the problem. After all, business email compromise alone cost organizations $2.9 billion last year, and this number continues to grow each year.
Instead, organizations should turn to AI to uplevel their protection and better protect humans from themselves. The right email security tool can solve the human vulnerability problem, ensuring that security leaders can feel confident that their employees are not responsible for stopping each attack.