Individual workers have long been considered easy targets for threat actors, presenting an excellent opportunity to gain access to enterprise IT networks without having to overcome defenses such as firewalls.
Compromised accounts have been responsible for some of the most devastating attacks against organizations in recent years. The SolarWinds supply chain attack in 2020, for example, was directly caused by a compromised account due to poor password security.
Since then, attackers have intensified their attacks against organizations. As always, ransomware remains a widespread threat for many businesses. Proofpoint's State of the Phish 2024 research, for example, showed that globally 69% of organizations were infected with ransomware last year.
Threat actors are also employing increasingly sophisticated social engineering techniques, such as phishing and business email compromise (BEC) attacks, to compromise individual users and wreak even more havoc on organizations.
The State of the Phish 2024 study showed that more than 66 million BEC attacks were detected and blocked throughout the year, highlighting the scale of the threats now facing organizations and individual staff.
For several years, BEC attacks have been growing in both scale and intensity and are now among the “most costly threats to organizations globally,” according to Carl Leonard, EMEA Cybersecurity Strategist at Proofpoint.
By analyzing what is driving this increase in both attacks and compromised users, Proofpoint's research points to a worrying widespread culture of “risk taking” among certain workers, which is putting organizations at significant risk.
Proofpoint said that while cybersecurity-related headlines “often focus on clever social engineering and zero-day vulnerabilities used by attackers,” a major recurring problem lies with users.
“Cybercriminals don't always have to try so hard,” the company said.
The State of the Phish survey showed that 76% of working adults in Europe and the Middle East admitted to having “taken a risky action” in 2023. This included, for example, reusing or sharing passwords, or clicking on links from unknown senders.
A significant proportion were also found to have provided credentials to an “untrusted source.” Worryingly, 95% of them did so knowing they were taking a risk.
Ultimately, 58% of users who took risky actions adopted behaviors that would have exposed them to common social engineering tactics.
“People are a key part of any good defense,” the Proofpoint study states. “But they can also be the most vulnerable. They can make mistakes, fall for scams, or simply ignore best security practices.”
Why users take risky actions
According to Proofpoint, there are a variety of factors that contribute to users taking risky actions in the workplace, but most commonly it comes down to convenience.
Some 39% of workers surveyed in Europe and the Middle East said they took risks because it was convenient for them to do so, while 41% revealed they did so to save time.
Workplace pressures were also a factor: nearly a quarter (24%) said they took risks to meet urgent deadlines, while 9% said they did so to meet performance goals.
Lack of clarity on cyber obligations is a key obstacle
Part of the problem is that many users are unsure of their responsibilities regarding cybersecurity.
Some 83% of security professionals in Europe and the Middle East told Proofpoint that “most employees know they are responsible for security.” In contrast, 58% of users said they were “not sure” of their responsibilities or stated that they were not responsible at all.
Proofpoint warned that this “lack of clarity” about who is responsible can have potentially disastrous consequences for companies.
This emphasizes the need for a clear strategy around security education for staff at all levels of the company, Proofpoint said. It is essential to ensure that staff are equipped with the tools, experience and confidence to operate safely in their daily roles.
What can be done to prevent risky cyber behavior?
According to Proofpoint, there are several ways organizations can prevent risky behavior among staff and improve overall security resilience. This includes implementing robust tools and solutions to eliminate guesswork for staff along with stepped-up efforts to improve education and awareness.
This type of initiative can work as both a push and a pull, since staff themselves are interested in improving their understanding of cybersecurity threats, Proofpoint found.
94% of workers in Europe and the Middle East said they wanted organizations to “make security easier” for them, while 88% asked for more training options to improve their understanding of security issues.
Proofpoint recommends that organizations take a two-pronged approach to this issue, focusing on two specific groups: those who understand security-related responsibilities and those who do not.
For those aware of their obligations, IT and security leaders should “provide tools that enable people to be more proactive.”
This includes email reporting tools that allow staff to easily flag suspicious messages. Similarly, “nudge” technologies such as email warning labels were found to be a very effective tool in the hands of security-savvy workers.
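As an added illustration of the “nudge” labels mentioned above (example code written for this page, not Proofpoint's product or anything the article describes), the following Python decides whether an inbound message should carry an external-sender warning label. It parses a raw message with the standard library, checks the sender domain against the organization's own domains, and flags two common BEC signals: an external address using the display name of an internal colleague, and a Reply-To that diverts replies to a different domain. The internal domains, the directory of display names and the sample message are all constructed placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example (hypothetical, not from the article): the
# organisation's own domains and a tiny directory of internal display names.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
INTERNAL_DISPLAY_NAMES = {"alice example", "bob example"}


def _domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rpartition("@")[2].lower()


def classify_sender(raw_message: str) -> dict:
    """Decide which warning labels, if any, a message should carry.

    Returns a dict with a boolean per signal plus the list of label strings
    that a mail gateway would prepend to the subject or body.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to_addr = parseaddr(msg.get("Reply-To", ""))

    from_domain = _domain_of(from_addr)
    external = from_domain not in INTERNAL_DOMAINS

    # Display-name impersonation: an external address presenting the name of
    # a colleague, so the recipient sees a familiar name in the inbox.
    impersonation = external and display_name.strip().lower() in INTERNAL_DISPLAY_NAMES

    # A Reply-To on a different domain than From silently redirects the
    # conversation; worth a label even when the From address looks plausible.
    reply_to_mismatch = bool(reply_to_addr) and _domain_of(reply_to_addr) != from_domain

    labels = []
    if external:
        labels.append("[EXTERNAL]")
    if impersonation:
        labels.append("[NAME MATCHES A COLLEAGUE]")
    if reply_to_mismatch:
        labels.append("[REPLIES GO ELSEWHERE]")
    return {
        "external": external,
        "impersonation": impersonation,
        "reply_to_mismatch": reply_to_mismatch,
        "labels": labels,
    }


def label_subject(raw_message: str) -> str:
    """Return the Subject with the computed warning labels prepended."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    labels = classify_sender(raw_message)["labels"]
    return " ".join(labels + [subject]) if labels else subject


# Constructed sample message mimicking a display-name impersonation attempt.
SAMPLE = """\
From: Alice Example <alice.example@mail-lookalike.test>
Reply-To: payments@another-domain.test
To: bob.example@example.com
Subject: Urgent invoice

Please pay the attached invoice today.
"""

if __name__ == "__main__":
    print(classify_sender(SAMPLE))
    print(label_subject(SAMPLE))
```

In a real deployment the same decision would run in the mail gateway or a transport rule, and the internal-name directory would come from the identity provider rather than a hard-coded set; the point of the nudge is that the recipient sees the label before deciding whether to act on the message.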
From a cultural perspective, creating a “champions network,” in which knowledgeable staff members model best practices, also represents a key tactic for organizations seeking to bolster workforce cyber resilience. This helps workers see tangible, real examples of how they should behave, Proofpoint said.
For workers on the other side of the knowledge gap, education is key
According to Proofpoint, users who shirk their security obligations and frequently make risky decisions on this front require personalized advice and information based on their unique roles and circumstances.
Communication, the company said, is essential. As such, IT leaders must emphasize the importance of strong security practices and the potential impact that risky behavior can have on the organization.
In this case, security solutions can help equip workers with vital tools to help close knowledge gaps.
“Advanced solutions can help balance tighter security controls with productivity by reducing the number of threats users face,” Proofpoint said.
“For example, implementing an email security solution that is 99.9% effective means that most users will never have to decide how to respond to a suspicious link.
“Finally,” the company continued, “work with business stakeholders and prioritize ease of use when implementing security policies. Users will be less willing to bypass systems if security aligns with their goals. And they are more likely to use a control if it is intuitive and does not require any training.”
Learn more
Learn more about Proofpoint's findings in Europe and the Middle East in its on-demand webinar, State of the Phish 2024: a year of change in Europe and the Middle East. You can find information on how to register here.