Security leaders still consider ransomware to be the biggest threat facing them today, despite a year of social engineering attacks dominating news headlines.
The finding comes from a new report by Proofpoint, drawn from a survey of 150 UK and Ireland CISOs and CSOs. The research also shows that more than half of respondents believe human error is the biggest risk to their business, which raises the question: why ransomware?
It's mostly because the two types of attack are not separate, says Proofpoint Resident CISO Andrew Rose.
"If I want to get into your organisation and commit some really big financial fraud, what I may well do is I would steal some credentials from your organisation, log in as one of your members of staff and then pretend to [be someone] … So, you've stolen an account to start that fraud and you've done that through social engineering … If you want to do a ransomware attack, a good way to do that is to actually steal someone's credentials, log on as them and use their credentials to actually apply malware…
"Social engineering is endemic to both of those attack paths, whether you're trying to steal money or whether you're trying to implement code and put ransomware down there."
Social engineering is widely accepted to be the easiest way into an organisation, which speaks to the success of IT in other areas. Security professionals have done a great job in securing the environments they're responsible for, leaving attackers with one obvious access point.
Still, infrastructure attacks are not unheard of. Criminals were quick to exploit a vulnerability in Pulse VPN last year, but when organisations began to apply patches, they quickly pivoted back to people.
Singling out your VAPs
With the majority of businesses worldwide operating remotely, it has become more important than ever to know who your most at-risk employees are - something more than two in five CISOs struggle with.
Rose advises using a Venn diagram of Vulnerability, Attack and Privilege:
"Who are the staff who are going to constantly click, and who hasn't done their training this year? … You tend to get certain people in certain roles who fit into that, unfortunately: they're the ones who are incentivised to open the things and engage with the emails that come in … So, all that comes into that Vulnerability piece. That's the first piece.
"The Attack piece is quite simply, who gets attacked the most? Because certain people, when you look at the analysis, really do attract the attention of the attackers … That might link back to a very open LinkedIn profile, which says 'I'm head of payroll' or something like that…
"The final piece of the puzzle is the Privilege. So, who has those access rights? Who has access rights to have admin permissions within the system? Who has access rights to the sensitive information? Who's got access to all the financial abilities to pay cheques, pay invoices, etc?"
The people at the centre of the diagram will be the most vulnerable people in your organisation. There is no single way to protect them; one of the 'joys' of security is that the answer to every problem is contextual, and it's up to the CISO to craft a bespoke solution.
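One way to turn the three-circle model into a repeatable ranking, as an added illustration that is not Proofpoint's or the article's own code: each employee is tested against a Vulnerability, Attack and Privilege condition, and people are ordered by how many circles they sit in. The staff records, thresholds and privilege names are constructed assumptions, not figures from the survey.

```python
from dataclasses import dataclass, field

@dataclass
class Employee:
    name: str
    role: str
    sim_click_rate: float       # share of phishing simulations clicked (assumed metric)
    training_complete: bool     # finished this year's training programme
    attacks_last_90d: int       # targeted malicious messages seen in the last 90 days
    privileges: set = field(default_factory=set)

# Assumed privilege labels that count as the "Privilege" circle.
SENSITIVE_PRIVS = {"domain_admin", "payroll", "approve_payments", "customer_pii"}

def vap_assessment(emp, click_threshold=0.2, attack_threshold=10):
    """Return the set of VAP circles this employee falls into."""
    circles = set()
    # Vulnerability: habitual clicker, or not trained this year
    if emp.sim_click_rate >= click_threshold or not emp.training_complete:
        circles.add("Vulnerability")
    # Attack: attracts an unusually high volume of targeted messages
    if emp.attacks_last_90d >= attack_threshold:
        circles.add("Attack")
    # Privilege: holds admin, payment or sensitive-data rights
    if emp.privileges & SENSITIVE_PRIVS:
        circles.add("Privilege")
    return circles

def rank_vaps(employees, **thresholds):
    """Order staff with the centre of the diagram (all three circles) first."""
    scored = [(e, vap_assessment(e, **thresholds)) for e in employees]
    scored.sort(key=lambda pair: (-len(pair[1]), pair[0].name))
    return [(e.name, sorted(c)) for e, c in scored]

# Constructed sample staff list.
STAFF = [
    Employee("Alice Ng", "head of payroll", 0.30, False, 25, {"payroll", "approve_payments"}),
    Employee("Bob Osei", "developer", 0.00, True, 3, {"prod_deploy"}),
    Employee("Carol Diaz", "IT administrator", 0.10, True, 12, {"domain_admin"}),
    Employee("Dave Lee", "intern", 0.50, False, 2, set()),
]

if __name__ == "__main__":
    for name, circles in rank_vaps(STAFF):
        print(f"{name:12} {', '.join(circles) or '-'}")
```

The output puts Alice at the top because she is in all three circles; the thresholds are the knobs a CISO would tune to local context.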
Don't call it awareness training
Education is one solution. Fewer than a third (28 per cent) of CISOs in Proofpoint's survey said they run a comprehensive training programme more than twice a year, although nearly three-quarters (73 per cent) want to improve on the training they offer.
Training is good, but Rose says the language needs to change; referring to it as 'security awareness' is outdated.
"The analogy I constantly use on this one is smoking. Smoking has 100 per cent awareness that it's dangerous for you because it's written on every packet, but still people smoke. So how do you change awareness into behaviour? And how do you change behaviour into culture? That's what these CISOs need to focus on: this isn't about security awareness anymore, it's about behaviour."
Changing behaviour is key to lowering your risk. Social media companies like Facebook and Instagram don't get repeat visitors purely through awareness; they make a concerted effort to change behaviour, to turn visiting a site into part of your day. Awareness is only the first step, and the same applies to security.
"Awareness is the first piece, and it'll give you some return, but don't stop there. So many CISOs do that … You haven't finished, you have to change it and start to call it a culture programme or behavioural programme."
There is good news on this front: three-quarters of CISOs in Proofpoint's survey expect their budgets to rise over the next two years, and half say they'll invest in training as a top priority. Rose also expects a significant investment in consolidation and visibility.
Businesses have undergone dramatic changes since March 2020. Massive cloud adoption, acceleration of digital transformation and - typically - a spike in shadow IT are just a few of the common results. Rose stresses that CISOs cannot and will not rest easily until they're confident that they have control.
"Lots of CISOs have just not got that deeper confidence that everything is done. They've ticked off some of the big risks, but it's like, 'We're not finished here. I need to go back and look at what we did in 2020 and make sure the controls we put in place are still there, they're still working, people haven't bypassed them; that shadow IT hasn't come in and given me a new data feed that I've never seen before, that I've got no control over'.
"If budgets recover in 2021, as we sort of expect them to, I think you'll see CISOs going back and investing in things like data leak prevention and insider threat management, to make sure they've got full visibility of how the organisation's changed in the past 12 months. They'll bring more training back in, and they'll look at compliance issues, as well."
Security is a massively broad area, from the people physically guarding the data centre to the ones building your code base. As the sun begins to peek out and news about the pandemic continues to improve, CISOs and CSOs deserve both time and support to make sure their own reports can be equally uplifting.