It’s almost 2021 and time for agencies to rethink their security strategy. Recently, there has been a rise in the number of socially engineered attacks, and to combat these attacks effectively, government agencies need to consider a people-centric security approach to better protect sensitive information. Despite this ominous outlook, with email being the primary threat vector for socially engineered attacks, mitigation is possible through training and education for agency workers.
Bruce Brody, Resident CISO, Federal Proofpoint, shared his perspective on a people-centric security strategy in a recent webinar. From his perspective, “the resilience of the user is becoming more and more important,” because people are becoming “the new endpoint.” According to the session, a Gartner report stated that only 10 percent of security spending is on email for the typical enterprise. Conversely, a Verizon report shows that 94 percent of breaches start with attacks targeting people. This highlights a “gross imbalance that needs to be solved,” Brody commented.
People-centric security can be broken up into three categories of protection:
- Protection of email with threat detection and response, information protection, archive and compliance, and fraud defense.
- Protection of people with threat simulation, awareness training, compliance training, and risk analytics.
- Protection of what people access by putting in place cloud threat protections, information protection, secure access edge, and insider threats management.
The number one threat vector, email, can be protected against by focusing on people-centric security solutions. While it used to be executives whose email was targeted in these attacks, the trend now is attacks on mid-level managers, for example, who have access to privileged information in the daily course of their jobs. As Brody put it, this needs to initiate a change of strategy and a “focus on Very Attacked People (VAPs) rather than your VIPs.”
Bill Marciesky, Systems Engineer, Federal Accounts for Proofpoint, echoed Brody’s concerns that “threat actors are adept at using publicly available databases, search engines, and social media to map out the org chart to assess risk, vulnerability, privilege, access, and important at a human level, then going after these human beings with powerful digital weaponry in their arsenal.” In other words, threat actors have become very sophisticated and are able to “rely on their target to do their dirty work on their behalf,” said Marciesky.
For Marciesky, a strong example of this is how threat actors exploit the use of Visual Basic for Applications (VBA) macros. He explained that a “VBA macro alludes to a Microsoft Office document that is used as an exploit. When a user is instructed to leave protected view in enabled editing, unbeknownst to them, a malicious script is usually executed in the background.” This threat, in combination with Business Email Compromise (BEC) and Email Account Compromise (EAC), is on the rise. Marciesky stated that “over $26 billion dollars in over 150,000 organizations worldwide targeted have fallen victim” to BEC and EAC threats, and he believes that this is just the beginning.
There is an urgent need for spending on email security to be increased across the federal government. Marciesky concluded with the statement that “threats specifically start with email. Yet, email-based security often gets the least attention.” In the coming year, it is time for agencies to rethink their security strategy and take on a people-centric security approach.