Federal agencies are all too aware of the myriad of outside threats facing their organizations. Beyond external threats, federal agencies should also be looking at insider threats and considering a people-centric approach to cyber security.
Bruce A. Brody, Resident CISO at Proofpoint Federal, shared in a recent report that “people have become the weakest link in the cybersecurity chain.” It is important for government workers to be aware that “the federal government’s information technology systems and networks have been and continue to be attractive targets for foreign intelligence services and other malicious actors in cyber space,” said Brody.
According to the report, “over 99 percent of cyber attacks are human activated, which means they need a human being to activate the attack by opening a file, clicking a link or being tricked into taking some other type of action.” To this end, it would make sense for agencies to shift their focus from external attacks to a people-centric approach to cybersecurity.
Common ways that threat actors initiate insider threat attacks are phishing, password spraying (a “brute-force attack”) and “credential-stealing malware.” With a password spraying attack, the goal is not only to steal credentials, but also to “take over accounts in order to establish persistence and move laterally. This establishes a foothold for cybercriminals and allows them to search for important data and exfiltrate it,” according to the report. A recent Federal Bureau of Investigation report cited “more than $26 billion in losses and more than 166,000 incidents worldwide in 2019 as a result of business email compromise (BEC) and email account compromise (EAC).”
For Brody, taking a people-centric approach is essential. “If federal CISOs truly want to mitigate the risk of a breach, security attention, and resources must shift from focusing on endpoints to focusing on people.” This is because “attackers consistently use email as the No. 1 threat vector to launch attacks, primarily because it works.” With this in mind, agencies have a responsibility to educate workers on these types of attacks and on how attackers mine personal information in order to craft a personalized attack.
While it used to be true that phishing attacks were primarily directed against C-suite executives, there has been a shift in who exactly is the prime target. After examining the data, Brody and the Proofpoint team coined the term Very Attacked People™, or VAPs. These are the individuals that “have access to [data] and have the behaviors that indicate that they might fall for a modern, social-engineered attack.” Examples of VAPs include “someone on an important secretive project, someone who has the privileged access to transfer money, or someone who monitors the emails and manages the calendars of senior leadership.”
By using a people-centric approach to cybersecurity, government organizations are able to better manage risks and mitigate potential attacks. By starting with agency workers and building an information security infrastructure that is tailored to counteract the most likely threat vectors, federal agencies are able to get ahead of the threats and combat cyber attacks.