Five Ways to Defend Against People Risk & User Error

With the increased incidence of “social engineering” tactics like phishing, people have become one of the biggest security risks for organizations of all types.

Understanding Cyber Risk

There are two sides to cyber risk that brokers should understand when selling a cyber policy. 

One gets talked about the most (at least by vendors who sell cybersecurity solutions): IT defenses. That means being prepared to keep out snooping hackers with technology solutions like firewalls and encryption, monitoring to know when an attack is taking place, and defense plans to take action when you are being attacked. 

The other side of cyber risk is less sexy because it has no easy solutions. That is the people: your clients’ employees, their business partners, and their clients. With the increased incidence of “social engineering” tactics like phishing, people have become one of the biggest security risks for organizations of all types -- government and private industry; high-tech and old-school; large and small. 

After many high-profile reports of social engineering in the past few years, there has been a surge in organizations providing information and training for their employees, teaching them to look out for these social engineering tactics. Perhaps you’ve sat through a mandatory webinar yourself. Those efforts are starting to pay off, as surveys this year have started to show reductions in self-reported risk in categories that include phishing and social engineering. Yet the continued prevalence (and success) of malware and phishing points to the limitations of training and education. Cybercriminals aren’t giving up so fast.

In fact, your client’s technical defenses can directly impact social engineering risk. Criminals go after companies they can identify as having low defenses because they are less likely to have adequate training programs in place. Often the victims in these situations are smaller companies without dedicated IT resources to provide proper education and protocol to their employees. At the other end of the spectrum, larger established companies whose sheer scale prevents them from being able to take advantage of the most up-to-date IT defenses can provide fertile ground because their organizational complexity is easy to exploit. 

Whatever category your client falls into, there are steps they can take to mitigate risk. 

Defending Against “People Risk”: Five Ways to Prepare

With social engineering and phishing, your “defenses” are a combination of your technical defenses and of your people. At Corvus, we review your IT setup and identify any gaps that could lead to greater vulnerability (this is included in our Dynamic Loss Prevention reports). Any business should cover 5 key aspects to both prevent and mitigate the impact of “people risk”:

Training and Education

• Social engineering often comes down to a momentary lapse in judgment - someone absentmindedly clicked a link or rushed to respond to an email without thinking it through. Employees often know soon after they’ve made a mistake that something is wrong, but the damage has been done. That’s why regular education is critical to help them get ahead and recognize the signs of a social engineering effort. Routinely educating employees with examples of what to look out for is now a necessity for any organization. Organizations can even learn if they are at elevated risk by looking at how many new employees they have since new employees are most at risk for falling for social engineering. If your clients aren’t already engaged in some sort of training and education, this would be the first step.

Monitoring Sentiment

• Look out for rogues. What looks like a social engineering incident is not always an accident; sometimes the call is coming from inside the house. Monitoring internal employee sentiment may help your client identify trends in morale that may lead to disgruntled employees before a cyber event occurs. This could involve using reports that gather data from sites like Glassdoor and LinkedIn to help your client know when their risk is highest.

Monitoring Dark Markets

• Being aware of the risks your employees face is critical. People often reuse passwords, so your clients should ensure that their employee's passwords, emails, and other info are not showing up for sale in databases used by cybercriminals. This requires gathering data through dark-web monitoring on an ongoing basis to stay ahead of the curve.

Response

• With a high likelihood that any organization will be affected by social engineering at some point, your clients should have proper resources to respond to cybersecurity events. Ensuring that the proper staff in place to respond to cyber events can mitigate the impact or stop breach incidents altogether. Services exist to guide clients through the response to a breach as part of some cyber insurance policies.

Transferring Risk

• Cyber insurance policies typically offer coverage for the types of social engineering exploits that lead to losses for your clients. The best policies go beyond coverage and help to inform the policyholders’ strategy for preventing losses. Many of the services mentioned above come as a value-add with cyber insurance policies, such as phishing testing, monitoring of company employee sentiment, evaluation of your IT team staffing, and dark web monitoring. Cyber insurance also helps clients navigate the stressful situation of dealing with a breach, including finding third-party resources to help.

Perhaps you’re gathering the conclusion here: gathering data on how risky your client’s business is and having a response plan in place are key to ensuring that the right level of effort is taken to mitigate risk and prevent loss.