Phishing is more personalized than previously thought

Lord777

Fostering a security culture among employees is an important part of building a company's information security program. But research has shown that phishing attacks most often lead to compromise not because of the whole team, but because of a small part of it: on average, no more than 12% of employees fall for this risk.

Content:
Introduction
Data Breach Investigation Report 2022
Phishing only affects 4.1 % of users
"Insider" for phishing attacks — who is he?
Portrait of an employee who is prone to risky operations
Attackers are changing tactics
Conclusions

Introduction
At BlueHat 2023, the popular security community event organized by Microsoft, Masha Sedova, co-founder and President of Elevate Security, recently gave a talk. Elevate Security is a startup that is being developed as part of the Microsoft Pegasus partner program. It conducts market research, takes part in projects to improve working teams and runs information security training for them. The topic of Masha Sedova's presentation was the results of a study of a huge database on phishing and malware-based cyber attacks collected around the world over eight years, from June 2014 to July 2022. The data was provided by numerous Microsoft partners; among the fifty or so information security companies involved was, in particular, Kaspersky Lab. Elevate Security set itself the task of finding patterns in the collected data, running simulation tests to check the resulting hypotheses, and trying to understand what features exist in the distribution of phishing and malware and how attackers use them (if such features really exist).

Data Breach Investigation Report 2022
First, we should recall a number of interesting conclusions presented a year ago in the report of a group of researchers from the American telecom company Verizon. It should be noted that Verizon stands out from other players in the telecom market for its attention to the development of new 5G technologies and to security. According to DBIR 2022, the vast majority (82%) of incidents that resulted in confirmed data compromise were directly related to the human factor. The collected global statistics suggest that this is how the attackers concentrated on their main goals: theft of financial data and industrial espionage. The attackers were primarily interested in credentials (63%), corporate information (32%) and personal data (24%). As the report states, the attackers' actions mainly took the form of phishing (68%), illegal acquisition of credentials (32%) and pretexting attacks (30%). Cybercriminals used several methods at once to achieve their result effectively. The analysis showed that the attackers' actions were aimed primarily not at overcoming the installed software protection, but at forcing company employees to perform an erroneous or malicious action. People, therefore, remain the weakest link in the defense.

Phishing only affects 4.1 % of users
Let's return to Masha Sedova's talk at BlueHat 2023. The aim of the Elevate Security study was to test the thesis that data-stealing cyber attacks directed against employees prevail over attacks against software protection tools. The results showed that this hypothesis was formulated inaccurately. The majority of users have a high degree of resistance to phishing attacks: 76% of employees never click on malicious links that they receive through corporate mail or instant messengers. Only 4% of users were responsible for 80% of successful phishing traffic. A similar pattern is observed for malware infection: 93% of employees do not take actions that can lead to such an incident, and 3% of users are responsible for 92% of infections. According to Masha Sedova, this phenomenon is explained by the fact that most people, for one reason or another, are not inclined to take risky actions; "risk appetite" is typical of only a small part of employees. To make sure that the detected pattern is correct, Elevate Security researchers conducted a series of simulated phishing attacks in partner organizations. Samples of unsolicited emails taken from real life were used, but the attacks posed no threat to the companies. More than 3.4 million harmless phishing emails were sent for research purposes. These experiments showed that only 7.6% of users opened the fake emails, and even fewer employees clicked on the phishing link: only 4.1%.

"Insider" for phishing attacks — who is he?
The hypothesis put forward by Elevate Security was that companies contain groups of employees whose actions pose the greatest risk from the point of view of various cyber attacks. Accordingly, it was necessary to distinguish these user groups by some characteristic features. The researchers decided to define a threshold level of propensity to click on phishing links in order to exclude those employees who occasionally perform unsafe actions by mistake but in general do not belong to the risk group. These thresholds were found experimentally, and Elevate Security suggests using them to classify people as "high-risk users". The data is presented in the table.

Note that the table mentions two types of phishing attacks: actual (results of real employee activity) and estimated (results of experimental simulation). Threshold values are also divided into two types: average values, which indicate a transition into the high-risk area, and maximum values, which indicate that the user belongs to the category of high-risk users.
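The concentration statistic from the previous section ("4% of users were responsible for 80% of successful phishing traffic") and the threshold classification described above can be computed from ordinary phishing-simulation logs. The following is an added example, not code from Elevate Security or the BlueHat talk; the event records are constructed, and the two threshold values are hypothetical placeholders, since the study's table is not reproduced here.

```python
"""Concentration and threshold analysis of phishing-simulation results."""
from collections import defaultdict

# Constructed sample: one row per simulated email sent to a user,
# recorded as (user, opened?, clicked?). Not real data.
SIM_EVENTS = [
    ("alice", 1, 1), ("alice", 1, 1), ("alice", 1, 0), ("alice", 1, 1),
    ("bob",   0, 0), ("bob",   1, 0), ("bob",   0, 0), ("bob",   0, 0),
    ("carol", 0, 0), ("carol", 0, 0), ("carol", 1, 0), ("carol", 0, 0),
    ("dave",  1, 1), ("dave",  0, 0), ("dave",  0, 0), ("dave",  1, 0),
    ("erin",  0, 0), ("erin",  0, 0), ("erin",  0, 0), ("erin",  0, 0),
]

# Hypothetical thresholds (assumed values, not the study's): a click rate
# above AVG_THRESHOLD moves a user into the high-risk area; above
# MAX_THRESHOLD the user is classified as high-risk outright.
AVG_THRESHOLD = 0.20
MAX_THRESHOLD = 0.50


def per_user_rates(events):
    """Return {user: (sent, opened, clicked, click_rate)}."""
    agg = defaultdict(lambda: [0, 0, 0])
    for user, opened, clicked in events:
        agg[user][0] += 1
        agg[user][1] += opened
        agg[user][2] += clicked
    return {u: (s, o, c, c / s) for u, (s, o, c) in agg.items()}


def click_concentration(events, top_fraction):
    """Share of all clicks attributable to the top `top_fraction` of users,
    ranked by click count (the 'few users cause most clicks' statistic)."""
    clicks = sorted((v[2] for v in per_user_rates(events).values()), reverse=True)
    total = sum(clicks)
    k = max(1, round(len(clicks) * top_fraction))
    return sum(clicks[:k]) / total if total else 0.0


def classify(events, avg_thr=AVG_THRESHOLD, max_thr=MAX_THRESHOLD):
    """Map each user to 'high', 'elevated' or 'normal' by click rate."""
    out = {}
    for user, (_, _, _, rate) in per_user_rates(events).items():
        if rate > max_thr:
            out[user] = "high"
        elif rate > avg_thr:
            out[user] = "elevated"
        else:
            out[user] = "normal"
    return out
```

On the constructed sample the top 20% of users (one of five) account for 75% of all clicks, which is the kind of skew the study reports; the same two functions run unchanged on a real simulation export with the same three columns.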

Portrait of an employee who is prone to risky operations
What is the real percentage of employees who are inclined to perform risky operations? Are their behavior patterns related to the roles they play in their companies? According to Elevate Security researchers, the share of risk-prone employees is on average about 12%, although in practice it can vary from 5% to 20% depending on various specifics. Elevate Security also puts a "price" on the presence of such employees: they account for about 30% of all phishing incidents, about 54% of all dangerous browser traffic, and 42% of all malware infections. The researchers didn't stop there. Having the results of both real-life and simulated phishing attacks on hand, they determined the shares of "risk users" by the nature of their work (different departments of companies). This summary data is shown in the diagram.

As a result, it was hypothesized that the type of work determines, to a certain extent, the propensity to perform risky operations. This statement by Masha Sedova provoked not only interest from the audience at BlueHat 2023, but also laughter. This thesis can therefore probably be considered controversial.

The researchers also tried to assess how prone company managers are to falling for attackers' tricks. According to the collected statistics, the greatest risks should be expected from middle managers, while senior management and junior management are "safer". The final data is shown in the diagram.

The reader may find the results on the riskiness of management questionable. It should be noted that we are talking about a very small part of users (10-12%). No estimate of the accuracy of the distribution was provided either, although all of the data is probabilistic in nature. But on a qualitative level, these data are undoubtedly interesting. Speaking at BlueHat, Masha Sedova also presented a chart of the relative proportion of employees who make it easier for attackers to conduct cyber attacks against them. According to these data, more than half of users (52%) never respond to malicious links. The remaining part has a very wide distribution.

Among those users who do sometimes take the scammers' bait, the majority (75%) are not inclined to take risky actions. Attackers manage to draw only a small part of employees, about one percent, into their malicious process. That one percent accounts for the majority of clicks on phishing links.

Attackers are changing tactics

The peculiarities of user psychology and users' propensity to perform risky operations are already being actively exploited by some attackers, Masha Sedova believes. According to an analysis of real phishing attacks, the small group of high-risk employees already accounts for about 41% of all successful cybercrime operations. Note that these are the results of experimental studies and should be treated with due caution. But the hypothesis that attackers will soon stop sending their malicious emails to every employee indiscriminately seems to have every reason to be reliable. AI and automation, as well as the development of software tools for assessing users' propensity to perform certain risky operations, may lead attackers to switch to more targeted phishing emails, increasing the effectiveness of their attacks.

Conclusions
Elevate Security evaluated the role of employees in cyber attacks against companies. As it turned out, responsibility lies mainly with a very small group of users. The methods proposed by Elevate Security are also interesting because they can help evaluate users' information security training when selecting candidates for repeated training in the basics of cybersecurity. Similar tests can also be carried out at the recruitment stage or to assess the overall security culture within the company.