Though the world of cybersecurity is perpetually shifting, one truth has remained constant: humans are generally the weakest link in an organisation’s defence.
Despite this long-standing warning, a significant cybersecurity awareness gap persists in South Africa, writes Zaheer Ebrahim, solutions architect for Trend Micro Middle East and Africa.
Recent national surveys by the Council for Scientific and Industrial Research (CSIR) reveal an alarming reality: fewer than a third of organisations have put more than half of their employees through cybersecurity training in the past year.
It’s perhaps not surprising then that almost half of these organisations experienced between one and five cybersecurity incidents last year, with phishing and malware attacks leading the charge.
And it is not only how often training is conducted that is a problem, but also how rarely the training material is updated.
Often these modules are not even created in collaboration with the IT or security team. Worse, when the same outdated training is repeated year after year, employees can develop overconfidence in their ability to spot phishing attempts, leaving them more exposed rather than less.
While sub-par phishing attempts with bad spelling and suspicious URLs may have been easy to spot in the past, artificial intelligence has quickly removed these simple tells. Trend Micro’s recent predictions report warned of the potential for highly sophisticated “digital twins”.
In these cases, cybercriminals use personal information that has already been leaked to train a large language model (LLM) so that it mimics the knowledge, writing style and personality of the employee they want to impersonate. Combined with deepfake technology, this can make it almost impossible for the intended victim to realise they are dealing with an imposter.
We’ve seen incidents where even seasoned security experts have had close calls on the receiving end of AI scams. One alarming instance involved an AI-generated phone call flagging suspicious activity on the user’s Gmail account.
Not only did the call appear to come from a legitimate Google number, but it also mimicked human conversation flawlessly and was followed, on request, by a highly authentic-looking email. Caller ID is trivially spoofed, so a familiar number is no evidence of who is actually calling; the safe response is to end the call and contact the provider through a channel you look up yourself.
As this level of AI-generated attack becomes increasingly common, it is ill-advised for organisations to leave employees without the awareness and training they need to protect themselves.
Quantifying your company’s level of human risk
The good news is that while bad actors are finding more calculated ways of targeting employees, defenders are also developing more rigorous approaches to protecting them.
Through a risk-based approach, businesses can identify high-risk employees before they are targeted. AI-driven attack path analysis, for example, can predict which employees are most likely to be singled out and proactively put them through phishing simulations modelled on real-world attacks.
At Trend, for example, we have an extensive library of phishing simulations that authentically mimic the latest attacks employed by cybercriminals. These are constantly updated based on our threat intelligence and data.
Staff responsible for payroll are a good example of individuals at high risk of being targeted, because they can redirect payments. Such employees can be put through phishing simulations selected on specific criteria such as their department or location.
Each employee’s pass or failure rate feeds an individual risk score, and these roll up into an overall risk score for the organisation. The scores give businesses a holistic view of how human risk affects their security posture: an objective picture of where their greatest risks lie and which should be addressed first.
For example, if an employee is caught by a simulated phishing campaign and “pays” a fake supplier thousands of dollars, the organisation can apply Zero Trust rules and restrict that individual’s access until they have completed tailored training.
These simulations should then be scheduled at regular intervals so that employees are consistently engaged in cybersecurity training, and so that a single good or bad result does not fix someone’s score for a year.
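The scoring and gating procedure described above, as an added illustration that is not Trend Micro’s product logic: the script groups simulation outcomes per employee, weights them by how much damage the outcome would have done and by how attractive the employee’s department is to an attacker, rolls the results up into an organisational score, and decides who should be restricted until they complete training. The outcome and department weights, the threshold, the minimum sample count and the sample results are all assumed values chosen for the example. Two details matter in practice and are handled here: an employee with too few results is reported as “insufficient data” rather than “low risk”, and an outcome the scheme does not recognise raises an error instead of silently counting as harmless.

```python
"""Human-risk scoring from phishing-simulation outcomes.

Added illustrative example (not Trend Micro's product logic). It assumes a
minimal record per simulated lure: who received it, their department, and
what they did with it. Weights, thresholds and the sample data are all
assumed values chosen for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Cost of each outcome. Reporting a lure earns credit; handing over
# credentials or "paying" a fake invoice costs the most. (Assumed weights.)
OUTCOME_WEIGHT = {"reported": -0.5, "ignored": 0.0, "clicked": 1.0, "submitted": 2.0}

# Departments attackers favour carry a multiplier (assumed values).
DEPT_WEIGHT = {"payroll": 2.0, "finance": 1.8, "executive": 1.8, "it": 1.5}
DEFAULT_DEPT_WEIGHT = 1.0

RESTRICT_THRESHOLD = 1.5   # employee score at or above this triggers restrictions
MIN_SAMPLES = 3            # fewer results than this is "unknown", not "low risk"


@dataclass(frozen=True)
class SimResult:
    employee: str
    department: str
    outcome: str  # one of OUTCOME_WEIGHT's keys


def employee_score(results: List[SimResult]) -> float:
    """Average outcome cost scaled by department weight, floored at zero.

    Raises ValueError on an outcome the scheme does not know, rather than
    silently treating a new failure mode as harmless.
    """
    if not results:
        return 0.0
    try:
        total = sum(OUTCOME_WEIGHT[r.outcome] for r in results)
    except KeyError as exc:
        raise ValueError(f"unknown simulation outcome: {exc.args[0]}") from None
    dept = results[0].department
    raw = total / len(results) * DEPT_WEIGHT.get(dept, DEFAULT_DEPT_WEIGHT)
    return max(0.0, raw)


def assess(results: Iterable[SimResult]) -> Dict[str, dict]:
    """Group results per employee and decide an action for each."""
    by_employee: Dict[str, List[SimResult]] = {}
    for r in results:
        by_employee.setdefault(r.employee, []).append(r)

    report: Dict[str, dict] = {}
    for employee, rows in by_employee.items():
        score = employee_score(rows)
        if len(rows) < MIN_SAMPLES:
            action = "insufficient_data"        # schedule more simulations first
        elif score >= RESTRICT_THRESHOLD:
            action = "restrict_until_trained"   # hook for a conditional-access policy
        else:
            action = "ok"
        report[employee] = {"score": score, "samples": len(rows), "action": action}
    return report


def organisation_score(report: Dict[str, dict]) -> Optional[float]:
    """Mean of scores that rest on enough samples; None if nothing is measurable."""
    measured = [v["score"] for v in report.values() if v["samples"] >= MIN_SAMPLES]
    return sum(measured) / len(measured) if measured else None


# Constructed sample data: outcomes from three campaigns for four people.
SAMPLE = [
    SimResult("alice", "payroll", "submitted"),
    SimResult("alice", "payroll", "clicked"),
    SimResult("alice", "payroll", "reported"),
    SimResult("bob", "engineering", "reported"),
    SimResult("bob", "engineering", "reported"),
    SimResult("bob", "engineering", "ignored"),
    SimResult("bob", "engineering", "reported"),
    SimResult("carol", "finance", "clicked"),
    SimResult("carol", "finance", "ignored"),
    SimResult("dave", "it", "clicked"),
    SimResult("dave", "it", "ignored"),
    SimResult("dave", "it", "ignored"),
]

if __name__ == "__main__":
    rep = assess(SAMPLE)
    for name, row in sorted(rep.items()):
        print(f"{name:6} score={row['score']:.2f} samples={row['samples']} -> {row['action']}")
    print("organisation score:", organisation_score(rep))
```

On the sample data, alice (payroll, one credential submission and one click out of three) lands above the threshold and is flagged for restriction, bob’s consistent reporting floors his score at zero, dave stays under the threshold, and carol is marked as having insufficient data because two results are not enough to judge her. The organisational score is the mean over employees with enough samples only, so an unmeasured population cannot drag the number down and create false comfort.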
In an era of sophisticated AI-driven cyberattacks, user education and awareness are vital. Simplistic phishing emails are a thing of the past; today’s landscape requires a nuanced, risk-based approach to managing human vulnerabilities.
By identifying high-risk employees and providing tailored, up-to-date training, organisations can turn their weakest link into a strong defence. Embracing this approach is essential, because keeping pace with the evolving threat landscape is what makes organisational resilience against cyberthreats possible.