Why should you care about the behavioral risk of your employees?

Eighty-two percent of breaches include user behavior. Not all are phishing, but a majority of them are just that. Phishing is, and has been for many years, the cheapest and most reliable way for an attacker of any motivation to establish a toehold in an organization. Social engineering and phishing are used for initial breach tactics, lateral movement, and elevation of privilege, and, in many cases, they directly lead to data exfiltration.

Worse, breaches cost companies a lot of time and money. Several security research companies have determined that the average data breach costs a company about USD 4 million per incident. Averting even a handful of breach events in any given year can save you millions of dollars and thousands of hours of valuable security operators’ time.

So, how does behavior play into this? Doesn’t my company spend a bunch of money every year on technical solutions to prevent those phishing attacks from making it through? Any organization that cares about its data certainly should invest in exactly those capabilities, but the strategy is incomplete for a few reasons:

  • Technical solutions never have and likely never will provide perfect protection. Humans are capable of incredibly creative and intuitive thinking. Attackers with even a passing understanding of how protective solutions work can easily find gaps and workarounds. Decades of breaches have shown us that any determined attacker will find a way in. Assume breach principles hold that organizations should assume that their ecosystems are breached, that they should not automatically trust their existing protection boundaries, and that they should invest in detection and response mechanisms in equal measure to prevention.
  • Humans are the most valuable part of any organization’s mission. They make all the data. They derive all the most valuable insights. They integrate and maintain all the complicated systems that make up any modern enterprise. An attacker can go after systems to get to data, but the inherent fallibility of humans provides a much more malleable target. You can’t insulate the people in your organization from that risk because they are almost always the ones responsible for creating the asset in the first place. Attackers know that and almost always incorporate social engineering into their plans.

  • Human behavior, especially as it relates to risk, is an incredibly complicated and nuanced process. It is probabilistic in nature, and attackers know that. Factors include the context in which the behavioral choice is made, the knowledge of the human, the attitudes and motivations of the person, externalities such as time pressures and adjacent choices, and the past experience of the human. Any of those factors can change day-to-day, so a phishing attack that a user correctly identifies and avoids today might succeed against that same user in some other context.

Given this context, why should an organization care about user behavior? One reason is that even small changes in behavior can result in significant reductions in risk and every breach you avoid saves you literal millions of dollars. Admittedly, behavior change is hard. The security awareness business has been working to help educate users for decades now, and the human behavior risk portion of the overall risk pie remains large.

To learn more about cybersecurity, visit our website. Contact us for our expert coverage on security matters. Also, follow us at @Networkfort for the latest news and updates on cybersecurity and networking.
