Humans remain a key vulnerability point in enterprise security strategies, according to a report from IT security provider Arctic Wolf, which found that 48% of the more than 1,000 senior IT and cybersecurity decision-makers surveyed had concrete evidence of a security breach in the past twelve months.
According to the State of Cybersecurity: 2024 Trends Report, seven in ten (70%) of the companies surveyed were the target of attempted business email compromise (BEC) or email account takeover attacks last year, and almost a third (29%) fell victim to one or more successful BEC incidents.
Additionally, 61% of organizations worldwide identified an insider threat in the last year. In 29% of cases, this resulted in a security incident, and in another third (32%) the threat was identified and resolved before it escalated to a security incident. Even 6% of the 39% who did not identify an insider threat within the last year admitted that they believe they are at high risk for insider threats.
As Sebastian Schmerl, regional vice president of security services for EMEA at Arctic Wolf, points out, not all of these insider threats are malicious or intentional.
“In many cases, it is unsuspecting users who, unknowingly or manipulated by attackers, carry out actions that then lead to a security incident,” he explains.
Schmerl cites examples such as downloading potential malware through calls and emails from a fake service technician or clicking on phishing links in emails, SMS, WhatsApp, Slack, or Teams messages. He adds: “This type of insider threat, just like BEC, can be reduced through an effective security awareness program.”
Effective security awareness training
The emphasis here should probably be on effective. That’s because, according to Arctic Wolf, 88% of companies worldwide already have some form of IT security training in place, and another 10% are in the process of introducing such a program within the next 12 months.
But not all security awareness training programs are equal. Moreover, end-users typically loathe the training regardless of whether you follow best practices.
Also interesting is the fact that only half of the 88% with security awareness training in place (44% of all respondents) chose to purchase and implement a commercial IT security training product. The other half (the remaining 44%) decided to develop their own security awareness program.
There is nothing wrong with a company taking this initiative, says Arctic Wolf — as long as it takes the time to develop a high-quality program that reinforces key security concepts at regular intervals. But according to the survey, of the companies with a security awareness program, only 42% use weekly topics and lessons, more than half have a monthly rhythm, and 7% require their employees to complete these lessons only once a year.
Furthermore, only 77% run simulated phishing attacks. For the remaining 23%, the programs consist exclusively of lessons or explanations describing what phishing emails look like. This is better than not educating users at all about how to identify and report phishing attempts, Arctic Wolf comments on the result, but it is not as effective as the practical approach of sending users simulated phishing emails.
More transparency about security incidents
Another interesting result of the study: When it comes to security incidents, companies have become significantly more transparent. Last year, only 26% of those affected worldwide decided to disclose all or at least some of the information about their incident, but in the current study period two thirds (66%) made this information public. A third (30%) informed only the parties concerned.
According to Arctic Wolf’s Schmerl, the reasons for the increased openness are certainly the documentation and reporting requirements of existing or future stricter cybersecurity guidelines (such as NIS2). At the same time, companies can no longer be sure that attackers will not make the incident public, which can lead to significantly greater reputational damage, explains Schmerl. Nevertheless, this trend can be seen as positive: The cybersecurity community can take more effective measures if it has more information about how attackers operate.
Data exfiltration on the rise
This is especially true as attackers have become more aggressive in recent years and no longer only encrypt data but also exfiltrate it, according to Arctic Wolf.
Of all the companies that have fallen victim to a ransomware attack in the last twelve months — 45% of those surveyed — the majority (86%) reported that successful data exfiltration was part of the attack. It is therefore not without reason that 51% of companies in the study named ransomware as the biggest concern of IT security managers worldwide.
The solution? “Good ransomware negotiators and a team that supports recovery and damage limitation measures throughout the entire process are crucial to keep the impact of the attacks and the damage as low as possible and to quickly regain business continuity,” says Schmerl.