It was the most significant breach ever reported, but its origins were not uncommon. The 2024 Change Healthcare ransomware attack, which affected 190 million individuals and came with a price tag of $2.6 billion (and counting), started with an unauthorized intrusion.
We spend billions of dollars annually on the best cybersecurity equipment innovated to date, but more and more, attackers are skating around our best defenses and compromising the one thing enterprises can’t control: human impulses.
People Security Management is a vastly undervalued area in cybersecurity today, and the lack of attention is alarming. Between 80% and 90% of all compromises start by tricking a human into a bad click, a malicious download, or an ill-advised transaction. Yet most enterprise security stacks keep human risk management on the back burner.
It's time to change the paradigm. That begins with changing some core misconceptions.
Misconception #1: Security Controls Are Enough
The cybersecurity industry has done a great job of building advanced, hard-to-penetrate solutions that can counter attackers’ best moves. In response, attackers have been avoiding them at all costs.
We are seeing more human-targeted attacks. Look at the most lucrative attack method in the latest FBI IC3 report: BEC, by a landslide. It caused over $2.7 billion in losses, a staggering 224 times the amount caused by ransomware, and yet we are probably spending at least 224 times more on sophisticated ransomware defense than we are on training people not to fall for BEC scams.
Do high-powered, high-tech solutions have a place in today’s stacks? Of course. Take them out and see what happens. But high-powered, human-centric security management has a place, too.
Misconception #2: One-and-Done Training Is Enough
Anyone who’s ever trained a new hire knows that repetition is the true parent of learning. One-off security awareness training doesn’t work, and there are two reasons.
One is that people forget things. According to the forgetting curve, people forget about 50% of what they see and hear almost immediately, and that share only grows with time.
Two, the threat landscape never stays stagnant. New exploits are constantly emerging, attackers are always innovating, and the attack surface is always expanding in new ways. Training that covered mobile threats five years ago wouldn’t have prepared teams for the QR code threats that appeared just a year later.
Now that AI is firmly in the landscape, things change every few months – or weeks.
Misconception #3: People Understand Why Training Is Important
Unless they’re a cybersecurity expert, most non-IT or technical users are not going to understand – really understand – the value of what they’re being asked to do when security awareness training time comes around.
Typically, they get a (nuisance) email in their inbox telling them they have 30 days to take this mandatory security training, or else. That’s never a good start.
Security leaders are knee-deep in this stuff all day, and it’s a no-brainer to us why our people should learn to spot phishing emails, BEC scams, AI-based transfer frauds, and the like. But to someone in HR, sales, or R&D, it may seem like simply a compliance exercise the company runs to avoid failing an audit.
The unfortunate truth is that many companies do take that approach, and it’s a shame, because up to 9 out of 10 attacks originate when people engage in sloppy security practices. If we told them that up front and honored them with the why, they would be likelier to do the what.
People generally have an intrinsic desire to contribute to the common good, and company loyalty has a part to play. When you tell them their efforts are essential to the solution (and that there’s a big problem called social engineering), most will want to help out.
Misconception #4: We Have to Hide When Something Goes Wrong
There’s a difference between calling out the mistake and calling out the person who made it. The second is unnecessary, but managers should not be afraid to call out when a social engineering scam has succeeded within the company.
Instead of a time for blame, it’s a time to learn and ask questions collectively. If you see something, say something. And nothing makes it hit home like a real-world incident that has spread around the company, without naming names, of course.
This opens up the dialogue. How do we set ourselves up for success? How do we create a culture where these things are okay to talk about? Because every time an employee spots a phishing email and submits it to their Security Operations Center for analysis, that's a win.
Misconception #5: Attackers Only Target the High-Value Items
We have a tendency to think cyberattacks are going on “over there,” targeting state secrets and the super high-profile assets our enterprises lock away in their vaults. But the reality is that attackers go after credentials.
Credential theft is one of the most common forms of attack, and one that every employee can help defend against. Attackers try to scoop up as many sets of user credentials as possible (for banks, finserv apps, retail stores) and then monetize them on the dark web. This is how a lot of bigger breaches start, and employees don’t know that.
We need to make them aware. Attackers know there’s only so much we can do to stop a person from clicking on an email from “Microsoft” in the privacy of their own inbox, so the best advice we can give them is to slow down.
Where to Start
The best advice I can give on improving People Security Management is to get back to basics. Companies need to start where they are, and before anything else, they have access to their employees.
Tell them to slow down. Read your messages, emails, and text messages slowly. Hover over links before clicking them, and stick to the fundamentals. Just doing the fundamental things dramatically improves your probability of success and safety.
Back them up with the right email security. Obviously, users can’t do it alone. Companies need to invest in modern email security tools that can spot things like phishing and BEC scams, and that typically relies on AI.
Invest in Human Risk Training. Common sense aside, there are just some things users need to be told. Attackers are sneaky. It’s a full-time job to keep up with everything they’re trying to do, and there’s no way your employees will know those things without being told.
Also, familiarity helps. Employees need to become familiar with the look and smell of scams. They need to understand how scams present themselves so they are better prepared when one arrives. We need to remove that element of surprise.
Final Thoughts
Users, not systems, have become attackers’ favorite targets, and with the help of AI, attackers are only getting better at what they do. If we as security leaders don’t parry that blow with improved Human Risk Management, we’re just giving attackers an uncontested lead.
We must use every tool: security awareness training, a safe security culture, advanced email solutions, and solid security controls. But we also have to give users the ability to take time for security and to know they won’t pay for it later.
We must make it safe to see, spot, report, and wait.
The very best tools are a working brain and good instincts. If something doesn't look right, don't click it. Instead, send it to somebody on your security team and hold tight while they take a look.
The world will wait while that message is being analyzed.