Phishing

Lessons from the Human Risk Summit with Chris Novak and Perry Carpenter

by Egress
Published on 8th Nov 2023

Following the release of the Phishing Threat Trends Report, we recently hosted the Human Risk Summit, a coming together of some of the biggest names in the industry to discuss the human element and the role it plays in cybersecurity.

In this post, we’ll recap some of the themes, statistics, and insights from two of our speakers – Chris Novak of Verizon and Perry Carpenter from KnowBe4.

“A united front to secure the human element”

Chris Novak, Managing Director at Verizon Data Security & Cybersecurity Advisor to the White House

According to Chris, data breaches were somewhat of a taboo in 2008 when his company Verizon published the first Data Breach Investigation Report (DBIR). Nobody wanted to admit to a data breach and some companies even threatened Verizon with legal action after assuming they were one of the anonymous businesses mentioned in the report.

Chris spoke of his hopes that the DBIR would be used for change and that the only way to stay ahead of cybercriminals is to collaborate with other cybersecurity industry stakeholders. Staying ahead is the name of the game and that can only be achieved if we share information, tactics, and strategies.

In 2023, 74% of data breaches involved the human element. The ‘human element’ refers to a multitude of things. These include simple human error, insider threats, negligence, and privileged misuse.

Insider threats once accounted for under 10% of data breaches and now, in 2023, they account for 20%. One in five data breaches today is caused by an insider threat. Employees are targeted by hackers because they’re easy to find, the path to reward is fast, and the victim often doesn’t even know they’ve been compromised.

Chris attributes the rise in insider threats to six main causes:

  • Job changes after the pandemic (The Great Resignation) - Newer employees tend to feel less loyalty to a business they have no history with.
  • Employee-employer affinity – Disconnected employees are more likely to pose insider threats.
  • Animosity – Businesses that forced their workers back into the office created unhappiness in the workforce which, in some cases, hardened into a hostile relationship.
  • Greater financial struggles – The global economy suffered post-pandemic and if companies did not offer pay increases in keeping with the rising cost of living, employees may feel that they have no choice but to look for alternative sources of income.
  • Privacy of working from home – Working from home can present employees with an opportunity to ignore company policy or, in some cases, commit data crimes with a far lower probability of being discovered.
  • Overwhelming company supervision – Employers that hover over their employees may cause greater job dissatisfaction and unhappiness. This can then increase the chances of employees being willing to share company data.

Chris then moved away from malicious insider threats and switched to an equally common problem: accidental compromise and phishing emails. Some of the biggest breaches that Chris has ever worked on started with an employee accidentally clicking on a malicious link, typically in an email. One of the greatest weapons that cybercriminals use is social engineering.

According to Chris, social engineering is one of the greatest cybersecurity threats the industry faces today. Attacks are getting more sophisticated. Cybercriminals are generally financially motivated. Cause-driven groups are often more determined.

The most common forms of social engineering attacks are pretexting and phishing. Pretexting is more common in a business email compromise context. We see examples of this when a cybercriminal pretends to be someone else in your business and issues time-sensitive requests, like urgent payments or impending fines.

“Where there isn’t a vulnerable system, there is always a vulnerable human.”

Chris Novak

In contrast, phishing is when a cybercriminal attempts to trick an email recipient into clicking on a link or opening an attachment that carries a malicious payload. Chris explains that both pretexting and phishing are exceptionally common and act as a foothold, an entry point.

Business email compromise is a faster ‘path to cash’ or ‘speed to monetization’ than an attack on a private individual, which could take weeks or months to monetize, if ever. These threat actors only need to be successful once and so we often see them going after the “lowest common denominator” as opposed to a cybersecurity expert within the target company.

Human nature can sometimes undo security training. Humans favor speed and ease of use over safety when they become complacent. For example, employees may find ways around two-factor verification even when policy tells them not to.

Chris ended on a hopeful note. While 74% of data breaches in 2023 involved the human element in either a causal or contributory way, this number was at 82% in 2022. We are seeing positive change and ultimately, the industry is successfully training individuals to become cybersecure and aware.

Key statistics:

  • In 2023, 74% of data breaches involved the human element.
  • In 2022, 82% of breaches involved the human element.
  • 20% of data breach incidents came from insider threats in 2023.

Watch the full "A united front to secure the human element" recording. 

“The mind’s lie: How to respond to employees’ thoughts and actions being hacked”

Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4
Jack Chapman, VP of Threat Intelligence at Egress Software Technologies

We’re all hardwired to be deceived, but how does this translate in cybercrime? This is the basis of the discussion between Perry Carpenter and Jack Chapman.

Perry introduces the idea of ‘change blindness’ with a simple card trick, except it is not so simple after all. Instead of removing one card, he changes the whole deck and in doing so, highlights how easy it is to force people into a certain thinking pattern.

Cybercriminals often create a sense of urgency in their emails to force the recipient into a panicked thinking pattern which will (hopefully, for the hacker) increase the chances that the recipient will click the link or open the attachment – whatever the malicious payload might be.

System 1 versus System 2 thinking is the classic battle of emotion versus reason. System 1 is fast, automatic thinking led by emotion. System 2 is slower, more methodical, deeper thinking where better decisions are made. Both Perry and Jack advise taking a step away from an email if it’s causing stress and anxiety. That added break may help you avoid a security incident.

Emotion-driven thinking governs 95% of our daily lives. This presents hackers with the perfect opportunity to exploit this emotion-driven mode of thinking. They want to spark an emotional reaction as they know it’s less logical and therefore the intended target is more likely to fall for their tricks.

Cybercriminals have stepped up their reconnaissance processes to the point that they’re now using out of office replies, posts on your personal social media channels, and knowledge of your company’s hierarchy. This allows them to personalize phishing emails and make them look even more authentic.

“I think we have to give the attackers credit for understanding human behavior and ... say ‘nicely done’ now how do we defend against that?”

Perry Carpenter

Payloadless attacks are on the rise. These can be described as “true social engineering attacks.” The entire aim of these emails is to encourage someone to send information or do something that furthers an attacker’s goals. Because there is no link or attachment to inspect, this strategy bypasses traditional security defenses. Employees are told to look for bad spelling and outlandish stories and to be suspicious of emails with links and attachments. Hackers know this and write their emails to circumvent those warning markers and avoid detection.

Links within attachments are a new strategy for cybercriminals. It plays on the psychological dissonance between the training that employees receive and the tactics used by the attackers. Cybercriminals are familiar with the concepts taught in corporate cybersafety training and they use this information to inform their criminal tactics. Links within attachments sit one layer below where traditional detection technologies look: a filter that inspects the message body and the URLs in it will not see a link embedded inside an attached document, so these links are harder to detect. A common technique now is to place a link to a trusted source like a Dropbox or a Google Drive folder (which then contains malware) in an attachment.
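The following is an added example, not code from the Egress post or from the summit talks, showing why a link inside an attachment is "a level removed" from body-level inspection and why a link to a trusted file-sharing host (the point made again in the takeaways below) still deserves review. It uses only the Python standard library. The lure message, the sender and recipient addresses, the Dropbox-style URL and the .docx it carries are all constructed here for the demonstration and are not real phishing samples. A .docx is a zip archive in which clickable hyperlinks are stored in word/_rels/document.xml.rels rather than in the visible text, so the scanner reads that file directly.

```python
"""Find URLs that hide inside email attachments rather than in the message body.

Added example (not from the original post). Standard library only; the sample
message and its .docx attachment are constructed below, not real samples.
"""
import email
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# File-sharing hosts that mail filters commonly treat as reputable. A link to one
# is not proof of malice, but it deserves the same review as any other link.
FILE_SHARE_HOSTS = {"dropbox.com", "drive.google.com", "docs.google.com",
                    "sharepoint.com", "onedrive.live.com"}

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def urls_in_text(text: str) -> set[str]:
    """URLs written out literally in a piece of text."""
    return set(URL_RE.findall(text))


def urls_in_docx(data: bytes) -> set[str]:
    """Collect both kinds of link a .docx can carry: hyperlink objects (stored as
    external relationship targets in *.rels) and URLs typed as visible text."""
    urls: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        urls.add(rel.get("Target", ""))
            elif name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                visible = " ".join(el.text or "" for el in root.iter()
                                   if el.tag.endswith("}t"))  # <w:t> text runs
                urls |= urls_in_text(visible)
    return urls


def scan_message(raw: bytes) -> dict[str, set[str]]:
    """Map 'body' and each attachment filename to the URLs found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: dict[str, set[str]] = {"body": set()}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename is None:  # inline body text: what a body-only filter sees
            charset = part.get_content_charset() or "utf-8"
            found["body"] |= urls_in_text(payload.decode(charset, "replace"))
        elif filename.lower().endswith(".docx"):
            found[filename] = urls_in_docx(payload)
        else:  # other attachments: treat as text and look for literal URLs
            found[filename] = urls_in_text(payload.decode("utf-8", "replace"))
    return found


def file_share_links(urls) -> set[str]:
    """Subset of urls whose host is (or is under) a known file-sharing service."""
    flagged = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in FILE_SHARE_HOSTS):
            flagged.add(url)
    return flagged


def build_docx(link_text: str, url: str) -> bytes:
    """Constructed minimal .docx: one paragraph whose text is a hyperlink.
    Enough for this parser; Word itself would also expect [Content_Types].xml."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:hyperlink r:id="rId1"><w:r><w:t>' + escape(link_text) +
        '</w:t></w:r></w:hyperlink></w:p></w:body></w:document>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/hyperlink" Target="' + escape(url, {'"': "&quot;"}) +
        '" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure: clean body text, the only link lives in the attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"  # hypothetical addresses
    msg["To"] = "user@example.net"
    msg["Subject"] = "Updated invoice - please action today"
    msg.set_content("Hi, the revised invoice is attached. Please review before 5pm.")
    docx = build_docx("Open the invoice", "https://www.dropbox.com/s/abc123/invoice.zip")
    msg.add_attachment(docx, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for location, urls in scan_message(build_sample_message()).items():
        print(location, sorted(urls), "file-share:", sorted(file_share_links(urls)))
```

Run stand-alone, the body yields no URLs while the attachment yields the Dropbox link, which is the gap between what a body-only filter inspects and what the recipient will actually click. The point of flagging file-share hosts separately is that a reputation check on the domain alone passes them; the decision has to be made on the file behind the link, not on the host serving it.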

The reality of hackers is vastly different to the images portrayed in the media and the stereotypes we have built on the back of them. Instead of being disgruntled teenagers, these crime syndicates operate like a corporate business with hierarchy, targets, and bonus structures.

Every human being has risk blind spots. We are constantly making risk assessments and our state of mind massively influences the decisions we make. Sometimes the strategies that cybercriminals have developed derail our thinking and that is where data breaches and successful phishing attacks occur.

The best way to manage cybersecurity is to meet people at the point of risk. To stay ahead of cyber criminals, we all need to collaborate with other people and businesses in the cybersecurity space.

Key takeaways:

  • 2023 saw a rise in phishing emails originating from compromised email addresses.
  • Links within attachments are a new attack technique for cybercriminals.
  • Folders in trusted file sharing sources are not always trustworthy.
  • Payloadless attacks are on the rise. This shift is the true meaning of ‘social engineering’ attacks.
  • Focus on cybersecurity providers that integrate with other providers that your business uses.
  • Meet people at the point of risk and help guide them into making better decisions. The color-coded banners from Egress Defend are a good example of this.

Watch the full "The mind's lie: How to respond to employees' thoughts and actions being hacked" recording.