The culture of risk analysis extends as much to the most technical subjects as to human issues.
Today, 80% of cyber-attacks exploit human vulnerabilities. To meet this unavoidable challenge, the major difficulty for CISOs and their teams is to quantify and assess the cyber risks of their employees. This challenge goes beyond the role of the IS/SSI team, as risk scoring influences corporate security governance at executive level.
The measurement methods often used involve results from phishing tests or training quizzes. Where these methods are lacking is in their ability to assess behavior, or an increase in knowledge. They do not allow us to measure the real risk incurred by managers and employees, by taking into account the attackers' point of view. Above all, they fail to assess the human risk, with all its range of threats: spear-phishing, identity theft, account takeover, bypassing multi-factor authentication (MFA by passing), and so on.
The other challenge for ISS teams in managing employee-related cyber risks is the blind zone represented by their personal uses: social networks, shadow IT, BYOD... This personal sphere escapes the company's protection perimeter, even though it is the preferred attack vector for hackers and a risk amplifier. It is therefore essential to be able to consider employees as a whole, integrating this personal dimension into the assessment of human cyber risks and the deployment of remediation actions.
Last but not least, diagnosing and assessing human cyber risks has the advantage of providing a more concrete and appreciable forum for discussing cybersecurity issues with senior executives, and a real lever for facilitating the work of CIOs/CISOs. Talking to your VIPs about their own protection, while being able to measure their actual level of risk, is a proven way of involving them, both in the remediation of their own exposure and, more broadly, in cybersecurity governance issues.
Generally speaking, a person is defined as being at risk within his or her organization by his or her status – Executive Committee members -, by his or her access rights and mandates. Moreover, even if Executive Committee members should all be de facto protected - according to our latest study, 70% of Executives and senior managers have a high-risk cyber exposure level - it is very useful to be able to base the deployment of protection on a real level of cyber exposure.
One way of assessing a company's real human attack surface is to detect and analyze all human indicators of compromise (IoC-H ANOZR WAY) exposed on the web, including social networks, and leaked on the darkweb. We have defined around 40 types of professional and personal data (credentials, identity data, financial data, health data, hobbies, network of relations, etc.) to be taken into account in human cyber risk management. These IoC-H correspond to the data collected and exploited by hackers in their attack scenarios against managers and employees. This is what feeds our human cyber-risk scoring algorithm.
This scoring assesses cyber risks at both entity and individual levels, making it possible to identify the managers and employees most exposed in the eyes of the attacker. This risk diagnostic takes into account the social engineering methodologies used by cybercriminals, and the range of threats with the highest prevalence: spear-phishing, identity theft, account takeover, bypassing multi-factor authentication (MFA by passing), etc.
As this approach is based on real vulnerabilities exploited by hackers, it goes beyond a simple assessment of human cyber risk to enable us to define a concrete remediation plan. In fact, we have observed an average 68% reduction in the human attack surface and associated risks for our customers.