Human vulnerabilities are often the primary entry point for hackers. From an attacker’s perspective, the wealth of information available on the web and dark web is a goldmine for learning more about their targets. However, individuals have the power to reverse this dynamic. By adopting best practices and reducing their digital footprint, everyone can become a key player in their own protection, making it significantly harder for hackers to succeed.
According to the annual CESIN (French Club of Information Security and Digital Experts) – OpinionWay barometer, 49% of French companies acknowledged experiencing at least one significant cyberattack in 2023, and, according to France Num, 90% of attacks involve the human factor, which remains the main target of social engineering attacks such as phishing, identity theft and account compromise. It is therefore essential to implement specific measures to mitigate human cyber risk and shield organizations from increasingly sophisticated and damaging cyberattacks.
Cybersecurity: What is “Human Cyber Risk”?
Human cyber risk refers to the behaviors or errors of users that could compromise the cybersecurity of an organization. This risk can arise either intentionally or accidentally.
Types of Risky Behaviors
Risky behaviors are often unintentional: an employee is deceived into falling into a trap set by hackers. Social engineering attacks such as phishing and identity theft exemplify this. During a phishing attack, for instance, typically only 60 seconds elapse between the moment the email is opened and the moment the fraudulent link is clicked. Alarmingly, in 80% of cases, phishing attempts are not reported by employees. In addition, the rise of deepfake technology has expanded the range of manipulation techniques, adding a new layer of risk.
Sometimes, human risks stem from voluntary but negligent actions, such as:
- Failing to comply with company security policies.
- Using company-provided IT equipment for personal purposes (and vice versa).
- Using weak passwords, or reusing the same password across multiple accounts.
- Sharing sensitive information publicly on social media (e.g., personal details, photos, friend/family lists).
The Rise in Human Cyber Risk
Several factors are contributing to the rise in human cyber risk, including:
- The growing amount of personal data available due to widespread social media usage.
- The advancement of OSINT (Open-Source Intelligence) techniques used by attackers.
- Increased remote work, blurring the lines between personal and professional use of IT equipment.
- The rise of deepfake technologies.
- Large-scale attacks targeting public and private organizations to harvest personal data for phishing campaigns.
Social Engineering Attacks
Social engineering attacks rely entirely on exploiting the human factor, making them particularly insidious and effective. Their goal is to deceive users or bypass their vigilance to steal sensitive company data, misappropriate funds, or launch further attacks.
Types of Social Engineering Attacks
Social engineering exploits employees' personal data that attackers have gathered beforehand. Using OSINT tools and data leaks on the dark web, attackers often need only an email address (personal or professional) to trace a target. Personal data accounts for 70% of stolen information globally, and it facilitates various types of attacks:
- Phishing: Fake emails that appear to come from trusted sources, urging recipients to open infected attachments or share sensitive information. In 2023, phishing affected 60% of French companies.
- Spear-phishing: A more targeted form of phishing, using personalized messages based on information found online.
- Smishing/Vishing: Variants of phishing using SMS (smishing) or voice calls (vishing), often posing as support agents or technicians.
- Identity Theft: Compromised email accounts used to send fraudulent messages impersonating the victim. Advanced deepfake technologies amplify these risks, including scams like "CEO fraud".
- Data Extortion: Cybercriminals exploit compromising information, or threaten to release fake information, to damage a company's reputation, extort sensitive data or infiltrate networks.
Common Techniques in Social Engineering
- Urgency: Pressuring victims to act quickly without reflection, citing imminent threats or opportunities.
- Authority: Impersonating figures of authority (e.g., executives, law enforcement) to appear credible.
- Empathy: Exploiting compassion by pretending to be in distress or a colleague in need.
- Curiosity: Leveraging intrigue with mysterious or enticing messages.
- Flattery: Using compliments to lower suspicion and build trust.
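As an added example (not code from the original article), the Python script below triages a constructed inbound email for the indicators described in the two lists above: a lookalike sender domain (exarnple.com standing in for example.com), a display name claiming a trusted identity from an outside address, a Reply-To that diverts replies, urgency/authority/credential-lure wording, and a link whose visible text differs from where it actually goes. The trusted-domain list, the keyword lists, the weights and the two sample messages are all assumptions made for the example. It is a heuristic for awareness and first-line triage, not a substitute for email authentication (SPF, DKIM, DMARC) or a secure email gateway.

```python
"""Heuristic triage of an inbound email for social-engineering indicators.

Constructed example: TRUSTED_DOMAINS, the keyword lists, the weights and the
sample messages below are assumptions for illustration, not real data.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed: the organisation's own domain and one partner domain.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

URGENCY = ("urgent", "immediately", "within 24 hours", "act now", "will be suspended")
AUTHORITY = ("ceo", "chief executive", "legal department", "law enforcement", "tax office")
LURE = ("verify your password", "confirm your credentials", "wire transfer", "gift cards", "bank details")

A_TAG = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


@dataclass
class Finding:
    indicator: str
    detail: str
    weight: int


@dataclass
class Verdict:
    score: int
    findings: List[Finding]


def normalize_domain(domain: str) -> str:
    """Fold common lookalike substitutions so exarnple.com and examp1e.com read as example.com."""
    d = domain.lower().strip()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    nd = normalize_domain(d)
    for trusted in TRUSTED_DOMAINS:
        if nd == trusted or edit_distance(nd, trusted) <= 1:
            return trusted
    return None


def analyze(headers: Dict[str, str], body: str) -> Verdict:
    """Score one message; higher means more social-engineering indicators present."""
    findings: List[Finding] = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    impersonated = lookalike_of(from_domain)
    if impersonated:
        findings.append(Finding("lookalike sender domain", f"{from_domain} resembles {impersonated}", 4))

    # Display name borrows a trusted organisation's name while the address is elsewhere.
    if display and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in display.lower():
                findings.append(Finding("display-name spoofing", f'"{display}" sent from {from_domain}', 3))
                break

    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(Finding("reply-to mismatch", f"replies go to {reply_to}", 2))

    # Pressure wording from subject and body (urgency, authority, credential or payment lure).
    text = (headers.get("Subject", "") + " " + body).lower()
    for name, terms, weight in (("urgency", URGENCY, 2), ("authority", AUTHORITY, 2), ("credential/payment lure", LURE, 3)):
        hits = [t for t in terms if t in text]
        if hits:
            findings.append(Finding(name, ", ".join(hits), weight))

    # Links: visible URL text that differs from the real target, or a lookalike target host.
    for href, anchor in A_TAG.findall(body):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        if shown.startswith(("http://", "https://", "www.")):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if shown_host != real_host:
                findings.append(Finding("link text/target mismatch", f"shows {shown_host}, goes to {real_host}", 4))
        if lookalike_of(real_host):
            findings.append(Finding("lookalike link target", href, 3))

    return Verdict(sum(f.weight for f in findings), findings)


# Constructed sample: a CEO-fraud style message from a lookalike domain.
PHISH_HEADERS = {
    "From": '"Example Corp CEO" <ceo@exarnple.com>',
    "Reply-To": "ceo.office@mail-relay.invalid",
    "Subject": "URGENT: wire transfer before 5pm",
}
PHISH_BODY = """<p>I need you to handle a confidential wire transfer immediately.
Confirm your credentials here: <a href="http://portal-login.invalid/x">https://portal.example.com/login</a></p>
<p>Regards, your CEO</p>"""

# Constructed sample: an ordinary internal message.
BENIGN_HEADERS = {"From": "HR Team <hr@example.com>", "Subject": "Team lunch next Friday"}
BENIGN_BODY = "Please let us know if you can attend. Menu: https://intranet.example.com/lunch"

if __name__ == "__main__":
    for label, h, b in (("phish", PHISH_HEADERS, PHISH_BODY), ("benign", BENIGN_HEADERS, BENIGN_BODY)):
        v = analyze(h, b)
        print(f"{label}: score={v.score}")
        for f in v.findings:
            print(f"  [{f.weight}] {f.indicator}: {f.detail}")
```

The thresholds are deliberately simple: in practice the score would feed a triage queue or a "report phishing" button workflow, and the domain folding should be extended with the organisation's real lookalike registrations. None of these checks replaces verifying the Authentication-Results header produced by SPF/DKIM/DMARC evaluation.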
Essential Measures to Mitigate Human Cyber Risk
Training Employees
Employee training is a cornerstone of effective cybersecurity strategies. Awareness and education foster vigilance, helping employees recognize and respond to potential threats.
However, attackers remain highly adaptive, constantly evolving their techniques with advancing technologies. Continuous monitoring and regular updates to training programs are critical to ensuring employees remain vigilant. Empowering employees to become strong links in the security chain makes them harder targets, ultimately strengthening the organization’s defenses.
Proactive Threat Detection and Digital Footprint Management
Every individual’s online activity leaves traces, collectively known as their digital footprint. For hackers, this footprint is the attack surface of their targets. Detecting and managing exposed information (e.g., leaked passwords, email addresses, phone numbers) is vital to reducing that exposure.
Preventing Risky Behaviors
Risky behaviors, such as Shadow IT (installing unauthorized software), also need to be identified and addressed. Shadow IT alone accounts for 35% of security incidents.
While malicious insider threats are rare, most internal risks arise from a lack of awareness. Tools that non-intrusively evaluate internal threats and risky behaviors are essential for taking timely protective and corrective measures.