As far as initial hacking attempts are concerned, social engineering and phishing attacks result in 70-90% of all successful cyber attacks.

This is a fact we’ve known for a long time ever since the advent of networked computers, the first one which came out in 1969.

Fast-forward to 2024, and it’s alarming that this common method of gaining access to sensitive information and committing financial fraud is not a priority area for most organizations.

Most firms don’t even feel like spending a miniscule 3% of their IT security budget on how to fight against phishing and social engineering.

Which brings us to the problem:

There are not enough resources aligned and allocated against the number 1 reason people and devices keep falling prey to hackers, malware, ransomware and other malicious cyber threats.

The more things change the more they remain the same.

Our approach against social engineering needs a rethink

Technology has progressed by leaps and bounds. We’re being told about the million ways our computers and other connected devices can be broken into. We’re also being told that we ought to prevent everything. All at once.

Firms are being told they need to check a couple of boxes to be in the green with cybersecurity compliance regulations, which means having hundreds of controls to deploy and monitor. Failure to do so means fines.

Yet, despite all the heuristic anti-virus features, upgraded network security protocols, and software patches in the world, malignant actors keep one-upping us.

The reason is simple: We need to focus on the number one reason these attacks happen—social engineering.

We need to understand the human aspect of being hacked. And we need that to be our primary focus. 

The kicker? It gets worse.

It could be simple if the problem were only occurring at the individual or organizational level. Unfortunately, even national cybersecurity organizations whose primary job is to protect you against digital threats are guilty of focusing on the wrong problems. This is a global systemic problem.

Let us use a simple example to explain the problem.

Imagine a town plagued by a rampant outbreak of food poisoning. Every week, numerous people fall ill after dining at various restaurants across the town. Investigations consistently reveal that the root cause of the illnesses is contaminated food served at these establishments, with ingredients being sourced from one specific farm. Despite this clear pattern, the town's health department decides to focus all its efforts on improving sanitation practices in the kitchens of the restaurants.

Meanwhile, the problem persists, with more and more people falling sick. Frustrated residents gather for a town hall meeting to address the ongoing health crisis. Experts from the health department present their findings, confirming that contaminated food is indeed the primary cause of the illnesses. They further reveal that this pattern extends beyond their town and is a widespread issue in the entire country, even globally.

Despite this acknowledgment, the proposed solution remains the same: enforcing stricter sanitation regulations in restaurant kitchens. Residents leave the meeting feeling bewildered and frustrated, wondering why the authorities are not taking decisive action to address the root cause of the problem i.e. the farm produce.

In this analogy, the town's health crisis represents the cybersecurity landscape, with the recurring food poisoning incidents symbolizing cyber attacks. Just as the health department focuses on kitchen sanitation instead of contaminated food originating from a particular farm, cybersecurity organizations often prioritize secondary measures over addressing the primary vectors of cybercrime like social engineering and phishing.

Throughout 2023, the Phobos ransomware continued to make headlines. A threat so serious that organizations like the Federal Bureau of Investigation (FBI) and Cybersecurity Infrastructure Agency (CISA) came out with a joint security bulletin about it.

This warning by two legit security agencies lists three main actions that network defenders should take to contain and minimize the risks posed by Phobos ransomware:

First, these are good tips and need to be implemented. The joint warning bulletin also discusses in depth the multiple ways the Phobos ransomware can enter the victim's environment.

The report also suggests repeatedly that social engineering and phishing are one of the primary attack methods used to propagate this ransomware:

It even lists phishing as one of the “Initial Access” attack techniques:

Indeed, phishing and spear phishing in particular remain the top methods of breaking into an environment. It is very rare to see anything other than phishing as the top reason behind a cybersecurity breach.

Spear phishing, which targets specific individuals, can do a lot of damage. A recent report states that despite accounting for just 0.1% of all email attacks, spear phishing was responsible for a whopping 66% of data breaches! Talk about having a small grasp yet a bigger reach.

Generally, social engineering is behind 70-90% of cyber attacks of all types. For ransomware specifically, social engineering is cited as the root cause behind 40-50% of cyber attacks. Another common reason why ransomware happens is due to the attacker using stolen credentials.

If you had to guess, how were those passwords stolen? Through social engineering of course. In 2023, 79% of credential thefts happened due to phishing.

The reason why we keep stressing social engineering as the top threat organizations need to combat is that it is usually the primary instigator behind most cybersecurity incidents.

Coming back to the CISA/FBI bulletin, the report's top three recommended mitigations do not mention the importance of combating social engineering tactics. In fact, CISA briefly tells readers to defend against social engineering and phishing attacks with a rather subdued focus.

The number one way those data breaches happen? Through the human element. And yet cybersecurity bodies continue to espouse other technical shortcomings to address the threats rather than focusing on inculcating security-centric mindsets through regular yet engaging security awareness training.

This is the problem in a nutshell - putting the horse before the cybersecurity cart.

A change in approach is sorely needed. Instead of mentioning how to defeat phishing attacks at the end of the report, all cybersecurity bulletins need to prioritize addressing individual behavior and the role of cybersecurity awareness training in minimizing human error.

The CISA report mentions mitigation measures to defeat phishing as the 13th amongst 20 controls. How to defeat phishing and social engineering tactics needs to be the top 3 controls - the best way to prevent threats like Phobos is to nip them in the cyberspace bud with the right training.

In short, our primary focus needs to be on recognizing and preventing social engineering and phishing. Security bodies and organizations need to rely more on training people than on patching hardware or software-based loopholes.

Because hey, all it takes is that one unsuspecting email, and all hell breaks lose.

After all, the issue of contaminated food can’t be solved by focusing on sanitation efforts. It can be resolved by checking the produce sourced from farms.

Also, security awareness training does not have to be dull and boring. Check out Cytadel, our gamified security awareness training platform to discover what we're talking about.