How enterprises can tackle risky cyber security behavior and improve workforce resilience


Individual workers have long been regarded as an easy target for threat actors, representing a prime opportunity to gain access to enterprise IT networks without having to overcome defenses like firewalls. 

Compromised accounts have been responsible for some of the most devastating attacks waged against organizations in recent years. The 2021 data theft and ransomware attack on Colonial Pipeline, for example, began with a compromised legacy VPN account that had no multi-factor authentication and whose password had already appeared in a leaked credential set. 

Attacks on organizations have only grown since. Ransomware in particular remains a pervasive threat for many enterprises: research from Proofpoint's 2024 State of the Phish study showed that, globally, 69% of organizations were infected with ransomware last year. 

Threat actors are also employing increasingly sophisticated social engineering techniques such as phishing and business email compromise (BEC) attacks to compromise individual users and further wreak havoc on organizations. 

The 2024 State of the Phish study showed that more than 66 million BEC attacks were detected and blocked across the year, highlighting the scale of threats now facing organizations and individual staff. 

For several years, BEC attacks have been growing in both scale and intensity and are now ranked among the “costliest threats to organizations globally”, according to Carl Leonard, cybersecurity strategist for EMEA at Proofpoint.

When looking at what’s driving this surge in both attacks and compromised users, Proofpoint research points toward a concerning pervasive culture of “risk taking” among certain workers, which is placing organizations at significant risk. 

Proofpoint said that while cyber security-related headlines “often focus on the clever social engineering and zero-day vulnerabilities used by attackers”, a major recurring issue lies at the feet of users. 

“Cyber criminals don’t always have to try that hard,” the company said. 

The State of the Phish survey showed that 76% of working adults in Europe and the Middle East admitted to “taking a risky action” in 2023. This included reusing or sharing passwords, for example, or clicking on links from unknown senders. 

A significant portion were also found to have given credentials to an “untrustworthy source”. Concerningly, 95% of them did so knowing that they were taking a risk. 

Ultimately, 58% of users who took risky actions engaged in behaviors that would have placed them at risk of common social engineering tactics. 

“People are a key part of any good defense,” the Proofpoint study said. “But they can also be the most vulnerable. They may make mistakes, fall for scams, or simply ignore security best practices”. 

Why users take risky actions

There are a range of contributing factors behind why users take risky actions in the workplace, according to Proofpoint, but most commonly it comes down to convenience.

39% of workers polled in Europe and the Middle East said they took risks because it was convenient to do so, while 41% said they did so to save time. 

Workplace pressures were also a factor; nearly one-quarter (24%) said they took risks to meet urgent deadlines while 9% said they did so to meet performance targets. 

Lack of clarity over cyber obligations is a key hurdle

Part of the problem is that many users are unsure of their responsibilities with regard to cyber security. 

83% of security professionals in Europe and the Middle East told Proofpoint that "most employees know they are responsible for security". Yet 58% of users said they either "weren't sure" of their responsibilities or claimed that they're not responsible at all. 

Proofpoint warned that this “lack of clarity” on where responsibility lies can have potentially disastrous consequences for enterprises. 

This emphasizes the need for a clear-cut strategy around security education for staff across all levels of the enterprise, Proofpoint said. Ensuring that staff are equipped with the tools, expertise, and confidence to operate safely in their daily roles is critical. 

What can be done to prevent risky cyber behaviors?

There are several ways organizations can prevent risky behavior among staff and improve overall security resilience, according to Proofpoint. This includes the implementation of robust tools and solutions to remove guesswork for staff alongside ramped up efforts to improve education and awareness. 

This kind of initiative can be a pull as much as a push, with staff themselves keen to improve their understanding of cyber security threats, Proofpoint found. 

94% of workers in Europe and the Middle East said they wished organizations would “make security easier” for them while 88% requested more training options to improve their understanding of security issues. 

Proofpoint recommends organizations take a two-pronged approach to this issue, targeting two specific groups – those who understand security-related responsibilities and those who don’t. 

For those aware of their obligations, IT and security leaders should “provide tools that empower people to be more proactive”. 

This includes email reporting tools, such as a report-phish button, that let staff flag suspicious messages to the security team with minimal effort. Similarly, "nudging" technologies, such as warning tags added to inbound email, were found to be a highly effective tool in the hands of security-savvy workers. 
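To make the "warning tag" nudge concrete, the following is an added example, not Proofpoint's code or a description of any vendor's product logic. It shows the kind of header checks a mail gateway can run before rewriting the subject line: external sender, first contact from that address, a Reply-To that points somewhere other than the sending domain, and a display name that imitates an internal address or a known executive. The internal domain (`example.com`), the VIP name, the vetted-sender list and the three sample messages are all constructed assumptions for the demonstration.

```python
"""Added example: computing 'nudge' warning tags for inbound mail.

Not Proofpoint's code. Domains, names and sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                      # assumption: the org's own domains
VIP_DISPLAY_NAMES = {"jane doe"}                        # assumption: executives often impersonated
KNOWN_EXTERNAL_SENDERS = {"invoices@supplier.example"}  # assumption: previously vetted senders


def _domain(addr: str) -> str:
    """Return the lower-cased part after '@' ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def warning_tags(raw: bytes) -> list[str]:
    """Decide which warning tags a raw RFC 5322 message should carry."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    sender = sender.lower()
    sender_domain = _domain(sender)
    external = sender_domain not in INTERNAL_DOMAINS

    tags: list[str] = []
    if external:
        tags.append("EXTERNAL")
        if sender not in KNOWN_EXTERNAL_SENDERS:
            tags.append("FIRST CONTACT")
    # Replies going to a different domain than the visible sender is a classic BEC pattern.
    if reply_to and _domain(reply_to) != sender_domain:
        tags.append("REPLY-TO MISMATCH")
    # Display name that looks like an internal address or a known executive, from outside.
    name = display.strip().strip('"').lower()
    if external and (name in VIP_DISPLAY_NAMES or _domain(name) in INTERNAL_DOMAINS):
        tags.append("POSSIBLE IMPERSONATION")
    return tags


def apply_tags(raw: bytes) -> EmailMessage:
    """Return the message with tags prepended to Subject and recorded in a header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tags = warning_tags(raw)
    if tags:
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = f"[{' / '.join(tags)}] {subject}"
        msg["X-Warning-Tags"] = ", ".join(tags)
    return msg


# Constructed sample messages (not real traffic).
SAMPLE_BEC = b"""From: "Jane Doe" <jane.doe@webmail.example>
Reply-To: payments@other.example
To: alice@example.com
Subject: Urgent wire transfer

Please process today, I am in a meeting.
"""

SAMPLE_INTERNAL = b"""From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Lunch

Canteen at 12?
"""

SAMPLE_SUPPLIER = b"""From: invoices@supplier.example
To: alice@example.com
Subject: Invoice 4711

Attached as usual.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_INTERNAL, SAMPLE_SUPPLIER):
        print(apply_tags(sample)["Subject"])
```

The point of the tag is not to block the message but to give an informed user a reason to pause; a gateway that already rejects on SPF/DKIM/DMARC failure would run these checks only on mail that passed authentication.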

From a culture perspective, building a “champions network”, where more knowledgeable members of staff model best practice, also represents a key tactic for organizations aiming to bolster workforce cyber resilience. This helps workers to see tangible, real-world examples of how they should be behaving, Proofpoint said. 

For workers on the other side of the knowledge divide, education is key

Users who shirk their security obligations and frequently make risky decisions on this front require personalized advice and information based on their unique roles and circumstances, according to Proofpoint. 

Communication, the company said, is critical. As such, IT leaders should emphasize the importance of robust security practices and the potential impact that risky behavior can have on the organization. 

In this instance, security solutions can help equip workers with vital tools to help bridge knowledge gaps. 

“Advanced solutions can help balance stricter security controls with productivity by reducing the number of threats faced by users,” Proofpoint said. 

“For example, deploying an email security solution that is 99.9% effective means that most users will never have to decide how to respond to a suspicious link. 

“Finally,” the company continued, “work with business stakeholders and prioritize ease-of-use when implementing security policies. Users will be less inclined to circumvent systems if security aligns with their goals. And they are more likely to use a control if it is intuitive and does not require any training.”

Find out more

Learn more about Proofpoint's Europe and the Middle East findings in its on-demand webinar, 2024 State of the Phish: A year of change in Europe and the Middle East.

ITPro
