99% of cyber attacks require humans to click

By Dylan Bushell-Embling
Tuesday, 10 September, 2019

Validating the long-held belief that the human factor is the weak link in cybersecurity, new research from Proofpoint indicates that 99% of cyber attacks require an action like a click or download from the victim to be successful.

An analysis of 18 months of threat data collected from across Proofpoint’s global customer base finds that cybercriminals are targeting people rather than systems, using a variety of social engineering techniques.

More than 99% of threats analysed for the research required human interaction such as enabling a macro, opening a file, following a link or opening a document.

People-centric threats often target individual people within an organisation. These people are not necessarily traditional VIPs, but are what Proofpoint calls “Very Attacked People”, who are often located deep within an organisation.

The research found that 36% of these VAPs’ identities could be found online through corporate websites, social media, publications and other sources.

Email is a common attack vector for cybercriminals. The research found that the education, finance and marketing sectors topped the list of industry verticals most at risk of email attacks.

But in 2018, impostor attacks were at their highest levels in the engineering, automotive and education industries.

To evade detection, attackers often use email patterns that closely mirror legitimate organisational email traffic patterns. The research found that less than 5% of impostor messages were delivered on weekends, with over 30% delivered on Mondays.

“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Proofpoint VP of Threat Operations Kevin Epstein.

“To significantly reduce risk, organisations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defences that provide visibility into their most attacked users.”

Image credit: ©stock.adobe.com/au/tippapatt

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.