Tech Can Only Do so Much to Prevent Today's Sophisticated Cyber Attacks

Although we usually celebrate the development of technology and advances in innovation, the increasing sophistication of cyber attacks is nothing to rejoice over.

Cybersecurity measures need to be a step ahead of cyber attacks to have a hope of countering them, but with hackers and cybersecurity tools developing almost in lockstep, tech can’t move fast enough to protect enterprises without human cybersecurity awareness training.

Hackers are also taking a more personalized approach to their attacks, so cybersecurity training has to keep up. Phishing can target individuals rather than just “spray and pray” attacks, using private details from their lives to trigger a response.

Technology can’t pick up on that kind of threat; the only protection is to train the target to recognize the scam.

The Risks Are Rising Behind Your Back

The dangers of phishing attacks are growing all the time. The spike in remote and hybrid work expanded the attack surface as so many people are working outside of the office firewall, and without the constant reminders that come with close proximity to security teams.

According to PWC, 43% of CIOs are worried about the impact of hybrid work on data privacy and cybersecurity, making it their biggest concern.

Breaches are not just more frequent, but as digitalization surges, they are also more costly and dangerous. The information that hackers can gather today is far more significant than that which they could access even a few years ago.

FBI data released in May revealed that over $43 billion has been lost through Business Email Compromise (BEC) attacks since 2016, a category that encompasses phishing and other social engineering methods.

The Ukraine war and China’s rising aggression brought increased use of cyber warfare by political agents, not “only” hackers motivated by greed.

These agents are directly or tacitly enabled by state actors seeking to change the global balance of power, and often have more freedom to operate and better tools than money-minded cyber thieves.

This rise in cyber warfare increased supply chain attacks, making small businesses prime targets alongside utilities and leading corporations. Hackers understand that digitalization means all companies are connected, so they turn their sights on the weakest link in a supply chain.

As the Solarwinds attack forcefully reminded us, successfully hacking into one minor business can open the back door to major organizations.

Human-Directed Attacks Require Human Training

As much as we’d like to think that tech will save us, the rapid advance of hacking capabilities shows that only a human approach is effective. Digital acceleration brought new and more sophisticated cybersecurity tools, but also new and more sophisticated cyber-attacks.

Today, hackers and CIOs/CISOs are locked in a struggle that is too evenly matched.

Hackers are well aware of this parity of abilities, which is why they are deliberately targeting employees.

Human error remains the weak spot for every organization; a report from ThoughtLab noted that over the next two years, security executives expect an increase in attacks from social engineering, which includes phishing.

Unlike other cyber attacks, phishing attacks are aimed at a human, not a firewall or a server, and are designed to play on human fears and hopes. Malicious actors frequently carry out manual research to discover specific triggers for individual targets.

Events like the Ukraine war, rising costs of living, anxieties around the pandemic, and the ongoing impact of long covid give them plenty of new levers to exploit, and cybersecurity tools have no way to block these tactics.

Training needs to focus on educating employees to recognize and resist those same levers.

Thankfully, that training can be highly effective. Research by Hoxhunt showed that threat reporting rates rose as employees completed training sessions with simulations that sharpened their ability to recognize phishing emails, rising from 0% to 65% after just six sessions.

At the same time, fail rates dropped from 14% to 4% on average.

But Human Training Can’t Be Tech-Only

However, while simulation-based training is popular and effective, it often doesn’t go far enough.

As long as phishing training is based on tech alone, simply sending simulations at a predetermined rate won’t be realistic enough to train employees for real-world situations.

It’s vital to ensure that employees understand the strategy involved, rather than simply punishing them for high fail rates. Real phishing is often more compelling than simulations, so if simulations don’t keep up, employees will still fall at the most important hurdle.

Making phishing simulations compelling enough requires more than just tech. Effective training is based on behavioral science, so simulations get harder as employees grow more aware.

They should mirror the level of detail used by hackers, and like phishing emails, be customized according to each individual’s personal profile, including their role, geography, culture, industry, and personality.

This requires understanding each employee’s triggers, cultural resonance, and what makes them likely to click. Hackers invest that level of effort, so you’ll have to as well.

Technology and Human Empathy Need to Work Hand in Hand

It’s clear that successfully working against the growing cybersecurity threat requires employing both tech tools and human understanding.

Only by meeting hackers on their own territory and developing realistic simulations that employ human triggers can you prepare employees to stand up against phishing attacks and protect your company.