Over 99% of cyber-threats require human interaction to work, highlighting the importance of user awareness programs and layered defenses, according to Proofpoint.
The security vendor’s 2019 Human Factor report is based on an 18-month analysis of data the firm collected across its global customer base.
It adds some concrete findings to the general trend observed by many in the industry over the past few years that attackers are increasingly targeting the “weak link” in the cybersecurity chain: corporate employees.
Specific staff members, dubbed "Very Attacked People" (VAPs), are targeted most often — perhaps because they have access to corporate funds or sensitive data, or even because they are easily discoverable by outsiders.
Some 36% of VAPs identified in the report could be found online via corporate websites, social media, publications, and other methods.
To stand the best chance of success, attackers targeting humans typically mimic legitimate email patterns: fewer than 5% are sent at weekends and the biggest number (30%+) come on Mondays.
Education, finance, and advertising/marketing were the most targeted industries, with education having one of the highest average number of VAPs across any vertical, Proofpoint claimed.
In 2018, the sector accounted for the largest number of imposter attacks, along with the engineering and automotive verticals.
Microsoft products and services accounted for nearly one in four phishing attacks in 2018, with messages focused on harvesting user credentials for lateral movement, future attacks and internal phishing.
“Cyber-criminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of threat operations for Proofpoint.
“To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”