
There's a contradiction in cybersecurity: humans can be both the weakest link and the strongest. For instance, humans are highly susceptible to deception. This is an age-old problem; look no further than the Trojan Horse of Greek lore or the Ghost Army of World War II. In the latter case, Allied forces created inflatable tanks and faked radio traffic, among other deceptive tactics across Europe, to confuse, distract and divert enemy forces and save lives.
In cybersecurity, we see similar examples all the time. Verizon's 2024 Data Breach Investigations Report (DBIR) found that 68 percent of breaches involved a non-malicious human element, such as a person falling for a social engineering attack or making an error. However, with proper training (and the right technology), organizations can turn this so-called weakest link into their best defense.
The Power of Deception
Put simply, social engineering is the tactic of manipulating, influencing or deceiving someone to gain control over a computer system or steal sensitive information. It's a way of using psychological manipulation to trick users into making security mistakes or giving away information.
Think of those emails purporting to be from delivery services that include a supposed tracking link for your package that's actually a phishing link. Or a legitimate-sounding nonprofit organization sending a link for donations. The list goes on. In the past, there were certain "tells" to look for to avoid falling victim to these attempts, such as spelling errors, unusual-looking email domains and so forth. But generative AI is quickly helping bad actors remove those giveaways: fluent, well-formatted lures in any language, written in the voice of the person being impersonated, are now cheap to produce, making it harder for people to recognize these deceptions for what they are.
A History of Cyber Education
To keep up with bad actors, cybersecurity has long relied on a standard set of educational strategies focused on helping people keep themselves, and thereby the companies they work for, from getting hacked.
Much of the common wisdom has focused on tactics like multifactor authentication, strong passwords and phishing training. For instance, you teach employees how to identify whether an email or SMS text is real. Your CEO probably didn't ask you to go buy an Apple gift card in the next few minutes so they can save their child's life, for example. But for all the cybersecurity training that has been rolled out, the breach numbers above make one thing clear: training on its own is not enough, because it's not working.
The strategy needs two layers. The first is a set of technical stopgaps, such as DNS filtering, so that even when an employee is tricked into clicking, the connection to the attacker's site never completes and the mistake is far less likely to turn into a breach. The second, and the harder one, is training ourselves to harden our own minds.
That means going beyond standard training to a psychological approach, one that starts from the fact that behavior is driven by our traits as humans: trust, urgency, deference to authority, the impulse to help. Those traits are exactly what social engineering exploits, and recognizing that they create vulnerability is the first step. Success means taking a different approach to training, especially because, as noted above, generative AI is already letting bad actors pull off more sophisticated social engineering schemes. Ultimately, this belongs in school curricula, but that's a long way off.
Beginning to Harden Your Workforce
Changing your employees' mindset isn't going to happen overnight, and it will be a long time before every kindergartener can recognize a phishing link for what it is (or read one). In the meantime, lean on the controls you can put in place for employees today. Many employees still don't use a password manager, for instance, so the environment has to protect them, and by extension your enterprise, even while individual habits lag behind.
The shorter-term solution comes down to tooling. It's about the basics of preventing employees from making a mistake that can have far-reaching consequences. Must-haves include:
- DNS filtering: This control stops employees from reaching phishing sites, malware-hosting domains and other harmful content by answering the DNS query for a known-bad domain with a block page or sinkhole address instead of the real one, so the connection never starts. It only covers traffic that actually uses your resolver, so pair it with device policy that prevents endpoints from bypassing it over encrypted DNS (DoH/DoT) to a third-party resolver.
- Strong password management, including multifactor authentication (MFA): Passwords should be long, unique per site and kept in a password manager, since nobody can memorize dozens of them. SMS shouldn't be used as an authentication factor: messages travel unencrypted, can be redirected through SIM swapping or SS7 interception and, like any one-time code, can be phished in real time. Prefer an authenticator app and, where possible, a phishing-resistant factor such as a FIDO2/WebAuthn passkey.
- Email protection: The inbox is today's battleground, and you need software to filter out threats. Today, it's less about malicious attachments and more about malicious email links, so filtering should include sender authentication (SPF, DKIM and DMARC) and link analysis, not just attachment scanning.
- Identity management: The bad actors are ultimately after credentials and sessions, so a central identity provider with single sign-on, conditional access and least-privilege role assignment is the bottom line.
- Antivirus/EDR solutions: Endpoint detection and response catches what gets past the filters and gives responders the telemetry they need to contain it.
- Monitoring: Tools like SIEM and SOAR, which aggregate the logs from the controls above (DNS, email, identity, endpoint) and automate the first response steps.
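The DNS filtering item above describes blocking at the query level. The following is an added example, written for this page rather than taken from the article or from any vendor's resolver, of the policy check such a filter applies to every query: a blocklist of zones matched against the query name and each of its parent domains, Unicode lookalike names normalized to punycode before matching, a sinkhole answer for blocked names, an NXDOMAIN answer for Firefox's documented DoH canary domain (use-application-dns.net) so the browser does not quietly switch to a third-party encrypted resolver, and a replay of the same policy over resolver logs to find which clients tried to reach blocked zones. The blocklist entries, the log lines and the upstream lookup stub are constructed for illustration and are not real data.

```python
import re
from typing import Callable, Optional

# Constructed blocklist (zone -> category), not a real feed. An entry covers
# the zone itself and every name beneath it.
BLOCKLIST = {
    "parcel-tracking-update.example": "phishing",
    "xn--pypal-4ve.example": "phishing",  # punycode of "pаypal" spelled with a Cyrillic "а"
    "evil.example": "malware",
}

# Firefox's documented canary domain: an NXDOMAIN answer here tells the browser
# not to enable DNS-over-HTTPS automatically, which would route queries around
# the filtering resolver.
DOH_CANARY = "use-application-dns.net"

# Sinkhole addresses returned for blocked names; other record types get no data.
SINKHOLE = {"A": "0.0.0.0", "AAAA": "::"}


def normalize(qname: str) -> str:
    """Lower-case, drop the FQDN's trailing dot, and IDNA-encode Unicode labels so
    a homograph name is matched in the punycode form actually sent on the wire."""
    name = qname.rstrip(".").lower()
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # an unencodable name is left as-is and will simply not match
    return name


def match_zone(qname: str) -> Optional[str]:
    """Most specific blocklisted zone covering qname, or None. Walks from the
    full name toward the TLD, so login.parcel-tracking-update.example matches
    its parent zone."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in BLOCKLIST:
            return zone
    return None


def resolve(qname: str, qtype: str, upstream: Callable[[str, str], Optional[str]]) -> dict:
    """Filtering decision for one query. `upstream` stands in for the real
    recursive lookup and is only called for names that pass policy, so a blocked
    host is never resolved at all."""
    name = normalize(qname)
    if name == DOH_CANARY:
        return {"qname": name, "qtype": qtype, "rcode": "NXDOMAIN", "rdata": None,
                "blocked": False, "category": None}
    zone = match_zone(name)
    if zone is not None:
        return {"qname": name, "qtype": qtype, "rcode": "NOERROR", "rdata": SINKHOLE.get(qtype),
                "blocked": True, "category": BLOCKLIST[zone], "zone": zone}
    return {"qname": name, "qtype": qtype, "rcode": "NOERROR", "rdata": upstream(name, qtype),
            "blocked": False, "category": None}


# Constructed resolver log lines, not real traffic.
SAMPLE_LOG = """\
2024-06-03T09:12:03Z client=10.0.4.17 qname=login.parcel-tracking-update.example qtype=A
2024-06-03T09:12:04Z client=10.0.4.17 qname=cdn.example.net qtype=A
2024-06-03T09:13:41Z client=10.0.4.22 qname=dl.evil.example qtype=AAAA
2024-06-03T09:15:09Z client=10.0.4.17 qname=xn--pypal-4ve.example qtype=A
"""
LOG_RE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+)")


def blocked_per_client(log_text: str) -> dict:
    """Replay the policy over query logs: how many blocked-zone lookups each
    client made. This is the signal worth forwarding to the SIEM, since the
    clients that hit phishing zones belong to the people who clicked."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and match_zone(m.group(2)) is not None:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    def upstream(name: str, qtype: str) -> str:
        return "203.0.113.10"  # constructed stand-in for a recursive lookup (TEST-NET-3)

    for q in ("www.example.com", "login.parcel-tracking-update.example.", "pаypal.example"):
        print(resolve(q, "A", upstream))
    print(blocked_per_client(SAMPLE_LOG))
```

The suffix walk is what makes a single zone entry cover every subdomain an attacker spins up under it, and the IDNA step is what keeps a Cyrillic-letter lookalike from slipping past a blocklist written in ASCII. The canary handling is the caveat from the list above made concrete: a filter only protects the queries it sees.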
That said, the above list is just the bare minimum, and most leaders have probably seen similar iterations of it dozens of times. Yet many companies still aren't using all of these controls, or aren't using them consistently. Now is the time to catch up and bolster your defenses.
Defeating Deception
While humans are fallible and can often be the weakest link, human intellect can also be the advantage in cybersecurity. To use this advantage in the corporate world, employees must receive regular, in-depth training. Cybersecurity is a long-haul proposition: the proper tooling helps in the short term, but it only goes so far. Training is what gets you to the long-term vision of people retraining their brains and keeping good cyber hygiene at the forefront of their minds. This combination of tools and training will shift your employees from being the "weakest link" to your strongest defense.
Mikey Pruitt is a global partner evangelist at DNSFilter.