Proofpoint, a Sunnyvale-based cybersecurity and compliance company, announced the findings of its annual Human Factor Report, which highlight the ways in which cybercriminals target people, rather than systems and infrastructure, to install malware, initiate fraudulent transactions, and steal data.
“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of Threat Operations for Proofpoint. “More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defense.”
Nearly one in four phishing emails sent in 2018 were associated with Microsoft products. 2019 saw a shift towards cloud storage, DocuSign, and Microsoft cloud service phishing in terms of effectiveness. The top phishing lures were focused on credential theft, creating feedback loops that potentially inform future attacks, lateral movement, and internal phishing.
The report says the education, finance, and advertising/marketing verticals topped the industries with the highest average attack severity and risk. Impostor attacks were found to be at their highest levels in the engineering, automotive, and education industries last year, averaging more than 75 attacks per organization. Supply chain complexities were cited as contributing factors to vulnerability. In the first half of 2019, the most highly targeted industries shifted to financial services, manufacturing, education, healthcare, and retail.
To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users. The report is based on an 18-month analysis of data collected across Proofpoint’s global customer base.
The data underscore the need for effective employee training in combatting cyberattacks.