Over a decade ago, I noticed that social engineering was the primary cause for all malicious hacking.
It has been that way since the beginning of computers, but it took me about half of my 36-year career to realize it.
At the time, I think everyone in cybersecurity knew social engineering was a big part of why hackers and their malware programs were so successful, but no one really knew how big.
Few cybersecurity professionals would tell you it was the number one problem, and no one was saying that no other single root cause was even close, even though it was true. In fact, you could add all the other possible causes of successful hacking together and they do not come close to the impact that social engineering has on data breaches.
But back then, I started to analyze the data. Data from my very large employer at the time, Microsoft. Data from other cybersecurity giants. Data from antivirus companies. Data from every cybersecurity report I could get my hands on. Data from public clearinghouses. And from that analyzed data, I could see that social engineering was involved in 70% - 90% of all successful hacking. Anyone giving you a lower stat is not using the correct classification taxonomy (another issue for another day) or is leaving out a huge population of victims, like people at home.
At Microsoft, I suddenly realized that no matter what crazy, expensive, sophisticated system we put in for our customers, they still ALL got hacked because of social engineering (and to a smaller extent, unpatched software). I wrote a Microsoft whitepaper on this in 2015. By 2018, it morphed into the first edition of my best-selling book, A Data-Driven Computer Defense.
Eventually, over time, partly because I was writing about it so much, it became common knowledge that social engineering was the biggest problem in cybersecurity. Today, no one questions that social engineering is the biggest problem by far. But it was not always common knowledge.
I thought that everyone realizing that social engineering was the biggest problem by far would lead to a massive focus on it as the main threat and everyone’s cybersecurity budgets would reflect that fact. But it never happened.
Companies continue to focus on a hundred different threats with social engineering not getting a lot of attention…even within Microsoft. Eventually, I got so depressed being paid to put in expensive systems (e.g., PKI, MFA, IDS, etc.) that were not going to work, as well as fighting social engineering, that I quit Microsoft and joined KnowBe4 (over six years ago). I have not regretted the move. I feel like I am making the best difference I can make in helping to make the cyber world safer.
But over six years later, here is my biggest question: If social engineering is involved in 70% - 90% of cyber attacks, and it is, why doesn’t the world act that way?
What I mean is that we have identified the number one problem in cybersecurity…that of human risk management…and almost every organization still treats it like just a small part of a much larger problem. It is the largest problem by itself.
The average organization only does security awareness training once a year (some do not even do that). They may or may not do simulated phishing tests. Less than 5% of their IT or IT security budget will be spent trying to aggressively decrease human risk.
Human risk is 70% - 90% of the problem, but we do not give it even 5% of the focus!
And it has always been that way. It will likely be that way next year…and the years after.
It does not make sense.
The very best human risk management practitioners do security awareness training about once a month and do simulated phishing tests about once a week. If you do that, we will consider you to be among the best practitioners in reducing human risk. Managing human risk is more than training and testing, but those are a big part of it.
But I am amazed at all the pushback human risk managers get in trying to better protect their organizations. Management and end users will complain about too much training and too many phishing tests. Some will argue that none of it helps at all. This is not true. We have a lot of data to prove otherwise.
I have people ask me all the time, how can I get senior management buy-in for a serious human risk management program? I am always amazed at the question. Has management not heard of ransomware and Change Healthcare’s really bad year? Change Healthcare’s breach was tied back to compromised credentials (which are almost always compromised by social engineering or weak passwords). Like most data breaches, it would have been prevented by using phishing-resistant MFA and good human risk management.
I am aware of companies that do not do any cybersecurity training at all, or that provide no training or simulated phishing to large swaths of their end-user base. When human risk managers do training and testing, there is often a lot of complaining and friction. It is like a child complaining to their parents about why they have to look both ways when crossing the street. It is for your own good…and the organization’s resiliency.
I do not understand why there is not a greater focus on reducing human risk until it becomes a secondary problem. Why would you concentrate on something else more unless it had greater risk and more potential impact? Would you not concentrate on reducing human risk the most until it was not the biggest issue anymore? Instead, we treat it as just one of the many things we must do, often giving more focus and resources to other things that will not decrease risk as well.
The hard truth of whether or not your organization does or does not get hacked in a particular time period likely depends on how well you do or do not do in managing human risk (and patching your software and firmware). If you do not do those two things well, the rest doesn't really matter.
Ask yourself these three questions.
1. Does senior leadership know that social engineering is 70% - 90% of the reason why most organizations are hacked? Does senior management know that most ransomware and data breaches are due to human risk problems?
2. If they know, are they allocating resources to mitigate it as if it were 70% - 90% of the problem?
3. Do your end users know that social engineering is 70% - 90% of the problem, and that whether or not your company becomes the next ransomware victim or public data breach depends on how well they and your entire organization fight social engineering?
If not, why not?
Because from where I am sitting, looking at over three decades of social engineering being the biggest problem, I do not see why it is not getting the largest allocation of cybersecurity resources and focus.
It is like getting told that your car needs new brakes and you respond by replacing the tires and windshield wipers and wonder why you crashed.
Your organization probably does not need to spend 70% - 90% of its cybersecurity budget on human risk management, but it probably should spend more than 5%. When someone complains about the training they have to take or all the simulated phishing tests sent their way, you need to explain how there is nothing more important to the company’s cybersecurity defenses and health than those things.
I have been in the cybersecurity industry for over 36 years. Now, today, everyone knows that social engineering is the number one threat, by far, for data breaches and ransomware. Why do we not act like it?