Why Human Vulnerability Matters for Everyone | EP 017
The podcast episode "Why Human Vulnerability Matters for Everyone" from Gone Phishing explains that human error—including mistakes by all individuals, not just security professionals—is involved in 88% of data breaches, emphasizing that cybersecurity risks affect everyone, regardless of company size, because vulnerabilities arise from everyday human interactions with technology and can lead to breaches even without direct targeting.
Why Human Vulnerability Matters for Everyone
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
Why Should You Care About Human Vulnerability?
You may think that because you’re only an individual or a small company, human vulnerability doesn’t matter to you. However, there are important reasons why it does and why large enterprises aren't the only ones who need to worry about cybersecurity.
The Human Element in Data Breaches
A key reference is Verizon's Data Breach and Investigation Report (DBIR), which is a well-known and debated resource in cybersecurity. The 2022 report states that 88% of data breaches involve the "human element." This doesn't just mean people clicking on phishing emails or giving away credentials. It also includes misconfigured firewalls, poorly implemented security tools, or any mistakes made by humans—whether regular employees or security practitioners. The "human element" encompasses all humans making all types of mistakes, not just those who don't practice security daily.
Humans interface with technology, and as a result, we often become the easiest source for technology misuse. This is why the 88% figure makes sense and why it's important to understand that it's not just about phishing or social engineering, but all forms of human error.
Common Misconceptions: "I'm Too Small to Be Targeted"
Many believe their business is too small to worry about cybersecurity or that they are too insignificant to be hacked or breached. The reality is, you don't even need to be specifically targeted to become a victim. For example, you could be swept up in a larger data breach involving a service or company you use, and your accounts could be leaked and misused.
Whether you are an individual, a small business, or a large business, you can be affected by breaches that originate from tools, services, or companies you rely on. While it may be true that smaller entities are less likely to be directly targeted, the interconnected nature of today's world means you can still become a victim. It's important to shift from an "if I get breached" to a "when I get breached" mindset, especially for businesses. Being unprepared for a breach is one of the worst scenarios, so it's crucial to have plans and safeguards in place.
Cybercrime as an Inefficiency of Capitalism
Cybercrime can be seen as an inefficiency in capitalism. There are companies, sometimes funded by foreign governments, whose sole purpose is to steal money from organizations in other countries. If these entities can spend $1 to steal $10, it's more profitable than providing a legitimate good or service. In some regions, lack of legal repercussions or government support for such activities makes cybercrime even more attractive.
This inefficiency affects everyone. Theft increases the cost of doing business, and those costs are often passed on to consumers. For example, the existence and high cost of cyber insurance is a direct result of the financial impact of cybercrime. Companies must budget for cyber insurance to mitigate risks like ransomware or breaches, and these costs ultimately affect the end user.
The Impact of Social Engineering
Social engineering is the act of impersonating another person or organization to deceive someone into giving up money, access, or information. The most common form is phishing, where emails are sent pretending to be from trusted sources. Social engineering is a major contributor to cybercrime, and since humans are involved in 88% of incidents, improving our ability to detect and prevent social engineering could significantly reduce the cost and impact of cybercrime.
A world where social engineering is no longer profitable would mean lower costs for goods and services, more businesses, and better offerings for more people. While this may seem idealistic, it's a goal worth striving for by improving education and awareness around human vulnerability.
Looking Ahead
Future episodes will delve deeper into why human vulnerability is so difficult to address and the nuances involved in teaching people to recognize and prevent threats. The goal is to help individuals and organizations better protect themselves and reduce the impact of cybercrime.
Thank you for tuning in to Gone Phishing. For more information about high-quality security awareness training campaigns and how to engage employees to change their habits, visit Phin Security at phinsec.io.