People are central to an organization – and to its cybersecurity and balance sheet.

Based on Proofpoint’s cyber intelligence, social engineering attacks are on the rise – targeting people using newer and more sophisticated methods, especially with the ubiquity of QR codes, mobile applications and the ease of accessing everything on our mobile devices.

Understanding that people in an organization – who are also the users of technology and devices – hold the keys to organizational cyber-resilience is the first step to defending against the fast-evolving cyber-threats we face in Asia Pacific, and can greatly impact our balance sheets today.

CybersecAsia discussed some findings from the 2022 Cost of Insider Threats Report – as well as the impact of people-centric cyber-resilience on the balance sheets – with Ryan Kalember, Executive Vice-President, Cybersecurity Strategy, Proofpoint.

Ryan Kalember, Executive Vice-President, Cybersecurity Strategy, Proofpoint

From Proofpoint’s threat intelligence, what are the most vulnerable points in Asia Pacific in the cyber-attacker’s line of sight?

Our recent 2022 Cost of Insider Threats Global Report revealed that one of the most prominent vulnerabilities in Asia Pacific (APAC) are insider threats, which are present in every organization across every industry. We’ve found that insider threats have increased significantly by 44% from 2020 to 2022, especially as organizations become more digitally and globally interconnected.

Although many organizations assume that malicious insiders are motivated by malicious intent and are the only ones they need to be mindful of, this is not the case. In fact, more than half of these threat incidents (56%) experienced by organizations represented in this research were due to negligence, and the average annual cost to remediate the incident was US$6.6 million.

Credential theft is one area which has almost doubled between 2020 and 2022, costing an average of $804,997 per incident, which is the costliest to remediate. Cyber attackers who focus on credential theft tend to favor social engineering attacks — primarily phishing since it only takes one successful attack to lead to a compromised account – causing major data breaches or ransomware attacks. This is because one of the biggest challenges that organizations still encounter is how to navigate the changes associated with today’s remote and hybrid workforce, since work from anywhere or remote working has enabled data to be accessed from literally anywhere and from any device.

Looking at EY’s Work Reimagined Employee Survey, 85% of employees in Southeast Asia prefer either working from anywhere, remote working, or a mix of in-office and remote working, which means they can easily have a target on their backs if they are not vigilant.

Another area of vulnerability is through a supply chain attack, where breaches can happen at the developer, manufacturer, or end-client level. Some of those most at risk are major software developers and hardware distributors who work alongside vendors to build and ship parts that they use to construct their final products. Because supply chain attacks target these developers and manufacturers outside of organizations’ control, they are often difficult to stop.

According to Proofpoints’ The Human Factor 2021 report, some sectors could be more susceptible than others. Users in the engineering, telecommunications, education, energy, insurance, transportation fields tended to fall for phishing attacks more often. However, just focusing on specific sectors is not the only weak spot that cyber criminals exploit. Attackers were found to target specific departments within organizations, such as facilities and maintenance, quality, and engineering departments which were most likely to fall for phishing attacks.

What are some evolving and new variants of cyber threats that you believe may soon emerge?

According to Proofpoint’s 2022 State of the Phish report, attackers are piggybacking off big tech names like Microsoft, Google, Zoom, and Amazon to launch attacks, with more easily recognizable brands being used as the face of these cyberattacks to earn users’ trust.

Taking the recent OCBC smishing scam in Singapore as an example, where cyber-attackers sent out SMSes through a spoofed identity, bad actors can make their messages look as though they were originated from a legitimate sender.

We also expect targeted phishing attacks to increase. Based on our intelligence, business email compromise (BEC) has seen an increase from 2020 to 2021 globally. This includes payroll redirect and supplier invoicing fraud, which was up 18% compared to the previous year. Furthermore, incidents of spear phishing and whaling, the latter referring to targeting high-ranking individuals in organization, also increased by around 20%.

In APAC, phishing attacks have increased in markets like Japan and Australia. In Japan, 66% of organizations faced successful phishing attacks, an 18% increase from 2020. 92% of organizations in Australia faced an attack in 2021, up 53% from 2020.

Another trend involved telephone-oriented attack delivery (TOAD), which not only saw an uptick in 2021, but also a rise in complexity. Proofpoint data shows that TOADs use a variety of tools, including fraudulent emails as well as call centers. Singapore, for instance, has seen an increase in TOADs.

How should we go about putting in place a people-centric approach to building resilience against cyber-attacks?

The first step is for organizations to understand that the ones being targeted are often not the organization itself, but the people who work for the organization. According to our 2022 Cost of Insider Threats Global Report, 56% of incidents were found to be linked to employee or contractor negligence.

Negligence often occurs when employees forget to ensure devices are secured, when they don’t follow the company’s security policy, or forget to patch and upgrade. This gives rise to more vulnerabilities and increases the risk from attacks.

Organizational risk should also be looked at in terms of people – who was targeted, how often they were targeted, whether these targets have access to critical information and sensitive data, and whether the targets fell victim to the attack. This allows organizations to better mitigate risks by understanding why and how employees were attacked.

From here, they could look at enhancing their cybersecurity strategy and at how re-training might be necessary to help employees update their defense skills.

This is also why companies need to realize that people need to be central to their cybersecurity strategy, and not just invest in security infrastructure alone. Therefore, Proofpoint takes a people-centric approach, and believe in the importance of investing in cyber-awareness training.

What are some practical considerations and steps an organization should take to make cyber-resilience part of its balance sheet and not as an afterthought?

Although it seems like many organizations understand their companies may be susceptible to cyber-attacks, these same organizations often forget that the majority of bad actors typically target vulnerabilities in people rather than infrastructure.

For instance, email remains the top threat actor as this is where the organizations’ most sensitive information is stored, with 65% of those surveyed revealing that employees store data such as personally identifiable information (PII), intellectual property (IP) and other critical business information.

At Proofpoint, we often say that “hackers don’t hack in, they log in”. Organizations therefore need to understand who is most vulnerable, why these people were vulnerable, and what made them susceptible to an attack.

It is not enough that organizations can protect against the attack, because attacks can come in different forms. Instead, steps also need to be taken to ensure employees change their behavior and understand their responsibility in protecting the organization.