PROTECTING PEOPLE - THE SIGNIFICANCE OF HUMAN-CENTRIC CYBERSECURITY
IN ITS LATEST REPORT, LEADERSHIP VISION FOR 2024: SECURITY AND RISK MANAGEMENT(1), GARTNER® STATED THAT “SECURITY AND RISK MANAGEMENT LEADERS MUST PIVOT TO A HUMAN-CENTRIC CYBERSECURITY STRATEGY”.
We believe this strategic imperative perfectly aligns with our long-standing and proven approach to cybersecurity.
The industry is highlighting the integral role that our people play in successful cyber attacks and placing them at the heart of effective cyber defence. Shining a brighter spotlight on human risk can only be a good thing. That said, the question remains – why has this come to light now?
The short answer is that the evidence is overwhelming. Almost three-quarters of all data breaches involve a human element. And it’s not hard to understand why.
In their Leadership Vision for 2024: Security and Risk Management(1), Gartner states that “67% of people use the same passwords for multiple accounts”, “65% open emails from unknown sources on work devices”, and “61% send sensitive information via unencrypted email”. Worse still, “93% acknowledged these actions would increase risk to the enterprise”.
Our 2024 State of the Phish report surveyed 7,500 users and found 71% of users took risky actions and 96% of these people knew they were doing something risky.
Additionally, 85% of security professionals said that most employees know they are responsible for security, but 59% of users claimed they weren’t responsible at all.
This evidence proves that, in this environment, human-centric security is less of a strategic choice and more of a necessity.
By now, most will understand human-centric risk as a concept. Put simply, it is the risk posed to your organization by your people. But what does that mean in practice?
Phishing may be the first thing that springs to mind, with good reason. It’s long been a go-to for cybercriminals looking to lure their way inside our organizations. But while it remains both popular and highly effective, it is far from the only human-centric issue.
The risks to people are everywhere – from the use of stolen credentials and privilege abuse to malware, ransomware, business email compromise and plenty of other common cyber threats. We can group these risks into four dimensions of human risk to get a clearer picture of the threat landscape we currently face.
All four are prevalent across the entire length of the attack chain. Email is the number one threat vector, which means phishing, BEC and other human-targeted email attacks are key players in initial compromise. Human identities are a target for privilege escalation and lateral movement. Human actions are one of the reasons behind data loss.
When we break it down this way, it’s no wonder to us that Gartner would be calling this out as a strategic imperative for your organization. The human factor is not a single standalone issue. It is an integral feature of almost every cyber attack, and organizations substantially under-invest in it relative to its risk level and their other controls.
We use the word ‘solve’ very deliberately. Because while it is both ubiquitous and potentially devastating, the issue of human risk is eminently solvable. However, there is no single solution or one-time fix for protection against human-centric threats.
Due to the prevalence of human-centric risk across almost all cyber threats, mitigating and defending against it requires a broad and layered set of capabilities.
If email remains the number one point of entry to our organizations, any effective defence must include blocking malicious messages and disarming these attacks.
Email threat protection must be complemented with impersonation protection to analyse email content, supplier data, and email address manipulation to detect and deter spoofing. With around a third of users sending misdirected emails, any solution should also have capabilities to highlight and block such incidents.
As privilege escalation is now integral to ransomware and most advanced attacks, any effective defence must encompass an identity threat protection component. A comprehensive solution can spot and stop lateral movement, remediate identity threats and lure malicious actors into making their presence known.
People are the lifeblood of any organization and it’s therefore natural that they pose our greatest risks. Gartner’s Leadership Vision for 2024: Security and Risk Management report identified “pivot to a human-centric cybersecurity strategy” as one of only three strategic imperatives for security and risk management leaders(1). We think there’s a good chance that “human-centric security”, or any similar moniker, will become something of a buzzword in vendor marketing. Single-solution vendors, or even those focused on infrastructure security, may look to tag it on to existing capabilities or tweak features to position them as more people- or identity-focused.
But true human-centric security is not this simple. It requires a lot more than a change in marketing messaging or a sprinkle of AI fairy dust to get right. It demands layered security controls, trained for years on millions of touchpoints and billions of threat data across the globe, in tandem with targeted security awareness.
At Proofpoint, we promote a blended approach that will solve the problem with not only powerful AI, but also our experienced threat researchers and analysts.
Proofpoint People Protection and Proofpoint Information Protection platforms provide Human-Centric Security solutions that combine threat intelligence, behavioral AI, detection engineering and semantic AI to block, detect and respond to more advanced threats and data loss than other leading vendors. We deliver 100% direct spoofing risk reduction, 99.9% inbound threat reduction and 80% identity risk reduction on day one, as well as proactively flagging misdirected emails for users to resolve.
All of this results in one truly profound change – we help you turn your people from security risks into security assets. So, while you may begin to hear others say they can protect against human-centric risk, here at Proofpoint we’re already doing it.
If you’d like to find out more about any of the topics covered in this issue, please get in touch with your Account Manager or use our online form.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
(1) Gartner, Leadership Vision for 2024: Security and Risk Management, Tom Scholtz, Lisa Neubauer, January 2024 - gartner.com/document/5069331