Your staff, like all humans, are prone to being tricked by cybercriminals. Here Dr Niklas Hellemann, CEO of SoSafe, shares his tips for strengthening employee resilience in the face of attack.
When it comes to cybersecurity, most people think of passwords, encryption, firewalls and other tech-based solutions. While these are important, the significance of the human factor in cybersecurity has been underestimated in recent years.
In fact, 85 percent of all security breaches start with humans; of the 3.4 billion phishing mails that are sent every day, around 20 percent get through filters, and half of those are then opened or interacted with.
Why is this happening? Geopolitical events of recent years have had a powerful impact on people’s minds. Ongoing uncertainty, anxiety, and stress caused by multiple crises play right into the hands of cybercriminals, who use social engineering to trick us in a highly targeted way.
Organisations are battling an innovative dark economy in which tactics evolve by the minute. These highly professionalised cybercriminals operate on the basis of efficiency – and they have long understood that it is far more efficient to target the human layer than to penetrate systems directly. Systems and infrastructure vary from one organisation to the next, but people are a constant.
Exploiting human psychology: fear and uncertainty
The interface between person and machine is still the primary gateway for cybercriminals. This is no surprise, because humans are always vulnerable to one common type of attack: emotional manipulation.
Cybercriminals have exploited human psychology to succeed with their attacks, leveraging emotions like anxiety, respect for authority, or willingness to help. Today, this is being accelerated by various new developments:
Global events offer cybercriminals an open door through which to manipulate victims, exploiting current affairs for waves of event-based phishing attacks. Within weeks of the COVID-19 Omicron variant becoming global news, phishing attacks were already taking advantage of it.
Russia’s attack on Ukraine also resulted in an unprecedented rise in cybercrime, with fraudulent charity fundraisers disseminated on social media and through phishing emails, harnessing compassion and generosity to get what the attackers wanted.
New hybrid working models open up a variety of new attack channels: weaker security in our own homes, the rise of new communication channels and tools used in remote settings, and a lack of training in those tools.
The speed of digitisation is also accelerating cybercrime: the rise of artificial intelligence, including deepfakes and voice phishing, is a prime example of these highly sophisticated fraud methods. Our increasingly interconnected world also leads to an increase in supply chain attacks, with attackers maximising their profit via targeted attacks on service providers.
This year’s Uber breach is a perfect example of how cybercriminals are leveraging social engineering. According to several reports, the attacker managed to obtain the VPN credentials of an employee through social engineering tactics, presumably phishing. To bypass multi-factor authentication, the attacker used ‘MFA bombing’ – a strategy that emerged at the beginning of the year – and gained access to multiple internal systems.
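MFA bombing (also called MFA fatigue or push spam) works by sending a target repeated push-based approval prompts until one is accepted out of annoyance or confusion. Training helps people recognise the pattern, but the same pattern is also visible in authentication logs, so it can be detected centrally. The following is an added example, not code from the article or from SoSafe: it scans constructed log lines in an assumed `timestamp user= event= result=` format, looks for bursts of unapproved MFA push prompts for one user inside a sliding window, and flags whether an approval followed the burst, which is the case a responder should treat as a likely compromised session rather than a nuisance.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). The line format is an assumption:
# "<ISO-8601 UTC timestamp> user=<id> event=mfa_push result=<denied|approved|timeout>"
SAMPLE_LOG = """\
2022-09-15T02:10:04Z user=alice event=mfa_push result=denied
2022-09-15T02:10:31Z user=alice event=mfa_push result=denied
2022-09-15T02:11:02Z user=alice event=mfa_push result=timeout
2022-09-15T02:11:40Z user=alice event=mfa_push result=denied
2022-09-15T02:12:15Z user=alice event=mfa_push result=denied
2022-09-15T02:13:05Z user=alice event=mfa_push result=approved
2022-09-15T09:00:10Z user=bob event=mfa_push result=approved
2022-09-15T17:30:22Z user=bob event=mfa_push result=denied
2022-09-15T17:31:00Z user=bob event=mfa_push result=approved
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def group_mfa_events(log_text):
    """Group MFA push events per user, sorted by time."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)
    for events in by_user.values():
        events.sort(key=lambda r: r["ts"])
    return by_user


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return one alert per user whose densest run of unapproved push prompts
    within `window` reaches `threshold`. Each alert records the burst boundaries
    and whether an approval followed within `window` of the last unapproved prompt."""
    alerts = []
    for user, events in sorted(group_mfa_events(log_text).items()):
        unapproved = [e for e in events if e["result"] != "approved"]
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(unapproved)):
            # Slide the window start forward until it fits inside `window`.
            while unapproved[end]["ts"] - unapproved[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        if best is None or best[0] < threshold:
            continue
        count, s, e = best
        burst_start, burst_end = unapproved[s]["ts"], unapproved[e]["ts"]
        approved_after = any(
            ev["result"] == "approved" and burst_end <= ev["ts"] <= burst_end + window
            for ev in events
        )
        alerts.append({
            "user": user,
            "burst_start": burst_start,
            "burst_end": burst_end,
            "unapproved_prompts": count,
            "approved_in_window": approved_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        severity = "HIGH (approval followed burst)" if alert["approved_in_window"] else "MEDIUM"
        print(f"{alert['user']}: {alert['unapproved_prompts']} unapproved prompts "
              f"between {alert['burst_start']:%H:%M:%S} and {alert['burst_end']:%H:%M:%S} - {severity}")
```

In the sample, alice receives five unapproved prompts in about two minutes and then approves one, which the detector reports as a high-severity event; bob's single denial followed by an approval is normal behaviour and produces no alert. The window and threshold are tunable to an organisation's own baseline, and the approval-after-burst flag is what separates a user who was merely annoyed from one whose session should be revoked.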
This is proof of a constant engine of innovation – on a psychological level, not a technological one. With cybercriminals using such sophisticated strategies, how can organisations protect themselves and their employees from falling victim to emotional manipulation?
Giving people the means to protect themselves
If cybercriminals are targeting humans, it’s critical that organisations use their employees as an additional layer of defence, enabling them to adopt secure habits in the digital space.
To succeed here, organisations must establish sustainable security cultures. Employees need to retain what they learn and make lasting changes to their habits; drawing on human psychology and behavioural science is what makes this shift possible.
But how does that work?
In-situation awareness tools help improve user reporting behaviour, which is a leading indicator of increasing security awareness. Spending less time on “traditional training” and more on dynamic “micro-learning” decreases adoption risk and helps minimise productivity losses.
Regular “nudges” help employees stay ahead of their learning schedule, increasing user activation by 90 percent. A tangible effect on user engagement and habit building can also be had through “deep gamification” – data shows that user activation is 54 percent higher when it is deployed.
The ability to understand and report on psychological tactics and technical vectors allows programme leaders to increase the difficulty level of their awareness campaigns as an organisation's security maturity improves, which is essential to keep up with the speed of innovation on the attacker side.
An invisible enemy that will never go away
It’s vital to understand that cybercrime will never just ‘go away’. Not only are cybercriminals constantly professionalising their operations and adapting them to new circumstances, but our increasingly technology-dependent society means most opportunities for theft will naturally be in the digital space.
We need to ensure that we constantly adapt to the degree of innovation of the attackers. Continuous and timely awareness will become increasingly important. Had employees been trained about the MFA bombing tactic for example, Uber would likely have been far more resilient to its recent attack.
With humans being the number one target for cybercriminals, it’s crucial we ensure they are at the forefront of security innovation and empower them to be capable of digital self-defence.