Protecting the Weakest Link: Why Human Risk Mitigation is at the Core of Email Security

Blame has long been placed on people as the biggest vulnerability in cybersecurity. And while it isn’t exactly a hot take, I deeply believe that we can’t blame people for just trying to do their jobs, track a package, or win a contest.

How can we blame an employee for simply trying to do their best at work? That might mean an executive assistant buys some gift cards at the request of their boss, or a finance director changes the banking information for an invoice per instruction from the CFO. Or perhaps someone is in the middle of an important project with an immediate deadline when they receive notice that they need to update their password to keep access to their account.

These and many other normal daily business interactions are exploited by attackers. So while we can’t blame people for simply trying to do their jobs well, we can acknowledge that people are a known weak spot for which cybersecurity strategies must compensate.

Software vulnerabilities, misconfigurations, and physical system attributes can be exploited to access a corporate environment. But not only are these attacks more technically challenging, they are more likely to be noticed by a security tool or SOC analyst combing through logs.

So why target systems when you can simply target people? Especially when this tactic comes with both less work and a higher success rate?

People are wired to trust other people. Psychologically, we have an innate desire to believe in others and find belonging, and our digital lives inherited this trust—extending the need for connection across the interwebs. Savvy attackers take advantage of these human psychological needs, twisting them into weaknesses and exploiting them for personal gain.

There is no denying that our lives today are nearly 100% connected, with ample opportunity for an attacker to target human vulnerabilities through digital communication—and no channel is more susceptible than email. In fact, 68% of attacks last year leveraged the human element, with four main ways that may lead to a successful compromise:

1. Genuine Error: True accidents happen. Great, well-crafted phishing attacks are oftentimes successful, especially with limited security tools in place. If it’s up to an employee to have SOC analyst skills to stop every phish, then there will be errors and accidents that lead to compromise via email.
2. Identity Compromise: Accounts can become compromised via a variety of ways. For example, if an employee’s credentials are reused between personal and corporate log-ins, a compromised social media account or personal email could lead to a corporate identity breach.
3. Alternative Phishing: Phishing isn’t exclusive to email. A Slack chat, Teams message, text, phone call, even a video call can be used to exploit employees. And while employees may be well-trained to notice common phishing tactics in email, they may be more easily deceived in another less-obvious channel.
4. Malicious Intent: And finally, there’s always the chance that an employee could provide their credentials or enable an attack on purpose. Malicious insiders aren’t tricked, but rather intentionally compromise other employees for their own gain.

Regardless of the general category or specific attack method, bad actors are constantly trying to extract credentials, steal other personally identifiable information, or directly steal money from their targets. With humans being the easiest path to greatest return, it only makes sense why they would choose to target them.

In response, organizations have historically implemented security awareness training and programs, believing that educating employees was the best way to solve the problem. Unfortunately, this results in a situation where employees must be right every single time in order to stay safe, while attackers only have to be right once.

Rather than focusing on the people who make (understandable) mistakes, security leaders must take a critical look at the technology safeguards that can be put in place to remove the burden (and blame) from end users. But while there are loads of tools and a decades-old email security market focused on this attack surface, this simply isn’t stopping the problem. After all, business email compromise alone cost organizations $2.9 billion last year, and this number continues to grow each year.

Instead, organizations should turn to AI to uplevel their protection and better protect humans from themselves. The right email security tool can solve the human vulnerability problem, ensuring that security leaders can feel confident that their employees are not responsible for stopping each attack.

With the Abnormal Human Behavior AI Platform, organizations can:

1. Stop attacks before they reach employee inboxes: Modern, AI-based detection engines don’t rely on detecting known-bad IOCs or matching emails to threat intelligence. Instead, AI can be used to identify and remediate a malicious email by comparing it to existing baselines of normal for each individual in an organization. This approach stops more sophisticated attacks and totally removes the employee from the detection equation.
2. Identify and correlate risk across everyday SaaS applications and cloud infrastructure: AI is only as good as the data that feeds it. Aggregating more information from across the cloud-based environment—anywhere cloud email identities are used for authentication—adds signals to an AI model. After all, more data and broader visibility leads to more informed risk decisions, with ultimately leads to better protection across the entire attack surface.
3. Support ongoing employee education using individually relevant content: An autonomous AI platform can be used to provide personalized, ongoing employee education right when an email is reported. With AI Security Mailbox, organizations can take advantage of generative AI to engage people and answer questions—adding meaningful context and relatable information as part of a security awareness training program. The best part: the AI approach doesn’t add any work to the security team.

While not a complete answer on its own, leveraging the right tools can drastically improve security posture, ensuring that humans remain protected from their own vulnerabilities—even those they’re not aware they have. Integrating modern tools with ongoing security awareness training is critical, creating a comprehensive defense strategy and transforming people from a weakness to a line of defense.

Interested in using AI to remove the burden and blame from your employees? Get a demo of Abnormal Security to see why thousands of customers trust the AI platform to protect their people.