Yeah. So, as I mentioned before, one of the evergreen things that have always been present in cyber security, I would say for several years, is social engineering. One of the things that we learned, for example, with the European project that was called DOGANA, which was especially focused on studying the advances of social engineering, is that in recent years, thanks to the evolution of social trends, social networks and all the other types of, let's say, new ways of interacting, exchanging and working with each other, social engineering became one of the most effective attack techniques used today.
And let's say this article was written a few years ago, and already at the time only about 3% of the malware was trying to exploit a purely technical flaw. All the others were exploiting, through social engineering, the human element, and with the human element.
I mean, trying to induce errors in the humans that are handling one specific asset. The point is that, like any possible threat in cybersecurity, it is also one of the sources of cyber risk in general, and one of the most difficult things, you know, to fix in general, because every human is different.
Every human has a different behavior, mindset and capabilities. But the point is why speak again about this type of thing today: because, as we will see, COVID changed once again the threat landscape related to humans. First of all, it is important to understand how humans are, let's say, attracted, how their attention is caught, by cyber criminals, but not only: also by sellers, also by marketing experts and social network influencers. Today, mostly these three types of competencies try to advertise, or deliver the right advertising to the right people, and advertising at the end of the day is one way to convince people to do something or buy something that they wouldn't buy in general.
And the same happens for social engineering. As a matter of fact, one of the most, let's say, used competencies in social engineering is just marketing. As a matter of fact, in, let's say, cyber criminal gangs, the most relevant competencies, the ones responsible for the 97% of successful attacks, are exactly the same: sellers, marketing experts and social network influencers. And all the others are becoming, let's say, more and more like, let's say, commodities.
I would say, as a matter of fact, that in one of the recent interviews with one of the ransomware gangs, there were many developers of malware involved. They were developing malware for different groups. As a matter of fact, just recently, just to give you an idea of how important these roles are today, one of the latest, let's say, reports, actually from Atlas VPN, which reports some data from Microsoft, reports that spear phishing, that is the most specialized way of phishing a person with highly contextualized messages, is one of the most expensive services you can buy on the black market.
And this means that it is also one of the most precious, let's say, assets from a criminal point of view. But why is it so peculiar from the point of view of cyber defense and the world of cybersecurity? Because at the center of everything there is a human. And when you have to study a machine, you have to work with experts in informatics, in all the other types of IT, or hardware, hardware sciences.
When you speak with humans, you have to deal with human sciences, like for example these: these are all sciences that can be used, or better abused, by attackers to deliver a social engineering trick or a social engineering, let's say, hook that somehow convinces people to do something that they shouldn't do. As you can see, the problem here is that most of these types of competencies are not used to talking with cybersecurity experts. There is a completely different mindset in the game.
And so, most of the time, IT specialists are not used to talking about sociology, psychology, communication sciences, design, even anthropology. Well, the boom came when COVID started to appear, for different reasons. One simple reason is that immediately, in one day, almost the entire world started to work at home. So without having, let's say, the support of nearby colleagues, I mean, someone that is sitting near you to whom you can ask, for example, whether that specific mail is, in his opinion, phishing or not.
So the employees started to be alone in their homes and started to evaluate themselves the effective, let's say, probability or likelihood that a specific message is social engineering or not. And at the same time, COVID also represented a sort of once-in-a-lifetime opportunity for cyber criminals.
And if you put these things together, you have individuals working at home alone, without possibly the suggestions or advice of nearby colleagues, in most cases with less, let's say, protected environments, for example routers at home or computers at home that are usually shared with family, other people, with sons and so on. And this led social engineering to become much more popular even than before, and this type of attack too. For example, I report some of the examples that have all been originated by social engineering.
As a matter of fact, I would say that also the ransomware epidemic that nowadays we are witnessing is originated most of the time by social engineering, because if you look at the infection tactics used by most ransomware brands, most of the time they are exploiting a click by someone on a phishing mail.
And the point is that poorly protected small entities and easily attackable individuals, because they are alone in their homes, tend to have a sort of overlapping threat landscape, and therefore attacking micro and small companies and attacking big companies like, for example, EA, Carnival, Colonial Pipeline and so on became more or less the same from the attacker's point of view in terms of how difficult it is. At the end it is one simple thing: to attack the right person, and to find the right person who handles the right assets.
As a matter of fact, this is, let's say, a sort of epidemic, let's say, I would say the second epidemic: the first one, of course, is the health epidemic, and the second one is recognized to be this cyber crime epidemic. Well, already last year CrowdStrike reported that there was an increase, you can see it here, of attacks; the first half of 2020 was already surpassing the overall number of attacks reported in the previous year.
And we also witnessed a rise of attacks against industries that were not previously mainstream, and why this? Because the persons were easily attackable even before, let's say easier than before. And the four new sectors, like for example agri-food and beverage, education, public administrations, construction, engineering, are all types of industries that were not so much under attack as they are today. And of course the classics, like healthcare and operational technologies.
I mean, industry, as always, more or less. It is interesting to report some of the data because, as you can see from the data, there has been a cost increase of around 15% year over year. And the data, well, the collected data stops here at the first half of 2020, because the new one has been published a few days ago. But anyway, the point is that at the same time, even if there is a switch of attack tactics to social engineering, the trend of attacks was already increasing even before COVID.
As a matter of fact, in 2021 reports say that social engineering attacks increased by 270%. That is a lot. As a matter of fact, I have been using this slide for a few years, because I have worked on social engineering for more or less 10 years, and I am used to saying that the old security model is broken. Well, today it is more broken than before, because you and only you are now the targets, targets exposed to what? To social engineering threats, of course.
And there is a problem: if it is of course clear that humans are considered, let's say, targets of attacks, it is also less obvious that humans are also part of the defenses. And also humans in the defenses need to be trained properly in order not to make errors, because an error in the defense implies a threat that passes through the defenses.
So the point is, and to sustain my point of view I also bring this recent World Economic Forum report, that there is both a growing cyber capability gap, so fewer prepared professionals in general available on the market, and a surge of ethical hackers able to test the super-fast 5G threat landscape. And of course this brings together also another problem, that "friends" and "hackers" are dangerous words to be put beside each other, because you have to trust the people you are hiring. So how do you compensate for this? That's the problem.
And at the same time, there is also one other point, that is in the, let's say, transformation from reactive to proactive security defenses. The point in proactive security defenses is what I call the security ceremonies. This is one of the problems of today's cyber security in general, when speaking about how to transform the security model in general. I would say that the security, let's say, ceremonies in general are just a way to describe a system of protocols and humans which interact for a specific purpose. That is quite a generic term.
I mean, I could interact with the browser to obtain the purpose of navigating through the web, or interact with a system, for example a policy management system, to obtain the policy verification of the asset management. So there are a lot of ceremonies, but why ceremonies are interesting is because most of the time these types of protocols are tested in theory but insecure in practice. They have never been tested in the real world with real attacks, unless an attack happens, of course.
So the point is: how can we security test the security ceremonies in advance, in a proactive way, before a real attack happens? And before, I said that these ceremonies are just ceremonies, so never tested before in the real world, or at least not tested enough. I would say the other point is that humans, as I said, are also on the defense side. So the defenses are made of tools and humans, and it is possible to completely remove human judgment from the defenses. So the point is, given that the humans in social engineering in general, the, let's say, human element in your defenses, is also there:
how can I, let's say, measure this type of risk of being attacked because of a human error? Well, if the humans are employees, there are social engineering simulation campaigns, like simulated phishings and other types of awareness activities linked to the risk, so understanding and measuring how much my employees are learning to avoid phishing. But on the other side, from the defense side, there are fewer instruments. The point is that at this point we introduce a new type of, let's say, vulnerability assessment that we call full spectrum vulnerability assessment.
That is a sort of engagement between the simulated attacker and the company, that launches a realistic, but not real, attack. So it is not creating damage: a complete attack, including malware, exploitation and so on, against the company, without the knowledge of the defense team. So the defense team thinks of and perceives this as a real attack, and we are measuring the KPIs of their reactions, whether they are panicking somehow or underestimating the attack,
and whether they are able to, let's say, discover all the indicators of compromise. This is different compared to, for example, a red team activity. Well, the point is that a red team is done usually in a simulated context. So we are in a playful interaction, and the participants know that this is something like capture the flag; it is a game, more or less complex, but it is a game. The risk of losing the integrity of the company is totally out of any red team, capture the flag or other types of similar activities. Here,
the point is instead to make a test against the company and measure the reactions of the human element that is involved in the IT security team.
So the point is that this type of test stimulates not the response to a specific problem or the technological defense readiness as a whole, but the ability of the team to adapt and think independently when the worst happens in an off-guard context. For example, we also go to the level of simulating the communication of the emergency to journalists, because, as you know, this is one of the most delicate phases even in incident management: how to deal with the press, how to deal with stakeholders, customers, and so on and so on. We have already tested this against some companies.
And I would say that the sentence "real threats make real warriors" is completely true in most companies, because most of the time the ceremonies are just ceremonies. They have never been tested in the real world. And when the test happens, it is real, so it creates damage, damage.
So the point is that this way of simulating an attack in this manner is also called a sort of micro-drilling, and a way to build the so-called muscle memory or cognitive agility. That means creating people that are able to, let's say, apply what they learn, for example in a capture the flag, in a real context. And for example, we also started to, let's say, propose our trainings, because Cefriel, that is the entity for which I work, is an innovation, research and training center, okay, using the OODA philosophy, that is observe, orient, decide and act.
That is something that came out of the world of war airplane fighters. You can imagine the situation: you are in an airplane fight, you have to observe, orient, decide and act. So it is also a sort of learning by doing in an off-guard context. For example, if the simulation starts on Friday evening, well, you would say, I would say, you probably ruin a lot of friendships, let's say your relationships, acting in this way, but at the same time you are going to stimulate their reaction in a completely off-guard situation, which would be the same thing that an attacker would do.
By the way, just speaking about the classic types of teaming assessments, there is the blue team, the red team and the purple team, and also what I mentioned before, which I call the gold team assessment, that is the incident response, and also the communications with the authorities, with the stakeholders, shareholders, and so on and so on. And this is anyway a sort of interesting approach that, let's say, tries to balance the fact that humans are involved in security more than ever before, because of COVID.
And I would say several criminals discovered that this is a very profitable area of attack. So, for sure, these human-related tactics will remain for a long time, unless there is no one sitting between the screen and the chair, I would say. But the point is that most of the time, in the defenses, humans are involved not only as victims, but also as potential defenders. And like in medieval castles, you have to train all the humans involved. Okay.
So the challenges are these: understand the risks, reduce the human element exposure, training for non-tech employees, non-technological employees, is another important aspect. Most of the training programs are designed for tech, technological people. But, for example, there are several non-technological roles, like for example the people involved with communication, lawyers, psychologists and so on.
And so on, and everything needs to be sustainable, where by sustainable I mean affordable in terms of competencies available, processes available, not only economics and not only energy. And that's everything from my side.