We have been raising employee security awareness for many years. And for just as many years, we have been helping customers in incident response to get hackers out of their IT systems again. What is our experience?
Yes, in most cases the entry point into corporate networks, the so-called "patient zero", is an unsuspecting user who opens an email attachment and activates macros. Therefore, it is and remains incredibly important to regularly train all employees on the dangers of phishing and social engineering.
However, we also find over and over again that most of the damage from hacking attacks is not caused by this initial infection, but by a multitude of other vulnerabilities afterwards. As displeasing as an infected user account may be, it is not usually a threat to the company's existence. That would be catastrophic, because despite all our security awareness, we will never be able to completely prevent someone from clicking on malware at some point.
The really serious problems arise in the weeks after the initial infection, in what is known as "lateral movement": the attackers jump from the infected user to the first server, from there to further servers, until at some point they have the entire Active Directory of the victim company under control. Then they can create arbitrary accounts, extract all the data and install time bombs to encrypt the systems. At that point, to put it crudely, the pants are down. At the bottom.
However, our forensic analyses of recent years also show that this should not be the case. The vast majority of jumps to other internal systems do not exploit unavoidable "zero day" vulnerabilities, but rather trivial security basics: lack of hardening, insufficient patching, the use of weak passwords on server systems, the use of the same passwords on different server systems, RDP sessions that are not terminated properly, etc.
It can therefore be said that a lack of security awareness in the IT department causes more damage to the company than users. Nevertheless, most companies have been training only the users for tens of years, sometimes over and over again. Please don't take it the wrong way, that's basically correct too: Security awareness is a continuous process that virtually never ends. But it is also a question of finding the right balance.
The damage that administrators or developers can cause through a lack of security awareness is inherently much greater due to their privileged accounts. And many of those colleagues unfortunately know as much about cyber security and modern attack tools as the users do. An extremely dangerous mix.