24 takeaways from the Human Risk Summit 2024

Egress | 18th Oct 2024

The Human Risk Summit has concluded for another year, showcasing an exciting new theme focused on the personalization of security. This year’s discussions highlighted the importance of tailoring security measures to individual needs, with a strong focus on AI, social engineering tactics, and actionable steps organizations can take to strengthen their security strategy. 

In case you missed any sessions or would like a quick refresher, we’ve compiled 24 key takeaways from this year’s summit that showcase some of the most important insights and strategies shared by our expert speakers. 

The power of personalization for human risk management  

With: Stu Sjouwerman, CEO at KnowBe4, and Tony Pepper, CEO at Egress, a KnowBe4 company 

  1. The general trend is that the sophistication of phishing attacks is rising, especially since cybercriminals have been leveraging AI.   
  2. Historically, employees found it easier to spot phishing attacks, but the rise of crime-as-a-service has made this more challenging, as many attacks lack the key signals of phishing, such as bad grammar and dodgy domains. 
  3. Humans are an organization’s largest attack surface and must continually improve their security awareness through a combination of ‘new-school’ training and technology.  
  4. According to Stu, multi-layer security strategies are like Swiss cheese: Each slice of cheese has holes in different places, but when you layer them together, there’s no clear path through. This is the concept of defense in depth.  
  5. Introducing individual risk scores based on numerous data points allows for highly personalized training and security measures.

AI and Us: A new age of cyber threats and defense 

With: Sarah Armstrong-Smith, Chief Security Advisor for Europe & Board Advisor at Microsoft 

  1. The rapid pace of AI development outstrips regulatory processes. Therefore, businesses must adopt responsible and ethical AI practices, emphasizing security, privacy, and resilience. 
  2. Generative AI, popularized by tools like ChatGPT, has brought AI capabilities to a broader audience, including consumers and state actors. 
  3. Cybercriminals are using AI to enhance their attacks through automation, personalization, refined malware, and disinformation campaigns. 
  4. According to research, organizations that deploy AI-enabled defenses against AI-driven threats can gain significant advantages, becoming twice as resilient to cyber-attacks, reducing breach-related costs by 20%, and potentially saving the economy £52bn annually. 
  5.  AI offers defenders the ability to identify patterns, conduct threat hunting, and manage large data sets more efficiently. 

Handpicked by hackers: Understanding and defending against advanced persistent threats 

With: Erich Kron, Security Awareness Advocate at KnowBe4, and Jack Chapman, SVP Threat Intelligence at Egress 

  1. Attackers exploit digital footprints through OSINT to gather critical public information, illustrating potential vulnerabilities tied to personal data. 
  2. Erich emphasized that if your data has been compromised in a breach, you should be concerned about its security ‘forever’, which is why practices like good password hygiene across different accounts are important.  
  3. The key difference between generic threats and targeted attacks is that generic threats are often indiscriminate, while targeted attacks are specifically aimed at individuals with high-value information or access. 
  4. Organizations are urged to recognize the growing influence of AI in both offensive and defensive cybersecurity strategies, highlighting the necessity for continued investment in training and resources to outpace cybercriminals' advances. 

Using behavioral-based email security to combat advanced phishing attacks 

With: Jess Burn, Principal Analyst at Forrester, and Steve Malone, VP Product Management at Egress 

  1. AI tools are enhancing the quality and scale of phishing emails, allowing attackers to penetrate new markets that were previously restricted by language barriers. 
  2. Despite advancements in AI, the core nature of AI-generated threats remains the same. While AI increases the volume and sophistication of phishing attempts, the underlying payloads largely remain unchanged. 
  3. Jess commented that the shift from on-premise to cloud has made secure email gateways (SEGs) on pat with being a liability, positioning cloud-based, API-enabled email security solutions (CAPES) as the smarter choice for enhancing a business’ email infrastructure. 
  4. An organization’s leadership should establish and communicate clear guidelines for how they will interact with employees, and consistently follow these protocols. This way, if a request falls outside of these established guidelines, it will raise suspicion. 
  5. Celebrate small wins to encourage security-conscious behavior. For example, if an employee verifies a request by calling their manager on a trusted phone number, recognize and celebrate this action to create "security heroes" within the business. 

It’s time to take it personally: Driving behavioral change to manage human risk 

With: Giles Thornton, Head of Information Security at The Premier League; Alexis Ternoy, Chief Information Officer at Endeavour Mining; and Sudeep Venkatesh, Chief Customer Officer at Egress 

  1. The expansion of third-party vendors has stealthily widened the attack surface—now, threats targeting employees are also coming from trusted partners. 
  2. As an IT team, it is important to emphasize the human side of security—be approachable, engaged, and supportive. Instead of just saying "no," take a positive approach to encourage safe practices and avoid pushing people towards shadow IT practices.  
  3. For security training, using ‘nudge theory’ made up of short, targeted training sessions to address mistakes and help those who are set in their ways is the most effective in Giles’ opinion. Identify individuals who need extra support and provide personalized training based on the specific risks they tend to fall for. 

How to personalize email security and training with Egress and KnowBe4 

With: James Sheldrake, Head of Innovation at Egress, and Hannah Hoskins, Senior Solutions Engineer at Egress 

  1. In the product demonstration James and Hannah gave an overview of the Egress platform and how we leverage live threat intelligence and deep behavioral analytics to quantify risk in human behavior down to individual user level.  
  2. Finally, James and Hannah explore how Egress can integrate with KnowBe4’s KSAT platform, tailoring security awareness programs based on threats that users are really experiencing in their inbox.