Have some Empathy for the Defenders’ Dilemma – A Spiral of More.

October 5, 2023
Mark Wojtasiak
Vice President of Product Marketing

I love watching security vendor marketers latch onto Cybersecurity Awareness Month as an opportunity to make cybersecurity professionals more aware of cybersecurity. I find it funny and frustrating because isn’t the purpose of Cybersecurity Awareness Month to make end users more aware of cybersecurity and cyber safety? The last people who need more cybersecurity awareness are the defenders who live and breathe it all day, every day. Know your audience, please.

Two sides to the end user cyber awareness coin

In the intro blog to this series, I offered up our take that there are two sides to the end user cyber awareness coin. On one side is end user awareness around adopting safe cyber practices, AND on the other side is end user awareness of the direct human impact of not doing so. On the receiving end of every end user’s innocent mistake, error in judgment, or policy side-step is another human – the defender – tasked with protecting the organization at large from falling victim to a cyberattack, and end users need to know that what they do (or don’t do) has a direct impact on that person’s well-being.

We call it the “Defenders’ Dilemma”

In our State of Threat Detection 2023 research, we quantified what we have been referring to as security’s “spiral of more,” and what end users may not be aware of is how their actions often trigger and feed this spiral.

[Figure: The Spiral of More in Cybersecurity]

More attack surface, more exposure

Attackers are clever. They know that one of the best routes to infiltrate an organization is through preying on human nature. Call it social engineering, phishing, or vishing; even the most well-intentioned, security-aware end user can fall victim to an attacker’s charms. Scattered Spider has proven successful in vishing IT admins to gain access, and with technology like Generative AI and Large Language Models (LLMs), attackers’ ability to convince end users to commit, click, and/or divulge credentials will only get better. Falling victim to attackers’ cleverness starts the spiral. They are in, and you invited them.

More visibility gaps, blind spots

Now some end users might say “oops” and trust the security team will see the attacker is in and stop them. After all, “it’s their job.” I am sure your co-workers (defenders) appreciate the trust and vote of confidence, but this is not always the case. What end users need to know is that attackers are very good at looking like you, doing what you do, and masking themselves as you to move around the organization. They are really good at assuming the roles of people with higher privileges than you, and this is when things get even worse. You invited them in, and now they have used you to get an all-access pass.

More alerts, more false positives

This time some end users might say, “that’s okay, I am sure security will get some sort of alert or heads up – I've seen movies about it.” Little do end users realize that your co-workers – the defenders – get on average 4,484 alerts per day. 4,484 things to review. Imagine if your to-do list was 4,484 items long every day. Now, it’s humanly impossible to look at 4,484 alerts even for the savviest defender, so your security team does their best to look at about one-third of them, and guess what – 83% of the one-third of alerts are false alarms, not a priority, a waste of their time. Imagine the frustration. We’ve all been there – working on a project someone else deemed a priority only to find it yielded zero results. Now imagine doing that every day, all day long, focused on protecting the organization only to find 17% of the work you did had meaning.

More unknown hybrid attacks

I know some end users might be thinking, “it can’t be that bad. If my actions were so bad, wouldn’t we be breached and in the headlines all the time?” Not so fast. What end users might not realize is what defenders are doing behind the scenes to keep the company out of the headlines. It’s no easy task. Attackers are clever at getting in, masking themselves as employees, and hiding in an alert queue in the thousands. In fact, 97% of defenders worry about missing a relevant security event because it’s buried in alerts. What’s more, 71% believe the organization has likely been compromised and they don’t know about it yet. One thing that makes the defenders’ job so difficult is that often they are dealing with unknowns – until they become known, and then the real work kicks in. Little do end users realize that behind the scenes, defenders are working tirelessly to connect the dots: assembling, aggregating, and analyzing disparate data sets to diagnose the problem at hand, so they can confidently take action to stop any headline from happening.

More emerging, advanced hybrid attackers

“Breach headline averted, reputation, operations, and revenue intact, so all is well. Kudos security team for doing your job,” a more opinionated end user might say. I say find some empathy. For every late night, weekend war room, and family time sacrificed, there is another attack brewing, another attack to defend. The one thing about cyber attackers is that they are always trying to stay one step ahead. They’re doing their research on you — using your LinkedIn profile, social media activity, publicly available information, whatever they can get their hands on to fool you into letting them in, and when you do, this vicious spiral continues, grows, and accelerates.

More workload, stress, anxiety, burnout

I know what end users are thinking, “we all have some level of increasing workload, stress, anxiety, burnout,” and I get it and agree – all the more reason to have some empathy for defenders. When the stakes are as high as they are for defenders, taking cybersecurity awareness seriously and adopting safe cyber practices helps. “But I’m just one person.” It only takes one innocent mistake, error in judgment, or policy side-step to feed the spiral and wreak havoc on your co-workers, so do your part because at the end of the day, protecting the organization from attackers is a team sport.