With the rise of flexible work, employee devices and data are now the top targets of cybercriminals. According to the 2023 Verizon Data Breach Investigations Report, “Seventy-four percent of all breaches include the human element, with people being involved either through error, privilege misuse, use of stolen credentials, or social engineering.”[i]
Security professionals must design their programs to put human behavior at the center – in other words, making security “human-centric.” The goal is to eventually get to what Forrester refers to as “adaptive human protection,” which they define as “people, processes, and technologies working together to detect and anticipate human security behaviors and adjust policies, training, and technologies to protect humans in a way that requires minimal or no effort on their part.”[ii]
Let’s look at how a human-centric security model helps defend against three common attack methods.
Attack method #1: Multifactor authentication fatigue
One way attackers are targeting employees is through multifactor authentication (MFA) fatigue attacks. MFA fatigue attacks start with a threat actor stealing an employee’s username and password. The threat actor then spams (or “fatigues”) the user with MFA authorization requests until that person finally relents and approves one. It typically doesn’t take long to secure that approval. Microsoft’s studies show that one percent of users will accept a simple approval request for authentication on the first try.[iii]
To defend against MFA fatigue attacks (and theft of credentials in general), organizations should take a human-centric approach to authentication, rather than leaving authentication apps as the sole line of defense. To prevent unsafe practices like writing down passwords, reusing credentials, or approving spammed authentication requests, companies should ensure that devices and authentication applications have simple sign-in procedures that empower employees and remove complexities.
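As an added example that is not part of the original post, the following Python snippet shows what the MFA fatigue pattern described above looks like in authentication logs and how a security team can detect it: a burst of push prompts for one account, most of them denied or timed out, followed by an approval. The log lines are constructed sample data, and the "timestamp user result" layout is an assumption rather than any vendor's log schema.

```python
"""
Added example (not code from the original post): detecting the MFA
fatigue pattern in push-notification logs. Two signals are checked:
  1. a burst of prompts for one account inside a short window,
     whatever the outcome (the spam itself);
  2. an approval that follows several denied or ignored prompts
     (the moment the user finally relents).
Log format and field names are assumptions for this example only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <result>"
# result is one of: approved, denied, timeout
SAMPLE_LOG = """\
2023-09-14T08:00:05Z alice approved
2023-09-14T22:10:01Z bob denied
2023-09-14T22:10:31Z bob denied
2023-09-14T22:11:02Z bob timeout
2023-09-14T22:11:40Z bob denied
2023-09-14T22:12:15Z bob denied
2023-09-14T22:13:05Z bob approved
2023-09-15T09:30:00Z carol denied
2023-09-15T09:45:00Z carol approved
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_prompt_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: largest number of prompts seen inside any `window`}
    for users whose largest burst reaches `threshold`."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    bursts = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start, largest = 0, 0
        # Sliding window over the sorted timestamps.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            largest = max(largest, end - start + 1)
        if largest >= threshold:
            bursts[user] = largest
    return bursts


def find_fatigue_approvals(events, window=timedelta(minutes=10), threshold=4):
    """Return one alert per approval that was preceded, inside `window`,
    by at least `threshold` prompts the user denied or let time out."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = []
    for user, items in by_user.items():
        items.sort()
        for i, (ts, result) in enumerate(items):
            if result != "approved":
                continue
            prior = [r for t, r in items[:i]
                     if ts - t <= window and r != "approved"]
            if len(prior) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "prompts_before_approval": len(prior),
                })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("prompt bursts:", find_prompt_bursts(evts))
    print("fatigue approvals:", find_fatigue_approvals(evts))
```

Run as-is, the script reports a six-prompt burst for "bob" and one suspicious approval that followed five rejected prompts, while "alice" and "carol" produce no alerts. The burst check fires before any approval happens, which is the point at which a security team would want to contact the user and reset the stolen password; the approval check is the higher-confidence signal for incident response.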
Attack method #2: Phishing
Another persistent threat to employees is phishing. From May 2022 to April 2023, Microsoft Digital Crimes Unit identified and deactivated 417,678 phishing URLs.[iv] Attackers use manipulation tactics like fear and urgency to convince the employee to take a desired action, such as clicking on a suspicious link in an email and entering their credentials on a spoofed page.
One of the biggest risks of a phishing attack is the installation of malware. Microsoft Security Threat Intelligence has seen more than 74 million devices with malware encounters in one month.[v] It just takes one risky action from an employee—downloading an unknown piece of software or a suspicious attachment—to open the door to an organization’s critical data and resources.
Mistakes happen, and attackers are persuasive. It’s unrealistic to assume an employee will never fall for a phishing lure, even with all the proper security awareness training. Instead, use a human-centric security approach to defend against phishing attacks. A device with strong data encryption and intelligent threat monitoring can help protect sensitive data and alert a company’s security team to possible intrusions into the network.
Attack method #3: Physical access
Even with robust security compliance training, insecure behavior can still occur. Forrester’s 2022 Workforce Survey found that seven percent of surveyed global information workers say they sometimes ignore or go around their organization’s security policies.[vi] That can include behaviors like not locking a device before walking away, or leaving a device in an unsecured location where it could be stolen.
To tackle these types of errors with a human-centric security model, organizations should opt for devices that have advanced features like a separate security layer for sensitive data that is tied to biometrics. Even if an attacker has physical access to the device, or even has a username and password, the sensitive secrets and data on the device are still secure.
Surface keeps people at the center of security
By using security controls built into Microsoft Surface devices, organizations can achieve a human-centric security model that helps protect against threats caused by people while creating a better experience for employees.
Microsoft Surface devices use passwordless authentication to keep the sign-in process simple and secure for employees. Organizations can minimize the risk of MFA fatigue attacks and credential theft, reduce helpdesk requests for frequent password resets, and shrink employee frustration with biometric sign-in using Windows Hello, available on select Surface devices—leading to happy humans across the organization, from IT to the user.
Meanwhile, Secure Boot and Firmware Attack Surface Reduction (FASR) protect the firmware from bootkit and rootkit-type malware infections. Secure Boot ensures an authentic version of Windows 11 starts and that the firmware is as genuine as it was when it left the factory, while FASR helps provide further firmware protection for our Secured-Core PCs. Virtualization-based security (VBS) and hypervisor code integrity (HVCI) provide further protection against both common and sophisticated malware by performing sensitive security operations in an isolated environment.
Surface devices also use BitLocker to secure and encrypt data on employee devices so organizations can protect business information even on lost and stolen devices. Additionally, the Surface Pro 9 with 5G comes with Microsoft Pluton, which helps reduce the attack surface and provides further protection of sensitive credentials.
Organizations can also proactively block threats with automatic firmware and software updates from Windows Update for Business on Surface devices. Automatic updates ensure that the device is always running the latest software, while minimizing downtime for employees so they can stay productive. They also minimize overhead for the IT team, further reducing the risk of updates not being applied in a timely manner. Microsoft Defender Antivirus is built into Surface devices to provide real-time, always-on virus protection. For an extra layer of security, IT teams can use Microsoft Defender for Endpoint[vii] to help prevent, detect, investigate, and respond to advanced threats, so that IT teams can feel more confident that users can’t engage in risky behavior.
Put humans at the center of your security model. Check out how Surface devices help organizations achieve human-centric security and defend against cyberattacks.
[i] “2023 Data Breach Investigations Report,” Verizon, 2023.
[ii] “The Future Of Security Awareness And Training,” Forrester Research, November 7, 2022.
[iii] “Defend your users from MFA fatigue attacks,” Microsoft Tech Community Blog, September 28, 2022.
[iv] “The Confidence Game: Cyber Signals May 2023 Report,” Microsoft Threat Intelligence, May 2023.
[v] “Global threat activity,” Microsoft Security Intelligence, September 2023.
[vi] “2022 Workforce Survey,” Forrester Research, 2022.
[vii] Sold separately.