It has been a mantra for so long that it’s a cliché: humans are the weakest link in the cyber security chain. The best technology in the world can’t protect an organization from an employee, or even top management, falling for a well-crafted social media or phishing attack.
We have invested a huge amount of effort over the past 20 years securing the technology operating systems, while investing almost nothing in securing the other operating system: the Human OS.
So it should come as no surprise that the latest report from the Ponemon Institute, which surveyed 1,000 IT professionals across North America and the UK, finds that a majority – 54% – of those that suffered data breaches said the root cause was “negligent employees.”
In spite of constant calls for better security awareness training, that percentage is up from last year’s 48%. And it could be even worse, since, “almost a third of the companies in this research could not determine the root cause (of the breach),” the report said.
The results of that weakest link are also depressingly familiar. Ponemon reports that:
- Cyber attacks against small and medium-sized businesses (SMBs) increased from 55% to 61% in the past 12 months.
- Ransomware showed a huge spike, from a reported 2% last year to 52% this year, with 79% saying the ransomware got into their systems through phishing/social engineering.
- While strong passwords and biometrics are “an essential part of the security defense … 59% of respondents said they do not have visibility into employees’ password practices …”
- The average cost of attacks rose, from $879,582 to $1,027,053 for damage or theft of IT assets and infrastructure; and from $955,429 to $1,207,965 for disruption to normal operations.
And the reasons why this is so are also familiar. Among them:
- Attackers take advantage of the general tendency of people to want to be helpful.
- People are trained to be compliant with authority figures, hence they are more likely to fall for attackers posing as law enforcement, top management or even HR.
- Phishing continues to improve. In the case of the finance director mentioned above, the email address looked genuine, and since the real boss had posted pictures on social media of his Greek island getaway, it made sense when the fake boss said he didn’t want to be disturbed because he was on holiday.
All of which should be a signal to company leadership that IT clichés like PEBKAC (Problem Exists Between Keyboard and Chair) or “you can’t patch stupid” are getting in the way.
The reason people continue to be the weakest link is that most organizations continue to fail to invest in them. If you want your awareness program to really be a success, put a full-time employee in charge of it. Too many programs have minimal support and maybe 15% of someone’s time.
Doing that will require mature awareness programs that focus on behaviours people can easily exhibit. We have failed to engage people on their own terms, in language they can easily understand.
But there is also some ongoing debate about the best way to do that. At last year’s Black Hat, several presenters argued that making employees hyper-vigilant could create paranoia leading to a “constant state of distrust,” and would interfere with “how people actually do their jobs.”
Kevin Mitnick, once known as the “world’s most wanted hacker” and now head of Mitnick Security Consulting, said at the time that regular, even intense, awareness training shouldn’t have a negative effect on morale or productivity.
“That would be like saying wearing a seat belt takes away the enjoyment of driving. Or locking your car makes people drive poorly,” he said. “In the world we live in, security precautions become second nature, and people adapt.”