It is often the illusive “Human Factor” that ends up being the weakest link that makes cyber-attacks and data breaches possible, sometimes even more so than hackers exploiting zero-day system vulnerabilities or employing new malware. Let’s be honest, what is easier to hack, a network based security appliance or a human being?
According to the 2016 Verizon DBIR, human errors are a major factor in most data breaches. This “human factor” is especially true with the growing mobility of employees and BYOD (Bring Your Own Device) policies that are becoming more widespread. Therefore, while technological cybersecurity solutions take centre stage in many businesses’ cybersecurity plans, addressing the human element is as important as the technological one.
The “What” of the Human Factor
The “Human factor” can be attributed to two aspects: The attackers and the conduit for attack. On one hand, businesses in all industries, especially lucrative ones, are faced with attackers who keep growing in their sophistication, capabilities and brazenness. They keep coming up with creative ways of attacking organisations by discovering new vulnerabilities in systems and software and by tricking innocent people into falling into their traps.
On the other hand, humans are considered the weakest link and can expose organisations to cyber threats through three main types of risks: human errors, ignorance and intentional harm.
To err is human
Accidents are inevitable: inadvertently sending sensitive information to the wrong email recipient, deleting a file by mistake, or clicking on a malicious link or advertisement and unintentionally downloading malware into the organisation. According to a study by Forrester, 36 per cent of breaches stem from inadvertent misuse of data by employees. Unfortunately, the solution to this problem must be addressed by technological solutions that can suspend or at least curb the harm.
Ignorance is not bliss
Without the proper training, cybersecurity risks do not cross the minds of most people outside of the cybersecurity team. Most employees who fall prey to social engineering and click on a malicious link do so out of ignorance or because they were victims to psychological manipulation in phishing.
It is also unlikely that they will stop to think about the risks of man-in-the-middle attacks when using public Wi-Fi while checking corporate email accounts on their own devices; or stop to check the email address of an unusual email, even from their managers, asking for assistance or personal details.
Most people do not put too much thought into creating sophisticated or different passwords for their devices and accounts. Actually, research on passwords shows that too many people still use common passwords such as their name or “password” or “123” which are too easy to access. Although the rise in the reports about corporate hacks started making people more aware of the cybersecurity dangers, training is necessary to turn awareness into diligence, and help employees adopt secure habits.
More than 95 per cent of the attacks on organisations use targeted spear phishing. Hackers create sophisticated emails that can easily trick people into believing that the email is an authentic one from their boss or bank, hijacking the account, downloading malware or tricking the employee into taking fraudulent actions. The main solution against this is diligence through awareness and cyber-security training.
Insidious insider threats
In addition to the above risks, the Human factor contains an even darker side. According to a recent report by Kaspersky, 28 percent of all cyber-attacks and 38 per cent of all targeted attacks involve malicious activity by company insiders. It was reported that 59 per cent of former employees admitted to stealing confidential company information with 61 percent of them stating that they had an unfavourable view of their employers.
However, not everyone involved in passing corporate credentials and other inside information to hackers are willing participants in the criminal schemes. Some might do so inadvertently or under duress of extortion if the hacker holds compromised or sensitive information about the person, such as after the Ashley Madison hack.
How to curb risks posed by the Human factor
Since this is a human issue, rather than a technical one, the employees who really need the security training may understand it better coming from people, such as HR and upper management. While your security team may be highly adept and the experts in security matters, they may not be the best people who can convey the information in a way that employees can relate to and understand.
Furthermore, training cannot be a checkbox to tick off. It requires the allocation of budget, time and human resources and workshops, online training, testing and more, should be ongoing.
Last but not least, training must be tailored according to the employee’s role and respective level of technological knowledge, as well as the degree of sensitive information to which she or he is exposed.
Cybersecurity risk management procedures can include providing employees with a VPN to avoid the risk of them using public Wi-Fi when they work outside of the office; prohibiting the use of personal social media channels to communicate with colleagues or clients about work-related correspondence or information sharing; mandatory periodic password changes; tracking apps on devices to protect from loss or physical theft; a theft hotline procedure with remote-deletion tools in place, and more.
Restrict access to sensitive data according to the employees’ role. In positions that have access to highly sensitive data, you might want to consider even stricter settings, such as using corporate-owned devices only and blocking access to web browsing. You should also consider restricting access to free software installations.
Ensure that your operating system, application software and anti-malware software are up-to-date.
Invest in technologies, such as NBA (Network Behavioural Analysis), identity and password management, encryption, DLP (Data Leak Prevention), Web application firewalls (WAF), Database Activity Monitoring (DAM), Intrusion Detection Systems (IDS), Security Operations Centre (SOC), and secure web gateways to monitor human activity and notify the security team when there is unusual activity, such as after work hours or suspicious log-in to data directories unrelated to the employee’s position.
In addition to the solutions mentioned above, new cyber-security solutions that can detect and block suspicious files in real-time, can provide thorough protection against cyber-attacks and data breach attempts.
Flawed perceptions that cyber-security can be entirely based on technological solutions must give way to the reality that humans are a key factor of company’s cyber security strategy. Research has shown that changing employee behaviour can reduce the risk of a security breach by 45 to 70 per cent. As such, organisations must invest in the Human factor and build “human firewalls” in tandem with the technological solutions.
For further information, go to Humanfirewall.com.au