The human factor in cyber security


Cyber breaches are a costly business, impacting both revenue and reputation. Recent estimates put the cost of cyber attacks to businesses at $400 to $500 billion annually. Now that’s something to be concerned about.

It’s undeniable that organisations need to lift their security game, yet conversations about cyber security tend to focus on only one side of the equation. The role humans play is often neglected in favour of technical solutions. This one-sided approach places organisations at increased risk of attack.

What’s more, attackers are finding increasingly creative ways to circumvent security procedures and target employees directly. Increased mobility and loosely managed bring-your-own-device (BYOD) allowances offer attackers unprecedented opportunities to reach an organisation through specific employees.

It’s time for organisations to address the elephant in cyber security’s room - the “human factor.”

Today, we’ve identified the two most common types of human-related security issues and will discuss how organisations can reduce their exposure to such threats. 

Threat 1: Cyber criminals skilled at social engineering

Cyber criminals manipulate unsuspecting employees into giving them access to an organisation's confidential information. This method of exploitation, known as social engineering, is one of the most common routes to a breach.

Social engineering attacks can take many forms, but phishing scams (tricking individuals into divulging sensitive information via website links or a direct reply) and malware (viruses, worms, trojan horses and spyware, to name but a few), which is most often delivered through those same phishing messages, are the two prevailing tactics attackers use to retrieve information.

In 2015, 95% of all espionage attacks involved phishing. And nearly 80% of all malware attacks were a result of phishing scams.

Attackers use social engineering because it’s easier to exploit an employee's natural instinct to trust than to attack a network directly. For these attacks to succeed, the employee must not suspect anything. Indeed, basic human error is reported to be responsible for 95% of all security incidents.

Employees make simple mistakes that place them at risk of social engineering attacks.

These include:

    • Lax email habits: opening attachments in suspicious emails can result in malware being installed. Alternatively, employees can click through to look-alike websites where attackers harvest their credentials.
    • Weak passwords: easy to guess or crack, especially when the personal details they are built from have already been shared publicly or with attackers.
    • Not backing data up: guarantees that data is lost in a destructive attack, with no recovery path.
    • Poor security habits outside work: employee-owned devices may run unpatched operating systems and applications. As such they cannot be trusted to the same degree as managed devices.
    • Connecting to unsecured Wi-Fi networks: open and public Wi-Fi networks allow attackers to capture traffic off the access point and execute attacks such as man-in-the-middle (MitM) attacks against the sessions passing through it.
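The "click through to a look-alike website" mistake above has a mechanical side that awareness training relies on: the link an employee sees is not the link they are sent to. The following is an added example, not code from this article, that checks an HTML e-mail body for the classic phishing tells: a link whose visible text names one domain while its href goes to another, an IP-literal host, and a punycode host. The e-mail body and every domain in it are constructed for illustration, and the "last two labels" rule used to compare domains is a simplification (real code should use a public-suffix list).

```python
"""Heuristic scan of an e-mail body for phishing-style links.

Added example, not code from the original article. The e-mail below is
constructed for illustration; the domains in it are placeholders.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one link hides an IP address behind friendly text, one
# shows a bank domain but points at a subdomain of an attacker-controlled
# domain, and one is a legitimate link whose text matches its target.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Please <a href="http://203.0.113.7/login">sign in</a>
to free up space.</p>
<p>Or visit <a href="https://example-bank.com.evil.example/reset">https://example-bank.com/reset</a></p>
<p>Help centre: <a href="https://support.example.com/">support.example.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    """Lower-cased hostname of a URL; bare domains are treated as http://."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _registrable(host):
    """Crude registrable domain: the last two labels (assumption, see lead-in)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Visible text that itself looks like a URL or domain name.
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def assess_link(href, text):
    """Return the list of reasons a link looks suspicious (empty means clean)."""
    reasons = []
    host = _host(href)
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host")
    if _URLISH.match(text) and _registrable(_host(text)) != _registrable(host):
        reasons.append(f"visible text names {_host(text)} but href goes to {host}")
    return reasons


def scan_email(html):
    """Map each suspicious href in the body to the reasons it was flagged."""
    flagged = {}
    for href, text in extract_links(html):
        reasons = assess_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The same mismatch check is what a trained employee performs by hand when they hover over a link before clicking; running it on inbound mail simply catches the cases where nobody hovers.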

The Fix: To mitigate the risk of breaches that result from social engineering, employees must be able to recognise suspicious material. Security awareness training has been reported to reduce an organisation's risk of a successful attack by up to 70%.

Educational resources can take the form of online cyber security training resources, peer mentoring, company-wide workshops or a blend of all. The key to an effective security awareness program is to deliver relevant material to the appropriate audience – in an efficient manner.

To achieve this there are several questions you’ll need to answer:

  • How many employees will take part?
  • What are their roles?
  • What is their computer skill level?
  • What are the existing use policies (how are employees working both in and outside the office? What devices are they using? Are they accessing external applications outside office hours to complete tasks?)
  • And of course, what is my budget?

Once these questions have been answered, there are specialist training agencies that can respond to your brief and deliver this kind of training.

Threat 2: Malicious insiders

Information can also be compromised by disgruntled employees who decide to take action against an organisation. While this form of attack is less common than social engineering, its ramifications can be devastating.

For instance, after Edward Snowden’s infamous leak of the NSA’s surveillance activities, the NSA received considerable backlash: 52% of U.S. citizens reported they were “very concerned” or “somewhat concerned” about government surveillance. The leak brought global attention to the issue of cyber security and prompted widespread privacy reforms.

While this is an extreme scenario, it demonstrates that once data has been leaked, the damage to an organisation’s reputation can’t be undone.

The Fix: Malicious insiders are inherently unpredictable. As such, organisations have to take a proactive approach to safeguarding sensitive business information.

Start with the basics, and closely manage employees’ access to data. Sensitive data should be shared with an employee only when they demonstrably need it to do their job, the principle of least privilege.

Then, turn to more sophisticated solutions. Context-aware security systems, such as Data Loss Prevention (DLP) software and user behaviour analytics, can profile user behaviour and evaluate risk. Any significant action, such as logging into a system or accessing a particular document, is recorded so that a baseline of normal activity can be determined for each user. Once a baseline exists, a risk-aware security system can flag actions that depart from it: a sudden spike in the number of documents opened, a first visit to a file share the user has never touched, or activity at hours the user has never worked. From there an organisation can take the relevant action.
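To make the baseline idea concrete, here is an added example (not the article's or any vendor's DLP code) that builds a per-user baseline from a constructed document-access log and then scores one day against it. The users, file names, working-hours window and the three-standard-deviation volume threshold are all assumptions chosen for illustration; a real system would learn them over weeks, not four days.

```python
"""Baseline-and-deviation check over constructed document-access events.

Added example, not the article's or any vendor's DLP code. The events,
user names, working-hours window and thresholds are assumptions.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed log: (timestamp, user, action, resource). "finance/..." and
# "hr/..." stand for two separate file shares.
EVENTS = [
    # Alice: one or two finance documents a day during office hours
    ("2015-06-01T09:12:00", "alice", "open", "finance/q2-forecast.xlsx"),
    ("2015-06-01T10:05:00", "alice", "open", "finance/budget.xlsx"),
    ("2015-06-02T09:30:00", "alice", "open", "finance/budget.xlsx"),
    ("2015-06-02T11:00:00", "alice", "open", "finance/q2-forecast.xlsx"),
    ("2015-06-03T09:45:00", "alice", "open", "finance/payroll.xlsx"),
    ("2015-06-03T14:10:00", "alice", "open", "finance/budget.xlsx"),
    ("2015-06-04T09:00:00", "alice", "open", "finance/budget.xlsx"),
    # Bob: one HR file every morning, including the day under test
    ("2015-06-01T09:00:00", "bob", "open", "hr/salaries.csv"),
    ("2015-06-02T09:05:00", "bob", "open", "hr/salaries.csv"),
    ("2015-06-03T09:02:00", "bob", "open", "hr/salaries.csv"),
    ("2015-06-04T09:07:00", "bob", "open", "hr/salaries.csv"),
    ("2015-06-05T09:01:00", "bob", "open", "hr/salaries.csv"),
    # Alice on 5 June: a 02:10 session pulling a dozen files, starting with HR data
    ("2015-06-05T02:10:00", "alice", "open", "hr/salaries.csv"),
]
EVENTS += [("2015-06-05T02:%02d:00" % m, "alice", "open", "finance/doc-%d.xlsx" % m)
           for m in range(12, 24)]

BASELINE_DAYS = ("2015-06-01", "2015-06-02", "2015-06-03", "2015-06-04")
TEST_DAY = "2015-06-05"
WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 is a normal working hour


def _day(ts):
    return ts[:10]


def _hour(ts):
    return int(ts[11:13])


def _share(resource):
    return resource.split("/", 1)[0]


def build_baseline(events, user, days):
    """Summarise a user's normal activity over the given baseline days."""
    per_day = Counter()
    shares, hours = set(), set()
    for ts, u, _action, resource in events:
        if u != user or _day(ts) not in days:
            continue
        per_day[_day(ts)] += 1
        shares.add(_share(resource))
        hours.add(_hour(ts))
    counts = [per_day[d] for d in days]          # zero for days with no activity
    return {
        "mean": mean(counts),
        "std": pstdev(counts),
        "shares": shares,
        "off_hours": any(h not in WORK_HOURS for h in hours),
    }


def score_day(events, user, day, baseline, z=3.0):
    """Return the reasons a user's activity on `day` departs from their baseline."""
    todays = [(ts, r) for ts, u, _a, r in events if u == user and _day(ts) == day]
    reasons = []
    # Volume: beyond mean + z*std, and at least double the mean so a user whose
    # baseline is perfectly regular (std == 0) is not flagged for one extra file.
    threshold = max(baseline["mean"] + z * baseline["std"], 2 * baseline["mean"])
    if len(todays) > threshold:
        reasons.append("volume %d exceeds baseline %.1f +/- %.1f"
                       % (len(todays), baseline["mean"], baseline["std"]))
    new_shares = {_share(r) for _, r in todays} - baseline["shares"]
    if new_shares:
        reasons.append("first access to share(s): %s" % sorted(new_shares))
    if not baseline["off_hours"] and any(_hour(ts) not in WORK_HOURS for ts, _ in todays):
        reasons.append("activity outside working hours with no such history")
    return reasons


def flag_users(events, users, baseline_days, day):
    """Map each user whose day is anomalous to the list of reasons."""
    flagged = {}
    for user in users:
        reasons = score_day(events, user, day, build_baseline(events, user, baseline_days))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_users(EVENTS, ("alice", "bob"), BASELINE_DAYS, TEST_DAY).items():
        print(user)
        for reason in reasons:
            print("   -", reason)
```

Note that Bob opens the same HR file on the test day and is not flagged, because for him that access is the baseline; Alice opening it once is an anomaly. That is the point of per-user profiling over a static rule such as "alert on any access to hr/".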

Other defensive technologies include:

  • Database activity monitoring (DAM)
  • Secure web gateways
  • Web application firewalls (WAF)
  • And intrusion detection systems (IDS)

These two threats to cyber security ultimately come back to one common denominator - humans. While the majority of staff are well-meaning, they still pose a risk to security. Understanding this vulnerability is the first step to safeguarding an organisation against breaches.
