The cybersecurity threat landscape is growing more complex and more dangerous, even as new technologies emerge and cyber regulations tighten. Against this backdrop, where 57% of businesses now assume their IT security will be compromised at some point, businesses are also waking up to the fact that one of the biggest chinks in their armour against cyberattack is their own employees.
More than 90% of cybersecurity issues originate from human error within your organization, not externally. In fact, 52% of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk. They worry most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).
In the recent WannaCry ransomware epidemic, the human factor played a major role in making businesses worldwide vulnerable. Two months after Microsoft had patched the vulnerability the worm exploited (the SMBv1 flaw addressed by the MS17-010 update of March 2017), many companies around the world still had not applied the update. Several cases followed in which non-IT personnel were the weakest link: for example, employees with local administrator rights disabled the security solutions on their computers and let the infection spread from their machine onto the entire corporate network, according to Kaspersky.
Human error on the part of staff is not the only attack vector that businesses fall victim to. Internal staff have also caused security issues through deliberate malicious actions, with 30% of security events in the last 12 months reportedly involving staff working against their own employers.
While employees can pose a risk to companies, they also have an important role to play in helping protect the companies they work for. When security incidents happen at a business, it’s important that employees are on hand to either spot the breach or mitigate the risks. However, employees don’t always take action when their company is hit by a security incident. In fact, in 40% of businesses around the world, employees hide an incident when it happens.
Humans are the weakest link
The ‘hacking-the-human’ or social engineering trend is based on criminals realising that it is increasingly difficult to break through sophisticated security technology, whereas it is comparatively simple to trick an unsuspecting person into opening a potentially malicious attachment, clicking on a link or parting with sensitive information.
According to security software company Trend Micro, a staggering 91% of successful breaches started with attacks that were focused on the weakest link in the security chain: people. Even more alarming, insider threats can take years to discover because they are so hard to detect, and many of them derive from a lack of cyber literacy.
Humans are often blamed for being the weakest link in the cybersecurity chain, and without the right level of awareness and training this is certainly the case. 88% of the data breaches reported to the UK Information Commissioner’s Office in 2018 were attributed to human error.
Staff may make mistakes that put their company’s data or systems at risk, either because they are careless and accidentally slip up, or because they have never received the training that would teach them how to behave appropriately and protect the business they work for.
Careless or uninformed staff, for example, are the second most likely cause of a serious security breach, second only to malware. In addition, careless or uninformed staff contributed to 46% of the cybersecurity incidents reported in the last year.
Whereas technology gets updated and improved upon all the time, our ‘human operating system’, or the way we make decisions and react to our emotions, hasn’t been upgraded in thousands of years. We are non-binary, emotionally driven beings who can be manipulated into feeling a low-grade form of fear, which in turn suppresses our critical thinking and results in poor decision making, said Anna Collard, MD of Popcorn Training, during an interview.
Human hacking technology
How do cybercriminals successfully infiltrate security through people? Cybercriminals use psychological tricks to literally ‘hack’ our emotions. Their aim is to trick us into revealing information, installing malicious software or unknowingly participating in their scams.
They use a combination of tactics such as researching and profiling their victims on social media (a technique called pretexting) and making use of subtle but effective psychological levers to get their targets to do what they want. The three most widely used levers are fear, flattery and greed. These can be delivered via targeted phishing emails, text messages, or in person and via the phone, said Anna Collard.
The most common example is an employee downloading a malicious attachment that releases malware into the internal network, where it can quietly leak private and confidential company documents.
The use of AI technology is making these types of attacks more powerful and more automated. For example, AI can compose targeted messages based on information learned about the target online and then leave human-sounding voice messages urging the person to act on the email.
Deepfake technology has also been used in impersonation attacks, for example by cloning the voice of a CEO instructing someone to authorise a fraudulent wire transfer or invoice payment.
People-centred cyber security
The first step is recognising that although technology should prevent the majority of attacks, it is only one layer of the defence and people make up an important pillar of the overall security program, said Anna Collard.
The first requirement is a clear security policy. Kaspersky found that concerns about the inappropriate use of IT by employees vary considerably according to company size, with very small businesses (with 1-49 employees) feeling more at risk from this threat than enterprises with more than 1000 staff. This could be due to a number of factors, including enterprises having stricter policies in place and more thorough training for staff on best practice. In addition, very small businesses tend to grant employees a greater degree of flexibility in how they use business IT resources.
It’s simply not enough to have an IT security policy in place. A policy, alone, will not protect a business from threats – partly because IT security policies are not always followed by the staff that they are designed for, and partly because they cannot cover every possible risk.
In fact, Kaspersky research shows that an astounding 44% of companies say that employees do not follow IT security policies properly. What’s even more concerning is that even though two-fifths of businesses have admitted to Kaspersky that employees do not follow their security policies, businesses are doing little to solve the problem themselves, with only a quarter (26%) planning to enforce their IT security policies among staff.
People-centred security starts with understanding the risks that arise from people’s interaction with technology and data, and understanding where psychological triggers may lead to security incidents. Security awareness shouldn’t be seen as an IT problem; it should be run as a continuous culture change and communications programme, combining education through engaging, bite-sized content and creative messaging with inoculation of users through frequent and highly realistic simulated phishing tests. Why is cultivating a culture of security important for businesses? When all else fails, humans are the last line of defence. Effective security awareness programmes aim to shape behaviour so that security alertness becomes second nature, and people can then become our strongest security assets.
If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear rules and impose extra responsibility on employees, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies only foster fears, and leave employees with just one option — to avoid punishment whatever it takes.
Apart from improving the organisation’s risk posture, we owe it to our employees and co-workers to educate them and make them aware of the danger of cyber threats to their personal lives and that of their family.
Delivering training to staff is the second most popular method of defense for businesses – second only to the deployment of more sophisticated software and closely followed by increasing the numbers of internal IT or IT security staff.
The Importance of Cyber Literacy and Cyber Training
Training personnel and bringing more dedicated staff on board to help enforce security policies is a logical answer to the problem of employee carelessness. And it’s the answer that multiple businesses across the globe are looking to implement.
Most breaches and data exposures stem from human error or, sometimes, intentional misconduct. It is not unusual for employees to put their organisation at risk out of boredom or spite, or by falling for phishing scams run by attackers. Most attacks, however, are caused simply by human error.
Without creating awareness and providing a deeper understanding of best practice through cyber literacy, any threat mitigation tool or firewall loses much of its value. The threats are coming from your own people.
“Our advice to end-users is to watch out for anything that seems slightly out of the ordinary or is triggering an emotion (whether positive or negative). Avoid links and attachments you are not 100% certain of,” said Anna Collard. Even if the message looks like it is coming from inside the organisation, if there is the slightest doubt about the tone of the message or the type of request, verify with the sender out of band.
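The advice above (treat emotional pressure and unusual requests as a cue to verify out of band) and the three levers named earlier (fear, flattery and greed) can be turned into a simple triage check that a help desk or a mail-filter rule could run on a reported message. The following is an added example written for this page, not code from the article, from Popcorn Training or from Kaspersky. The internal domain `example.com`, the executive name list, the lever phrase lists and both sample messages are constructed assumptions; the lookalike-domain test uses a deliberately small homoglyph table and a crude "last two labels" notion of the registrable domain.

```python
"""Heuristic triage of a reported e-mail for the social-engineering tricks
described in the text: display-name impersonation, lookalike sender domains,
Reply-To redirection, lookalike links and fear/greed/flattery pressure.
Added example; every constant below is an assumption, not data from the page."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"              # assumption: the organisation's own domain
EXECUTIVES = {"jane doe", "ceo"}             # assumption: names an attacker would impersonate

# Phrases grouped by the three levers named in the article (assumed lists).
LEVER_PHRASES = {
    "fear": ["urgent", "immediately", "account will be suspended",
             "final notice", "within 24 hours"],
    "greed": ["bonus", "you have been selected", "reward", "free gift"],
    "flattery": ["valued", "most reliable", "handpicked", "outstanding work"],
}

# Single-character homoglyphs commonly used in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Fold the usual visual tricks (rn->m, vv->w, digits, hyphens) away."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(HOMOGLYPHS).replace("-", "")


def is_internal(domain: str) -> bool:
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """True if the registrable part of `domain` imitates INTERNAL_DOMAIN.
    Crude: takes the last two labels, so co.uk-style suffixes are not handled."""
    if not domain or is_internal(domain):
        return False
    base = ".".join(domain.lower().split(".")[-2:])
    norm, target = normalise_domain(base), normalise_domain(INTERNAL_DOMAIN)
    return norm == target or levenshtein(norm, target) <= 1


def triage(raw_message: str) -> dict:
    """Return the findings for one RFC 822 message and whether the recipient
    should verify the request out of band before acting on it."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    findings = []
    if display.strip().lower() in EXECUTIVES and not is_internal(sender_domain):
        findings.append(f"display name '{display}' impersonates an executive "
                        f"from external domain {sender_domain}")
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain} is a lookalike of {INTERNAL_DOMAIN}")
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")
    for url_domain in re.findall(r"https?://([\w.-]+)", text):
        if is_lookalike(url_domain):
            findings.append(f"link points to lookalike domain {url_domain}")
    for lever, phrases in LEVER_PHRASES.items():
        hits = [p for p in phrases if p in text]
        if hits:
            findings.append(f"{lever} lever: {', '.join(hits)}")
    return {"findings": findings, "verify_out_of_band": bool(findings)}


# Constructed sample messages (not real mail).
SAMPLE_CEO_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@protonmail-secure.net
To: accounts@example.com
Subject: Urgent wire transfer

I need you to process this payment immediately, I am in a meeting and cannot talk.
You have always been my most reliable person on this. Final notice from the vendor:
https://login.examp1e.com/invoice
"""

SAMPLE_LEGIT = """From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Maintenance window Saturday

The mail server will be patched on Saturday between 02:00 and 04:00. No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("ceo-fraud", SAMPLE_CEO_FRAUD), ("legit", SAMPLE_LEGIT)):
        result = triage(raw)
        print(name, "-> verify out of band:", result["verify_out_of_band"])
        for f in result["findings"]:
            print("  *", f)
```

The check is intentionally additive: any single finding is enough to recommend picking up the phone, because the point of the advice is that the cost of one out-of-band call is trivial next to a fraudulent transfer. Word lists like these are only a prompt for the person reading the report; they are easy for an attacker to avoid, which is why the structural signals (executive name on an external address, Reply-To pointing elsewhere, lookalike domains) carry the real weight.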
Staff training is essential in raising awareness among personnel and motivating them to pay attention to cyberthreats and countermeasures ― even if they are not part of their specific job responsibilities. Installing updates, ensuring that anti-malware protection is on, and managing personal passwords properly shouldn’t always be at the bottom of an employee’s to-do list.
No one likes a boring job. Investing in the cyber literacy of your team not only shows employees that they are appreciated, but also that their professional development needs are seen and met. Any additional training that exposes your employees to other worlds of content is an investment in employee retention and in your company’s success.
Consider another scenario: reducing insider threats through strict security policies. This includes random computer check-ups or monitoring of employees’ online activity, which, unsurprisingly, can backfire by decreasing employee satisfaction and productivity. Instead, organisations can and should invest in educating their entire workforce on security threats and best practices.
Security awareness is a little like flossing: it needs to be done regularly, and users need to be kept up to date with the latest threats. Luckily there are ways of automating and simplifying much of the process.
“At Kaspersky Lab, we know that the best way of protecting a business from cyberthreats is a combination of the right tools and practices. In addition to awareness training for staff, protection should include security solutions that make the corporate network more visible and manageable for IT security teams.”
Most of the threats related to unaware or careless employees, including spam, phishing and ransomware, can be addressed with endpoint security solutions. There are tailored products that can cover particular needs of SMB and Enterprise-level companies in terms of functionality, pre-configured protection or advanced security settings.