The Human Factor: The hidden cyber security vulnerability inside every business
10 March 2016
Firms spend billions on systems that promise to keep cyber criminals out, but many could be overlooking the biggest threat to their businesses: the employees within their buildings who lose devices, click on dodgy links and open malicious emails.
Just last week Business Reporter covered a data breach at Snapchat, where an employee was tricked by a cyber criminal pretending to be CEO Evan Spiegel. Although no systems were infiltrated and no user data was exposed, an attacker got away with past and present employees' payroll information because the member of staff fell for a phishing email.
And this is just one example of the many ways hackers can target employees. Emails with attachments containing malware are delivered, phone calls are made under false names and poor passwords are exploited. Ordinary workers' carelessness and lack of knowledge are now key points of attack for cyber criminals who want to target firms.
Risky employee behaviour
Three-quarters of large organisations suffered staff-related security breaches in 2015, and half of the worst breaches were caused by human error. But even though 42 per cent of executives say their information security training is “very effective” at boosting awareness of risks, just 28 per cent say it is as effective at changing behaviour amongst employees.
Indeed, this applies both in and out of the office. The most popular internet passwords of 2015 were “123456”, “password” and “12345678”, which hardly present a challenge to a determined hacker. And recent research showed that 79 per cent of businessmen and 67 per cent of businesswomen use potentially risky smartphone apps every day.
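The weak passwords named above are the kind a registration or password-change form should refuse outright. As an added illustration that is not part of the original article, the Python below shows a defensive check that rejects short passwords, passwords on a deny-list, and trivial variants of deny-listed words (capitalisation, leet substitutions such as “p@ssw0rd”, and digits or symbols tacked on the end to satisfy complexity rules). The deny-list here is a constructed six-entry set for illustration; a real deployment would load a large list from a breach corpus rather than hard-code it.

```python
import re
from typing import List

# Constructed deny-list for illustration only. Three of these entries are the
# most popular passwords of 2015 cited in the article; the rest are made up here.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "letmein", "welcome",
}

MIN_LENGTH = 12  # assumed policy value, not a figure from the article

# Substitutions users commonly apply to disguise a banned word.
_LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalise(candidate: str) -> str:
    """Reduce a password to the dictionary word it is built from.

    Lower-case it, strip any trailing digits/symbols ("password123!"),
    then undo leet substitutions ("p@ssw0rd" -> "password").
    """
    base = candidate.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(_LEET)


def check_password(candidate: str) -> List[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    elif normalise(candidate) in COMMON_PASSWORDS:
        problems.append("is a trivial variant of a common password")
    return problems


if __name__ == "__main__":
    for sample in ("123456", "P@ssw0rd123!", "correct horse battery staple"):
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The order inside `normalise` matters: trailing digits are stripped before the leet mapping runs, otherwise a suffix like “123” would be rewritten to letters and the base word would no longer match the list.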
Other statistics show that nearly nine in ten employees are likely to open a phishing email on the same day they receive it, and in a report published today 77 per cent of CIOs said they are frustrated because although they make secure technologies like encryption available at their businesses, workers simply do not use them when sending data to third parties.
Keep it simple
So with employees’ risky behaviour putting data belonging to businesses and their customers in peril, what can security teams do to help prevent cyber breaches?
Education should certainly be on the agenda, but the key is to make cyber security simple for employees and ensure they can do their jobs. If a security measure obstructs a member of staff in the course of their work, it is likely that they will try to find a way to get around it – one that may employ unsanctioned apps and introduce further cyber risk.
“The key here is to never underestimate the ingenuity of users,” said Institute of Information Security Professionals director Andy Cobbett at The European Information Security Summit 2016 (TEISS). “They will find a way around it to get the job done… Make it simple. If you lock it all down from the beginning it just makes business hard to do.”
In a similar way, cyber security policies should be easy for employees to read and understand. If staff are given a 50-page document to read, the chances are they will not make it to the end. Instead, guidelines on good practices should be delivered in a short, easy-to-read document that makes it as straightforward as possible for employees to put the advice into action.
“A long, complex policy will be ignored,” said David Topping, COO at Bluesky Secure Enterprise Collaboration, at the same conference. “Users are more concerned with getting the job done. Use easily-understood categories [of data sensitivity] and use examples.”
React and reward
But while it’s one thing for employees to know how to spot a suspicious email or a potentially malicious file, it is quite another for them to know what to do once they have identified it. Businesses must also make it clear to staff what they should do if they detect a threat.
“People, as we know, don’t tend to know how exactly to attend to a threat,” said Professor Pam Briggs, chair in applied psychology at Northumbria University, at TEISS. “But also, in very few companies are they really motivated to cope. They might alert you to an incident, but to what extent do you praise them for alerting you, and is it part of their job description?”
Because employees tend to focus on their core jobs, cyber security staff must reward them and give feedback on what they report. Otherwise, the vigilant worker who spotted and reported a phishing attempt may not bother to tell anybody the next time a ransomware attachment lands in their inbox.
Employees are currently a weak link, and this is something that cyber criminals know and exploit. It is up to businesses and their information security leaders to ensure that their staff are well-informed, well-drilled and motivated to take action, to help close this hidden crack in every organisation’s cyber armour and protect their data, money and reputations against attackers.