Cybersecurity is a concept widely misunderstood by both employees and employers – just decades ago it was little more than a myth to the public. With the growth of the internet age, awareness has slowly emerged and cybersecurity has been brought to the forefront. However, there is a central element of cybersecurity that is sometimes ignored: humans are often the weakest link in the chain. And, as the old proverb goes, you are only as strong as your weakest link.
A 2018 report found that 88% of data breaches in the UK were caused by human error. Indeed, attackers have targeted unsuspecting individuals since at least 1999, when the Melissa virus caused $80 million in damages by infecting Microsoft Word documents. The virus was disguised as a harmless email attachment and wreaked havoc when victims opened it. Another report found that 78% of security professionals believe the biggest threat to endpoint security is employee negligence in security practices.
Weak or Unprotected?
It is important to realise that employees who fall victim to these attacks are not simply acting carelessly. The attacks are thoughtful, clever and targeted. Attackers design them, through social engineering, to prey on human vulnerabilities, using techniques they know have a high rate of success. They invoke authority figures and manufacture uncertainty to convince employees that they are doing the right thing, or they make the attack look commonplace so that employees act purely out of habit.
A 2016 study by Agari, a leading cybersecurity company, showed that 60% of enterprises fell victim to social engineering attacks in 2016. From these attacks, 65% of employees’ credentials were stolen and 17% of the companies’ financial accounts were breached. Social engineering attacks, the report explains, rely on human interaction and fraudulent behaviour to trick or deceive targeted employees into performing harmful actions. They are the fastest-growing security threat for companies today, says Agari.
Chief Scientist for Agari, Dr Markus Jakobsson, explained that they “expect to see a catastrophic growth of these types of attacks in the future, fuelled by both their profitability and the poor extent to which businesses are protecting themselves, unless these organizations begin taking the necessary technology-based countermeasures to prevent these attacks”. This call for technology-based countermeasures echoes other security experts who argue that the weakest link in the chain is not humans but technology.
For example, Theresa Payton, CEO of Fortalice Solutions and former CIO for the White House, suggests that “the time has come to move beyond the security mantra ‘don’t click on email links or open attachments and we’ll all be safer’”. After 15 years of this message, with attacks still on the rise, Payton believes it simply does not work to place the blame and responsibility on employees.
Payton recognises that “from a social engineering standpoint, it has never been easier to trick employees … business email compromise is one of the largest unreported crimes after ransomware.” However, she asserts that technology should be designed to secure the human, with technological safety nets put in place to protect targeted employees. This would involve measures such as network segmentation, two-factor authentication and hardware authentication devices such as YubiKeys.
When Technology Fails
However, many security experts still firmly assert that human error is the weakest link for companies.
Leader of BakerHostetler’s Privacy and Data Protection team, Theodore Kobus says that “no matter what technology we put in place, no matter how much money we spend on protections for the organization, we still have people and people are fallible”. He suggests that, to stem the flow of social engineering attacks, employees must constantly be warned to slow down, stop and consider all emails, and “either walk down the hall or phone to ask a colleague if they sent the email”.
Andrew Beckett, the managing director and EMEA leader for Kroll, mirrors this idea. Beckett believes that “effective cyber security is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks”.
Training employees on what to look for, how to react and how to double-check sources is essential. More importantly, employees must not be afraid to report their mistakes, since reaction time to these attacks often has an enormous impact. An article by Forbes highlights that cyber awareness is key; it suggests automated training using gamification, saving companies huge amounts of money and time. If employees have 24/7 access to training that is interesting and informative, this could make all the difference.
Developing the Strongest Chain
Human error has proven to be the weakest link in the chain when it comes to enterprise cybersecurity. Yet companies are neglecting their responsibility to protect targeted employees with technology safety nets and awareness training.
Importantly, however, companies cannot rely on shiny new technology alone to protect themselves from clever social engineering attacks. These attacks are particularly hard to stop, because employees who grew up in the technology age are accustomed to rapid-fire responses and conditioned to trust emails and answer them quickly.
Companies have a lot of work to do when it comes to shoring up their cybersecurity practices. And this starts from the ground up, from physical locks and office security to the education of employees and the introduction of security programmes. There is no one-size-fits-all approach to cybersecurity readiness. It requires an enterprise-wide strategy tailored to the industry and its culture whilst also accounting for regulatory requirements. Finally, transparency and communication are paramount when responding to breaches, and these must be incorporated into the overall strategy as well.