The biggest cyber-security threat to your business is the people within it. That’s right – the same employees whom you rely on for productivity and profits are also a major weakness when it comes to protecting your operations and information.
So-called “human error” is the basis for a whole school of cybercrime tactics like phishing, spoofing, and more. In fact, Australia’s share of global phishing attacks almost doubled in the past year, meaning almost one in four phishing attacks is now aimed at an Australian. These social engineering threats don’t rely on clever coding or sophisticated hacking methods; the people behind them find it far easier to prey on predictable human behaviour instead. And even without a malicious actor involved, a careless employee or an overcomplicated procedure (the two often go hand in hand) can see sensitive information leak outside the business.
We must ensure information security takes the human factor into account, or even prioritises it. A number of our customers have averted potentially disastrous breaches by treating employees, contractors and other “wetware” as variables when assessing threats and readiness levels. However, IT pros typically don’t have much experience in behavioural psychology (apart from perhaps outmanoeuvring zombies in Doom or Left 4 Dead). When it comes to human security, and avoiding million-dollar breaches that technology alone cannot prevent, we need to look outside the profession while rethinking how we use the tools we already have.
Let our powers combine
The term “human error” implies a lack of malicious intent. In the vast majority of cases, that’s true. According to IBM’s latest global cybersecurity index, over 95 percent of infosec incidents involve human error as a contributing factor. Even with social engineering tactics like phishing, the problem arises only when an employee is duped into clicking a link or opening an attachment. Your people may be clueless, as Dogbert predicted, but they’re not out to get your business, and therein lies a major clue for how to address the threats they pose.
First and foremost is education. Employees need to know what they’re doing (or thinking) incorrectly, and how they can address this on an everyday level. As smart HR managers will advise, practical demonstrations work better than boring training sessions. One common trick we see is presenting employees with a series of emails and asking them to pick out which ones are legitimate; discovering that they got several wrong goes a long way towards reducing people’s default overconfidence in their own powers of perception. Incentives to do good are also typically more effective than punitive measures. Google’s well-known bug bounties are a good example: paying people to find and report flaws, rather than assuming the defences are already good enough, leads directly to a more secure product for everyone. The same logic applies inside the business to staff who report a suspicious email instead of quietly deleting it.
Apart from HR, IT can also partner with the parts of the business most affected by breaches: a Finance person detailing the costs of the last breach will hit home far more than a simple “don’t plug in USB sticks with pirated software”. IT policies can also support behavioural change through basic restrictions and encouragements, such as password rules (current guidance favours minimum length and blocking known-breached passwords over old-style complexity requirements, which mostly produce predictable substitutions) or restrictions on leaky apps and websites. Your employees are far more likely to accept these minor inconveniences once they understand the reasons behind them.
Second, IT and HR managers should start talking to executives about day-to-day processes in the business. Over-complex or convoluted routines are less likely to be adhered to, and the same goes for policies that cause friction with staff. For example, if a lot of your employees are already using a public-cloud file storage tool like Dropbox (a “shadow IT” scenario), you may be better off adopting a business edition as an official, centrally managed tool (with account control and an audit trail) instead of trying to ban access. The IT manager’s goal is to retain as much visibility over the network as possible and to be able to step in when something goes wrong. Often, executives will support these sorts of recommendations, particularly when you illustrate the potential costs of simply letting the status quo shamble along.
Keep an eye on things
The third, and perhaps most useful, thing IT pros can do is boost their monitoring capabilities. An organisation-wide network monitoring platform lets you mitigate the human factor by picking up signs of abnormal behaviour, such as a workstation suddenly talking to an unfamiliar host on an unusual port, or downloads from lookalike domains. It also gives you a clearer picture of how your people actually use apps and the network. That intelligence can then inform how you educate individuals and shake up the processes discussed earlier. Your HR colleagues will thank you for it.
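To make “abnormal behaviour” concrete, here is the simplest form of such a check, written for this article as an added example rather than code from any monitoring product: it learns which hosts and ports each user normally talks to from one day of outbound proxy logs, then flags connections on a new non-web port and destinations that look like a typo-squat of a domain the business actually uses. The log format, the sample lines, the known-good domain list and the allowed-port list are all constructed assumptions; a real proxy or firewall exports a different format, so only parse_line needs to change.

```python
"""Flag new ports per user and lookalike domains in outbound proxy logs.
Log format, sample lines, KNOWN_GOOD and ALLOWED_PORTS are constructed
assumptions for this example; adapt parse_line to your own proxy's output."""
import re
from collections import defaultdict

# Constructed sample: a day of normal traffic used as the baseline ...
BASELINE_LOG = """\
2016-03-01T08:02:11 user=alice dst=mail.example.com:443 bytes=5120
2016-03-01T08:05:42 user=alice dst=dropbox.com:443 bytes=90112
2016-03-01T09:10:03 user=bob dst=github.com:443 bytes=20480
2016-03-01T09:12:55 user=bob dst=mail.example.com:443 bytes=3072
"""
# ... and the following day, which we check against that baseline.
CHECK_LOG = """\
2016-03-02T08:01:09 user=alice dst=mail.example.com:443 bytes=4096
2016-03-02T08:44:17 user=alice dst=dropb0x.com:443 bytes=2048
2016-03-02T10:22:30 user=bob dst=203.0.113.9:4444 bytes=1048576
2016-03-02T10:30:00 user=bob dst=github.com:443 bytes=8192
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)
KNOWN_GOOD = {"mail.example.com", "dropbox.com", "github.com"}  # assumption: maintained by IT
ALLOWED_PORTS = {80, 443}  # assumption: ordinary web traffic needs no alert


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def edit_distance(a, b):
    """Levenshtein distance; domains are short so the O(len*len) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Return the known-good domain this host imitates (within 2 edits), else None."""
    for good in KNOWN_GOOD:
        if host != good and edit_distance(host, good) <= 2:
            return good
    return None


def build_baseline(log):
    """Map each user to the set of (host, port) pairs seen in the baseline window."""
    seen = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec["user"]].add((rec["host"], rec["port"]))
    return seen


def find_anomalies(baseline, log):
    """Return (user, rule, detail) tuples for lines that trip either rule."""
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        key = (rec["host"], rec["port"])
        # Rule 1: a non-web port this user has never used before.
        if rec["port"] not in ALLOWED_PORTS and key not in baseline[rec["user"]]:
            alerts.append((rec["user"], "new-port", f"{rec['host']}:{rec['port']}"))
        # Rule 2: destination is one or two characters away from a domain we trust.
        good = lookalike(rec["host"])
        if good:
            alerts.append((rec["user"], "lookalike-domain", f"{rec['host']} ~ {good}"))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in find_anomalies(build_baseline(BASELINE_LOG), CHECK_LOG):
        print(f"ALERT {rule:<17} user={user} {detail}")
```

On the constructed data this raises exactly two alerts: alice reaching the typo-squat dropb0x.com, and bob opening port 4444 to an address he has never contacted. The point is that neither line is malicious on its face; it is the deviation from that person’s own baseline that makes it worth a conversation, which is the intelligence that feeds back into the education and process work above.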
Monitoring can also be combined with automated responses that take the human out of the “human factor”. A number of email security platforms, for example, scan mail not only for viruses but for phishing and malware patterns (spoofed sender names, mismatched reply-to addresses, links whose visible text hides their real destination), removing the triggers for social engineering before they get anywhere near employees. No filter catches everything, so the messages that slip through still land on a trained person, which is why education comes first. Mobile device management software can not only wipe an employee’s phone when they report it stolen, but also keep corporate data in a managed container with its own encryption and access controls, separate from the personal apps on the device.
Education and training may be the main defence against human error, but skilful use of new and existing IT tools can help support employees as they take up arms against cyber-threats and our own natural tendency towards complacency. Just as in any videogame, defeating social engineers, careless employees and other infosec enemies requires you to understand their behaviours first. It may not be as satisfying as fighting zombies, and it may take a lot longer, but the payoff is definitely worth it.
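Here is what those phishing-pattern checks look like when written out, as an added example for this article rather than the logic of any particular mail product. It parses a message with Python’s standard email library and applies three of the checks gateways rely on: a display name that claims an internal address the envelope sender does not have, a Reply-To that steers answers to another domain, and links whose visible URL text points somewhere other than the real href (or to a bare IP address). Both messages and the INTERNAL_DOMAIN value are constructed assumptions.

```python
"""Spot social-engineering 'triggers' in an email before a person sees it.
The two messages and INTERNAL_DOMAIN are constructed for this example."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: the business's own mail domain

# Constructed phish: display name impersonates an internal address, replies are
# redirected elsewhere, and the link's visible text hides its real destination.
PHISH_MESSAGE = """\
From: "IT Helpdesk <helpdesk@example.com>" <support@example-helpdesk.co>
Reply-To: recover@mailbox-reset.net
To: alice@example.com
Subject: Urgent: your mailbox is over quota
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox will be locked in 24 hours. Verify your account now:</p>
<a href="http://203.0.113.44/login">https://webmail.example.com/reset</a>
</body></html>
"""

# Constructed legitimate message for comparison.
CLEAN_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled webmail maintenance
Content-Type: text/html; charset=utf-8

<html><body>
<p>Webmail is offline on Saturday 02:00-04:00. Details:</p>
<a href="https://webmail.example.com/status">https://webmail.example.com/status</a>
</body></html>
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_phishing_indicators(raw):
    """Return human-readable findings for one raw RFC 822 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    # 1. Display name claims an internal address that the actual sender is not.
    if INTERNAL_DOMAIN in sender.display_name.lower() and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display-name spoof: '{sender.display_name}' sent from {from_domain}")
    # 2. Replies are steered to a domain other than the sender's.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to mismatch: {from_domain} vs {reply_domain}")
    # 3. Links whose visible URL text names a different host, or that go to a bare IP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if text.startswith("http") and host_of(text) != target:
                findings.append(f"link mismatch: shows {host_of(text)}, goes to {target}")
            if IPV4.fullmatch(target):
                findings.append(f"link to raw IP: {target}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, find_phishing_indicators(raw) or ["no indicators"])
```

Each of these checks is cheap and none is conclusive on its own; a gateway scores them together and either quarantines the message or rewrites the offending links. Note what the rules do not look at: the urgency in the subject line and the threat of a locked mailbox are exactly the psychological levers the article describes, and they are much harder to score reliably by machine, which is why the person receiving the residue still has to recognise them.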