Who’s Inspecting the Human Element in Cybersecurity?


Let’s call it company XYZ. It takes cybersecurity seriously. It has a robust firewall, regularly updates anti-malware, anti-virus and anti-spyware software on every company computer and punctually installs software updates. It also backs up all its data and increasingly relies on analytics to try to stay a step ahead of would-be hackers.

And yet it winds up being breached—ultimately, the victim of an employee error—and has to spend millions getting shipshape again. What went wrong?

This anecdote is apocryphal but nonetheless a realistic description of what happens to many seemingly cybersecurity-astute companies. The problem is the fallible human element, which is not addressed nearly as thoroughly as the technical element in the cybersecurity realm, even though more successful attacks occur because of human mistakes and sometimes malfeasance.

Security is only as strong as its weakest link. But while technology can shore up most things on the security front, it can’t do much about the person sitting in front of a keyboard. Phishing, sharing of passwords, poor patch management, double-clicking on unsafe URLs and organizational access through a personal device are just a few human errors that lead to a security threat.

Many, if not most, sizable companies and government entities provide some type of cybersecurity training for employees who use computers. The hitch, by and large, is that it’s usually not good enough. Among other issues, the knowledge and sophistication of the people being trained vary widely, often undermining training effectiveness. And even the most astute trainees seldom know much about cybercrime.

Some studies have shown that even personalities can determine the odds of setting the stage to get hacked.

In one study, respondents who identified themselves as Type A personalities didn’t believe they were at increased risk by reusing passwords, a risky endeavor, because they thought their own proactive efforts were sufficient. Regardless, there is no question that end users of all stripes fall prey to typical attack scenarios. Too often, they mistakenly visit malware-laden websites, insert infected thumb drives into their machines or do something else wrong.

As bad as things have been for some time, the COVID-19 pandemic has made the situation even worse. A recent research report co-authored by Myers-Briggs, a Silicon Valley business psychology provider, and ESET, a Slovakia-based cybersecurity specialist, found that human error is at the root of a huge spike in cybersecurity risks that has impacted eight in 10 companies during the pandemic.

As it turns out, COVID-19-induced stress unnerves people in their work as well as their personal lives, particularly if they work at home, as tens of millions more Americans now do. Specifically, the report, entitled “Cyberchology: The Human Element,” says that heightened stress levels make employees more likely to panic and click on a malicious link or fail to report a security breach.

The human element clearly came into play two months ago when a hacker breached a water treatment plant in Oldsmar, Florida in an effort to poison the water supply. After the fact, government and law enforcement authorities found several shortcomings at the plant.

For starters, the plant was running an outdated Windows 7 operating system, one that no longer offers security updates. In addition, authorities found that staff all utilized the same password for remote access to the plant. And the plant’s computers appeared to be connected directly to the Internet without any firewall protection.

There is a lesson here. Organizations frequently neglect to identify simple interventions that can help reduce the incidence of bad behavior. Some entities purchase technology that tries to sidestep this by offloading human decisions into artificial intelligence and machine learning systems. But such innovations, while clearly helpful, are no more fail-proof than the humans they stand in for.

Clearly, cybersecurity improvement is needed across the board, albeit much more on the human front.

For example, installing security patches promptly and keeping security up to date is widely considered among the best methods to protect against security attacks. Nonetheless, most employees, even IT administrators, frequently procrastinate. Part of the reason, no doubt, is that update prompts and patches often come when an employee is preoccupied with a higher priority task. Some never get around to taking the required action.

This raises the question of just what better cybersecurity training should look like.

Training programs differ widely. What counts is their value and how well they are implemented in the workplace. By and large, most businesses should focus not only on cybersecurity training in general but on the most relevant dangers they should monitor, whether insider threats, spear phishing, ransomware or something else. Training should be mandatory for all employees, and they should learn how to identify social engineering attacks and phishing schemes and suspicious links in general. In addition, remote workers should be briefed on the dangers of public Wi-Fi.

Companies and other organizations should also recognize that training needs to be front and center constantly, readily cognizant of the latest threats.

Here are other preventive measures that organizations should consider adopting:

+ Beware of BYOD. Bring your own device policies allow employees to use their own mobile devices to perform various work functions and have grown enormously. These can spark huge security issues. BYOD policies should ensure that critical company data is not left vulnerable on employee-owned hardware.

+ Consider denying all access by default. In this case, privileged access is provided only on a case-by-case basis. This can prevent accidental data leaks by employees who aren’t supposed to work with certain sensitive data in the first place.

+ Increase monitoring. An organization-wide security monitoring platform complements anti-malware, data loss prevention and email security tools, allowing the IT department to mitigate the human factor by picking up signs of abnormal behavior.

+ Consider enhancing training with “live fire” practice attacks—a simulation of the real thing. Mistakes occur in training just as they do nearly everywhere else, and rehearsed attacks help curb them.
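One concrete form the monitoring measure above can take, as an added example that is not part of the original post: a small detector that flags the pattern found at the Oldsmar plant, a single remote-access credential used from many different machines. The log format, the account names and the addresses are all constructed for the example.

```python
# Added example (not from the blog post): flag a shared remote-access
# credential by counting distinct source addresses per account inside a
# sliding time window. Log format and values below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed "key=value" format).
SAMPLE_LOGS = """\
2021-02-05T08:01:10 user=plantops src=10.0.5.21 result=success
2021-02-05T08:03:42 user=plantops src=10.0.5.34 result=success
2021-02-05T08:05:07 user=plantops src=198.51.100.7 result=success
2021-02-05T08:09:55 user=plantops src=10.0.5.21 result=success
2021-02-05T09:10:00 user=jsmith src=10.0.5.40 result=success
2021-02-05T09:12:30 user=jsmith src=10.0.5.40 result=success
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def shared_credential_alerts(log_text, window=timedelta(minutes=15), max_sources=1):
    """Return {user: sorted source list} for every account whose successful
    logins came from more than max_sources distinct addresses within any
    window-sized span. One person normally logs in from one machine at a
    time; several addresses in quick succession suggests a shared password."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("result") == "success":
            by_user[rec["user"]].append((rec["ts"], rec["src"]))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            srcs = {src for t, src in events[i:] if t - start <= window}
            if len(srcs) > max_sources:
                alerts[user] = sorted(srcs)
                break
    return alerts


if __name__ == "__main__":
    for user, srcs in shared_credential_alerts(SAMPLE_LOGS).items():
        print(f"possible shared credential: {user} from {', '.join(srcs)}")
```

The threshold and window are deliberately simple; a real deployment would tune them per role and treat an external address such as the third line as a separate, higher-severity signal.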

The upshot is that organizations must learn to better address employee cyber behavior so that it effectively complements security-based technology. Neither is a magic bullet en route to cybersecurity success. Work on each front must be ongoing and must regularly evolve to safeguard data as much as possible in today’s treacherous cyber world.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
