Humans are the Weakest Link

Humans are the weakest link in information security. Giving someone access to information systems involves an element of trust. Watch this video about how people, not machines, are the biggest concern in cybersecurity. Then, read this article, which describes how humans are the last line of defense for an organization. How can people, either intentionally or unintentionally, expose their organizations to risk?

The cybersecurity threat landscape is becoming more complex and more threatening, even as new defensive technologies emerge and cyber regulations tighten. Against this backdrop, where 57% of businesses now assume their IT security will be compromised at some point, businesses are also waking up to the fact that one of the biggest chinks in their armor against cyberattack is their own employees.

More than 90% of cybersecurity issues originate from human error within the organization, not from outside it. In fact, 52% of businesses admit that employees are their biggest weakness in IT security, with careless actions putting the business IT security strategy at risk. They worry most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing the company to risk (46%) and the use of inappropriate IT resources by employees (44%). 

In the recent WannaCry ransomware epidemic, the human factor played a major role in making businesses worldwide vulnerable. Two months after Microsoft had released an update patching the disclosed vulnerabilities, many companies around the world still had not updated their systems. Several cases followed in which non-IT personnel were the weakest link: for example, employees with local administrator rights disabled the security solutions on their computers and let the infection spread from their machine onto the entire corporate network, according to Kaspersky. 

Human error on the part of staff is not the only 'attack vector' that businesses are falling victim to. In the last year internal staff have also caused security issues through malicious actions of their own, with 30% of security events in the last 12 months reportedly involving staff working against their own employers. 

While employees can pose a risk to companies, they also have an important role to play in helping protect the companies they work for. When a security incident happens at a business, it's important that employees are on hand to either spot the breach or mitigate the risk. However, employees don't always take action when their company is hit by a security incident. In fact, in 40% of businesses around the world, employees hide an incident when it happens. 

Humans are the weakest link 

The 'hacking-the-human' or social engineering trend is based on criminals realising that it is increasingly difficult to break through sophisticated security technology, whereas it is comparatively simple to trick an unsuspecting person into opening a potentially malicious attachment, clicking on a link or parting with sensitive information. 

According to security software company Trend Micro, a staggering 91% of successful breaches started with attacks focused on the weakest link in the security chain: people. Even more alarming, insider threats can take years to discover because they are so hard to detect, and many of them derive from a lack of cyber literacy. 

Humans are often blamed for being the weakest link in the cybersecurity chain, and without the right level of awareness and training this is certainly the case. 88% of the data breaches reported to the UK Information Commissioner's Office in 2018 were based on human error. 

Staff may make mistakes that put their company's data or systems at risk, either because they are careless and accidentally slip up, or because they have not received the training that would teach them how to behave appropriately and protect the business they work for. 

Careless or uninformed staff, for example, are the second most likely cause of a serious security breach, second only to malware. In addition, in 46% of cybersecurity incidents in the last year, careless or uninformed staff contributed to the attack. 

People-centred cyber security 

The first step is recognising that although technology should prevent the majority of attacks, it is only one layer of the defence and people make up an important pillar of the overall security program, said Anna Collard. 

The first requirement is a strict security policy. Kaspersky found that concerns about the inappropriate use of IT by employees vary considerably according to company size, with very small businesses (1–49 employees) feeling more at risk from this threat than enterprises with more than 1000 staff. This could be due to a number of factors, including enterprises having stricter policies in place and more thorough training for staff on best practice. In addition, very small businesses possibly give employees a greater degree of flexibility in how they use business IT resources. 

It's simply not enough to have an IT security policy in place. A policy alone will not protect a business from threats, partly because IT security policies are not always followed by the staff they are designed for, and partly because they cannot cover every possible risk. 

In fact, Kaspersky research shows that an astounding 44% of companies say that employees do not follow IT security policies properly. What's even more concerning is that even though two-fifths of businesses admit that employees do not follow their security policies, businesses are doing little to solve the problem themselves, with only a quarter (26%) planning to enforce their IT security policies among staff. 

People-centred security starts with understanding the risks related to humans' interaction with technology and data, and understanding where psychological triggers may lead to security incidents. Security awareness shouldn't be seen as an IT problem; it should be run as a continuous culture change and communications program, combining education through engaging, bite-sized content and creative messaging with inoculating users by running frequent and highly realistic simulated phishing tests. Why is cultivating a culture of security important for businesses? When all else fails, humans are the last line of defence. Effective security awareness programs can shape behaviour so that security alertness becomes second nature, and people can become our strongest security assets. 

If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict but unclear rules and impose extra responsibility on employees, warning them not to do this or that or they will be held responsible if something goes wrong. Such policies only foster fear, and leave employees with just one option: to avoid punishment whatever it takes. 

Apart from improving the organisation's risk posture, we owe it to our employees and co-workers to educate them and make them aware of the danger of cyber threats to their personal lives and that of their family. 

Delivering training to staff is the second most popular method of defense for businesses, second only to the deployment of more sophisticated software and closely followed by increasing the number of internal IT or IT security staff. 

The Importance of Cyber Literacy and Cyber training 

Training personnel and bringing more dedicated staff on board to help enforce security policies is a logical answer to the problem of employee carelessness. And it's the answer that businesses across the globe are looking to implement. 

Most breaches and data exposures stem from human error or, sometimes, intentional misconduct. It is not unusual for employees to put their organization at risk out of boredom or spite, or by falling for a phishing scam run by hackers. However, most incidents are caused simply by human error. 

Without creating awareness and providing a deeper understanding of best practice through cyber literacy, any threat mitigation tool or firewall is rendered useless, because the threats are coming from your own people. 

"Our advice to end-users is to watch out for anything that seems slightly out of the ordinary or is triggering an emotion (either positive or negative). Avoid links and attachments you are not 100% certain of", said Anna Collard. Even if the message looks like it is coming from inside the organization, if there is the slightest doubt about the tone of the message or the type of request, verify with the sender out of band. 

Staff training is essential in raising awareness among personnel and motivating them to pay attention to cyberthreats and countermeasures, even if these are not part of their specific job responsibilities. Installing updates, ensuring that anti-malware protection is on, and managing personal passwords properly shouldn't always be at the bottom of an employee's to-do list. 

No one likes a boring job. Investing in the cyber literacy of your team not only shows employees that they are appreciated, but also that their professional development needs are seen and met. Any additional training that exposes your employees to other areas of content is an investment in employee retention and in your company's success. 

Let's think about another scenario: reducing insider threats through strict security policies. This includes random computer checkups or monitoring of employees' online activity, which, unsurprisingly, can backfire by decreasing employee satisfaction and productivity. Instead, organizations can and should invest in educating their entire workforce on security threats and best practices. 

Security awareness is a little like flossing: it needs to be done on an ongoing basis, and it must keep users up to date with the latest threats. Luckily, there are ways of automating and simplifying much of the process. 

"At Kaspersky Lab, we know that the best way of protecting a business from cyberthreats is a combination of the right tools and practices. In addition to awareness training for staff, protection should include security solutions that make the corporate network more visible and manageable for IT security teams".

Most of the threats related to unaware or careless employees, including spam, phishing and ransomware, can be addressed with endpoint security solutions. There are tailored products that cover the particular needs of SMB and enterprise-level companies in terms of functionality, pre-configured protection or advanced security settings. 

Source: Rajesh Uppa,
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License.

Last modified: Thursday, April 15, 2021, 2:37 PM