It often feels like no matter how advanced IT security systems
have become over the years, the barrage of cyberattacks
continues relentlessly. An often-cited reason for this is that hackers aren’t resting on
their laurels. They are constantly looking for ways to get around the newest
technical defenses. However, the main reason cyberattacks continue to grow is
that humans — the people you work with — remain the biggest cybersecurity risk
factor. Look at the major attacks of recent years and their success can usually be
traced to the actions of an employee, contractor, or vendor. There are a number
of reasons why human cybersecurity risk is the weak link in IT security.
You can fool humans more easily than systems
If an application requires you to provide a
valid user ID and password in order to sign in successfully, it’s going to be
pretty difficult to get around that control. You’ll need deep technical
knowledge to circumvent this defense. Yet you cannot say the same about
humans.
For example, an attacker could use pharming or
phishing to deceive an employee into sharing their user ID and password. They
could create a believable pretext such as a system maintenance issue that
requires employees to provide their login credentials for manual
authentication. The attacker need only gain the employee’s trust and they can
persuade them to share such sensitive information.
Humans aren’t always predictable
Systems are built on algorithms. These are
rules that determine what action or response the application will take when
it’s provided with certain inputs. In that sense, systems are predictable
except in the relatively rare instance where an unforeseen or unresolved bug
exists. On the other hand, human behavior isn’t always predictable.
Even when an organization has clearly defined
procedures, there’s no guarantee that an employee will follow the rules in the
same way each time. In addition, just because an employee has adhered to
ethical behavior in the past doesn’t mean they’ll do so in the future. Good workers
can go rogue. This inconsistency creates a loophole that a malicious third
party can easily exploit.
You can incentivize humans to bend the rules
Systems are rigid and only respond to the inputs
they are given. There’s talk of artificial intelligence and machine learning one day giving
systems a dynamism that mirrors human intelligence. But even then, it will
still be necessary to hard-code certain rules into AI/ML systems that they cannot
deviate from. Humans, by contrast, respond to stimuli, including monetary and
non-monetary incentives.
So a hacker could offer a member of staff a
sizable financial reward if the employee would be willing to extract and share
confidential information from the organization they work for. A worker in
financial distress could easily succumb to this temptation.
Humans suffer fatigue
Robots have rapidly taken up much of the
automobile manufacturing process. They do not need breaks or sleep like human
workers do since they do not become tired from work. All they need is scheduled
maintenance and they will work like clockwork 24 hours a day, 7 days a week.
Humans, though, do suffer fatigue.
If you are a customer service representative
who has to work through 150 or 200 phone calls every day, your alertness and
mental fortitude at the start of your day is certainly not the same as your
state in the last hour of the day. Fatigue inevitably sets in and with that
comes a loss of concentration and a heightened risk of error.
In fact, many fraudsters know this and will
call in the last half hour or so when they know employees are looking forward
to leaving work. It’s at this time that workers are most likely to
inadvertently disclose sensitive data.
Humans make mistakes
Policies and procedures are meant to provide a
baseline that guides employee behavior within an organization. But humans are
innately error-prone. Plenty of cyberattacks that rode on the human
cybersecurity risk factor were successful not because an employee or vendor
deliberately wanted to break the rules. Instead, they exploited human error.
A classic example is an employee who forgets
to log out of the company network when they leave their workstation at the end
of the day. An office cleaner, a rogue coworker, a remote attacker, or someone
else with malicious intent could easily use that opportunity to access and
extract valuable information.
Humans forget
When an organization first hires and briefs
newly recruited workers on what their role is, they’ll usually share a copy of
the procedure documents the new staff must follow when discharging their
duties. In the first couple of weeks and months of work, they’ll religiously
refer to these documents whenever they need to do anything.
Over time, though, as they get comfortable
with their mastery of the process, they’ll refer less and less to this
documentation. This is where forgetting a step or two could wreak havoc on the
company’s cybersecurity. A member of staff might, for example, forget to encrypt
a sensitive document before emailing it to a client, thereby creating an
opportunity for an attacker to intercept the data.
Humans love shortcuts
The world has progressed because humans have
over millennia continuously sought ways of doing things faster and with less
physical effort. Think about any major invention in human history and you can
see a quest to improve efficiency. Unfortunately, this longing for convenience
and comfort can also have negative consequences.
For example, an employee must never write down
a password or create one that is easy to guess. Despite this, people still
write down their passwords and leave the paper somewhere within reach of
passersby. Employees will also choose easy-to-crack passwords such as 12345, password101, or password123. These shortcuts create control gaps
that a malicious third party could easily take advantage of.
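Technical controls can close the gap that this shortcut opens, by refusing the kinds of password the article lists before they are ever set. The following is an added example, not code from the original article: a small policy check that rejects sequential digit strings, denylisted passwords, and a common word padded with digits or symbols. The denylist and base-word set are constructed for illustration; a real deployment would use a much larger breached-password list.

```python
import re

# Constructed denylist of "shortcut" passwords; the first three are the ones the article names.
COMMON_PASSWORDS = {"12345", "password101", "password123", "qwerty", "letmein"}
# Constructed set of base words that people pad with a year or a digit or two.
COMMON_BASE_WORDS = {"password", "welcome", "admin", "qwerty", "letmein"}
MIN_LENGTH = 12


def is_sequential_digits(pw: str) -> bool:
    """True for all-digit runs that step by exactly +1 or -1, e.g. 12345 or 98765."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if is_sequential_digits(pw):
        problems.append("sequential digits")
    # A dictionary word followed only by digits/symbols, e.g. password101 or Welcome2024!
    m = re.fullmatch(r"([a-z]+)[\d!@#$%^&*]*", lowered)
    if m and m.group(1) in COMMON_BASE_WORDS:
        problems.append("common word with a numeric or symbol suffix")
    if len(set(lowered)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["12345", "password101", "Welcome2024!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The check runs at password-set time, so the employee sees why the shortcut was refused instead of silently ending up with a guessable credential.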
Control the human cybersecurity risk factor
Ultimately, your biggest defense against the
human cybersecurity risk is employee training and awareness. Knowledge will help
your workers have a greater appreciation of their role in keeping the
organization’s systems and data safe from unauthorized access and use. It
ingrains security consciousness in their everyday work routine.