
20 Sep The weakest link in any organisation’s cybersecurity chain is employees.
The weakest link in any organisation’s cyber security chain
Running a simple Google search on the topic returns ‘employees’ or ‘humans’ as the weakest link in any organisation’s cyber security chain.
The COVID-19 pandemic simply made things worse
The workplace changed (most probably) forever after the coronavirus pandemic, with the new normal seeing arrangements such as work from home and hybrid as the order of the day. Although deemed by many as a comfortable working environment, it definitely comes with its own set of issues. Simple questions such as ‘is your home internet connection secure?’, ‘ is your device used by others (even say by your kids)?’ need straight answers, which would need policy updating and enforcing.
At home employees are still accessing and processing sensitive data and are transferring and storing important working files. The vast majority of companies have implemented security protocols along the years, but don’t realise that the biggest threats come from within. Statistics show that the absolute majority of security breaches are pinned on humans – human error or malicious actions.
Employees are most often at fault. Lack of know-how, an ‘anything goes’ organisational culture and overarching lack of proactive approach vis-a-vis cyber security are the most common reasons for human error which pave the way for security (including data) breaches.
Attackers use sophisticated methods and are aware that humans are the weakest link inside organisations. They target from front-line employees to CEOs and anyone in between. Publicly available data is obtained from public platforms such as LinkedIn. Such data helps attackers personalise attacks to make them as realistic as possible. If an employee is not sufficiently trained and educated in cyber security, they can very possibly fall victim to phishing attempts. Humans are the favourite touchpoint of malicious actors – thus the 95% security breaches blamed on human error.
It is useless for organisations to invest heavily in VPNs, encryption, antivirus and spam filters when they are failing to invest in their people. One has to find a fine line between overwhelming employees with a bombardment of information and leaving info and education scarce. Think before you click and zero trust approaches need to be instilled in workforces – realising that clicking on a link can endanger the organisation, its data, its people, its systems and its business continuity is of utmost importance.
Cyber awareness training is not a ‘once during induction training session’ – it is a regular exercise, since new threats are hitting industries all the time globally. Business leaders and management should start seeing employees as powerful security assets, as shields, rather than risks. Awareness and creativity needs to be nurtured rather than retaliation as a modus operandi. Ultimately it is less painful and less costly.
Focus on People, Processes and Technology
To protect an organisation and its digital assets, cyber security professionals always focus on three core pillars, that is: people, processes and technology. Technology can be flawed and can be programmed with holes, or vulnerabilities can develop when new versions are rolled out or new integrations and interfaces are developed. Fixes and vulnerability patches are to be implemented as soon as they are rolled out by technology providers. Through the use of the latest emerging technologies such as artificial intelligence, algorithms are able to discover vulnerabilities in automated fashion.
Processes and procedures are sets of steps that are followed repeatedly for a consistent outcome. Processes do break and require regular reviewing to ensure they are tight. Thirdly people – this is the most complex pillar of the three. People decide and think by themselves – some decisions are good others are simply bad. People are error prone. People are unpredictable. When patterns of the same mistake are seen to be done repeatedly, then procedures and measures can be enforced to avoid or to lower the number of times the error is committed.
Education is key. Knowledge of what can go wrong, what breaches can lead to, what ways and means are utilised by hackers to exploit weaknesses and what to do in case of attack, is vital. HR departments and/or CISOs can also make use of funding schemes to part-finance such training initiatives.
Absorbing and applying cyber security awareness training is as of late being described as cybersecurity IQ. Giants such as Mastercard have even introduced initiatives to keep tabs on who clicks on phishing links simulations. Mastercard calls this initiative SecurIT and its scope is not to point fingers but to organise remedial training accordingly. It helps management understand human risks linked to cyber security.
Common Human Errors
The most common human errors that lead to security breaches include the use of weak passwords, such as repeating the login name (as the password) or using a number sequence like ‘12345678’; using the same credentials in multiple places; weak authentication, normally not MFA and misconfigurations including cloud based ones. Threat actors use the following three types of attacks mostly to exploit human errors: social engineering attacks, dictionary attacks trying to guess weak passwords and malware and ransomware attacks.
Organise cyber awareness training for your employees today. Request a quote. Get in touch.