There is no end to the news announcements from around the world that yet another organisation has been subject to a data breach or some form of cyberattack which has resulted in the loss of sensitive data, intellectual property and/or money. And that is before one takes into account the seemingly endless stream of ransomware attacks.
Most people seem to think cyber breaches of this type are the result of some highly technical hacking endeavours by criminals in basements with nothing else to do with their time. While these types of breaches do occur, for most organisations the biggest threat is the human factor. Someone clicks on an attachment or a link that compromises the security of their entire network, or someone shares login credentials for the sake of convenience, etc. And then there are those who have malicious intent and actively work to allow criminals into their employer’s network in the hopes of getting a payday from the criminal proceeds.
The number of products and services available today that are designed to protect against cyber breaches is almost innumerable. But, as the cliché states, the more advanced the protection technologies become, the more advanced the criminals’ attack methodologies become.
Of course, this ongoing battle is only one aspect of the war. The human factor has become the easiest and most profitable way for criminals to achieve their goals.
As Anna Collard, senior vice president of content strategy and evangelist at KnowBe4 Africa notes, “in May 2020, the personal records of more than 24 million South Africans and nearly 794 000 companies were handed over to someone impersonating a client. The personal records, identity numbers and addresses of millions of people and thousands of businesses were given to this person because they had fooled the system.”
This was not a hack, but a foolish and preventable mistake. Adds Collard: “It’s a hard lesson in how important it is to embed security not just into the technology and the devices of a company, but into its people. Security is not just the responsibility of IT; it is the responsibility of every single person in an organisation.
“It is critical that organisations create a culture of security in order to combat this increasingly hostile security environment. A successful security culture is driven by leadership, the human resources (HR) department, internal marketing and communication, and ongoing security training. Truly agile and capable security is a people project, not a technology one.”
Chris Ogden, CEO of RubiBlue, echoes this sentiment. “Everyone in the business needs to be accountable for security concerns. Constant engagement and communication with them is critical to ensuring this is executed effectively.”
The three pillars of cyber risk and security
Edison Mazibuko, technical director, DRS, adds that there is no doubt that the cybersecurity of many organisations would be in a much better state if there were no humans involved. “However, we do live in a real world where companies consist of people, processes, and technologies. The balance between these three components is what drives businesses to achieve greater efficiencies.
“Technology and processes can always be improved and fine-tuned. The people component is complicated and more involved. We must not make the mistake of thinking security awareness refers only to users not clicking on suspicious email links or preventing tailgating into your building. The human component selects and purchases the technologies, defining the very processes and procedures to be followed in the company. Consider the fact that each human is unique with different mental models. These individuals decide how to respond to events and are faced with hundreds of decisions daily.”
As a solution, Mazibuko advises taking a page out of the advertising industry’s book: advertisers know that repetition is one way to embed their message into your subconscious, which leads to automatic brand recognition and product purchases. In similar fashion, security awareness needs to be continuous and not done once a year.
“Consider human nature when designing controls and processes,” he adds. “It comes as no surprise that humans are more likely to do the easy thing than the right thing. Strive for action instead of people memorising facts they will not use – this can make a difference between getting breached or not.”
One example Mazibuko provides: instead of telling people they must not use their dog’s name for a password, teach them how to form strong passphrases, rather than leaving them with easy-to-forget passwords that end up on sticky notes anyway. Where possible, he says, multi-factor authentication should be implemented for stronger security.
Expanding on the above, Henk Olivier, MD of Ozone Information Technology Distribution, adds three factors that should be considered when it comes to people and cybersecurity.
1. One of the first factors is a lack of knowledge and education on the risks. Olivier says companies do try to educate users on potential risks that not all software tools eliminate, for example phishing emails and websites, weak passwords and more. These are basic educational factors that can make a big difference in a company’s cybersecurity posture and organisations must have a cybersecurity policy around the usage of company IT equipment.
2. The software used on a computer can be a big factor when it comes to the risk of a cyberattack, malware infections or ransomware attacks. Companies need to ensure that the software used receives constant security patches and updates.
3. Most employees have a work device that they take home and that gets used by their children or partners from time to time, and most of the computers get used to access other email accounts via a web browser. That can present significant risk.
These are by no means the only risk factors to consider, but are some of the common risks that are ignored and can lead to unpleasant consequences.
Remain people centric
Despite the view many have that cybersecurity is a ‘techie’ thing, effective protection must be part of every employee’s daily processes. Overall, developing a people-centric culture is critical to cybersecurity and even the technology industry as a whole, as advances seem to outstrip understanding.
This is why HR has to be involved with security, notes Collard. “It is fundamental to changing behaviour within the organisation and helping to build a culture that recognises the importance and value of security. It is, of course, also the disciplinary arm that enforces policy and that ensures there are consequences when people continue to break the rules or fall for phishing scams or perpetually do the wrong things.”
She adds that with data protection regulations such as South Africa’s Protection of Personal Information Act (POPIA) in full effect, the cost of an avoidable mistake can result in hefty fines or even imprisonment for the directors of the company. A mistake can be as simple as someone clicking on a phishing email, falling for a social engineering call or unleashing a ransomware virus because they didn’t recognise the risk.
“This is where good communication becomes as essential as good technology,” states Collard.
Creating good cyber-hygiene
Renee Tarun, deputy chief information security officer (CISO)/vice president of information security at Fortinet, describes the best form of defence – education, awareness and potential repercussions – as cyber-hygiene. She offers three steps to establishing good cyber-hygiene:
1. Prioritise cyber-awareness training: In addition to teaching about common indicators of cyber scams (i.e., the promotion of ‘free’ deals), these training offerings should also feature simulated phishing exercises designed to test knowledge and determine which employees might need more assistance.
2. Create a partnership between the security team and other departments: When employees know what is expected and feel like they are a part of the team, they are more encouraged to follow best practices and help chip away at the behaviours that cause accidental insider issues, such as forgetting to change default passwords or neglecting to use strong passwords or other strong authentication mechanisms like multi-factor authentication and mobile application tokens.
3. Establish straightforward best practices: Even once employees are made aware of what to look for in the case of a social engineering attack, they may still need some guidance when it comes to next steps. While it is easy to ignore or delete a suspicious-looking email, what about those that appear normal that the receiver is still unsure about? In this scenario, CISOs should encourage employees to ask themselves certain questions to help make the right judgment call: Do I know the sender? Was I expecting this email? Is this email invoking a strong emotion like excitement or fear? Am I being told to act with urgency?
Everyone wishes there were a silver bullet that could secure their systems from cyber risks, but in the age of the Internet this is not an option. Apart from technical solutions, employers need to develop processes to educate their staff, create ongoing awareness and assist them in identifying and dealing with anything they perceive as a risk – even if it means calling the IT department and being on the receiving end of eye-rolls and exasperated sighs.
“Success will depend entirely on the level of stakeholder buy-in, the depth of the training and a commitment to ensuring that the training is ongoing and measurable,” concludes Collard. “Security training has to be iterated and repeated constantly to ensure that people are always kept aware of its importance and any changes in attack vector or threat. Only by keeping security top of mind, all the time, can an organisation truly embed a culture that’s capable of staying secure and alert.”
© Technews Publishing (Pty) Ltd. | All Rights Reserved.