Humans: Perhaps The Most Dangerous Element of CyberSecurity
Think about how much technology has improved in the last decade, 50 years, or even century. It is startling. Items that were science fiction just a few years ago seem like outdated, obsolete technology today.
Yet, during this period of great technological advancement, the human brain has not changed: it remains essentially identical today to the way it was several thousand years ago. This human-technology gap does not go unnoticed by criminals. Because cybersecurity technologies are strengthening rapidly, parties trying to breach information systems increasingly seek, whenever possible, to exploit human weaknesses rather than carry out strictly technological attacks.
On both a personal and professional level, therefore, it is essential for people to understand the human element of cybersecurity.
Of course, there are risks to information security from hostile external actors – and I have written well over a hundred articles on related topics.
But another area that requires focus is internal threats, which are often far more dangerous. First, there are employees gone rogue. If you work for a large enterprise or governmental organization, it is a statistical near certainty that some people in the organization are unhappy and may seek to harm their employer's technology infrastructure. To combat such risks, it is important to implement policies and procedures that reduce the opportunity for people to attack the organization and that increase the likelihood that anyone who does so will get caught. If people know that an attack is unlikely to succeed, and that they are likely to be caught, they will be discouraged from trying. Some techniques to deliver such security were discussed in my prior piece, 10 Pointers to Prevent a Data Breach, including ensuring that every user has his or her own credentials for any sensitive system used at work (so that actions can be attributed to an individual), running security software on every computer and device that houses sensitive information or can access such data, and ensuring that people do not have access to sensitive data and systems they do not need in order to do their jobs. (Obviously, performing background checks when hiring, and holding periodic conversations with employees about how they feel at work, can also be of value.)
But another aspect of human-originated information security risk is not so simple to address: human mistakes. Most major breaches of recent years, for example, have involved some element of social engineering, with criminals tricking employees into performing some action that helps the crooks and harms the victim's employer. Furthermore, employees inadvertently oversharing information on social media has helped criminals craft especially effective spear phishing emails and other social engineering campaigns. Additionally, few if any people fully comprehend every element of the increasingly complex infrastructure of today's enterprises, so configuration errors, some of which introduce vulnerabilities, can become serious issues.
It is obvious, therefore, that information security training, even for non-technical workers, is essential for protecting organizational data and systems. Training should focus on what employees actually need to know; resist the urge to over-train, because overwhelming people with too much information leads them to forget the things that are most important to remember. Also, never rely on training alone to prevent a problem: always look for technology that can help enforce policies and procedures, or warn people when they may be about to make a mistake. Examples range from Data Loss Prevention (DLP) systems that block emails from leaving an organization when they appear to contain inadvertently (or intentionally) attached sensitive material, to real-time alerts when a user makes a problematic social media post after drinking on a Friday night, to anti-phishing filters and phishing-simulation exercises, to systems that warn about potential regulatory compliance violations of all sorts, to systems that scan configurations for anomalies. Technology that addresses human risk should be an integral part of every organization's information security strategy.
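To make the DLP idea concrete, here is an added example (not code from the original post or from any product it mentions) of the core check such a system performs on outbound mail: it inspects the body and text attachments of a message for Luhn-valid payment card numbers and for classification markers, and returns a verdict of allow, warn or block. The internal domain (example.com), the marker words, and the sample message are all assumptions constructed for the example; a real deployment would also need extractors for binary attachment types.

```python
"""Minimal outbound-mail DLP check (illustrative, not a product's code).

Policy: mail that leaves the organization is blocked if it carries a
Luhn-valid card number and flagged for review if it carries a
classification marker. Purely internal mail is allowed through.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

# 13-19 digits, optionally separated by spaces or dashes (assumed card format).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Assumed classification markers used by the hypothetical organization.
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_message(msg: EmailMessage, internal_domain: str) -> dict:
    """Inspect an outbound message and decide whether it may leave."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in addrs if not a.lower().endswith("@" + internal_domain.lower())]
    if not external:
        return {"action": "allow", "external_recipients": [], "findings": []}

    findings = []
    for part in msg.walk():
        # Only text parts are inspected here; binary attachments would need
        # a format-specific extractor (PDF, spreadsheets, archives, ...).
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        where = part.get_filename() or "body"
        for card in find_card_numbers(text):
            masked = card[:6] + "*" * (len(card) - 10) + card[-4:]  # never log the full PAN
            findings.append((where, "card_number", masked))
        for m in MARKER_RE.finditer(text):
            findings.append((where, "classification_marker", m.group().upper()))

    if any(kind == "card_number" for _, kind, _ in findings):
        action = "block"
    elif findings:
        action = "warn"
    else:
        action = "allow"
    return {"action": action, "external_recipients": external, "findings": findings}


def build_sample(to: str = "partner@vendor.example") -> EmailMessage:
    """Constructed sample message: a body with a marker and a CSV with one real-looking card."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = to
    msg["Cc"] = "bob@example.com"
    msg["Subject"] = "Q3 numbers"
    msg.set_content("Hi, attaching the sheet we discussed. Please keep INTERNAL ONLY.")
    # 4111 1111 1111 1111 passes Luhn; ...1112 does not and must be ignored.
    msg.add_attachment(
        "name,card\nA. Smith,4111 1111 1111 1111\nB. Jones,4111 1111 1111 1112\n",
        filename="customers.csv",
    )
    return msg


if __name__ == "__main__":
    verdict = scan_message(build_sample(), "example.com")
    print(verdict["action"], verdict["findings"])
```

The Luhn step is what keeps a check like this usable: without it, every order number, phone number or invoice reference with enough digits would trigger a block and users would learn to ignore the system, which is exactly the over-warning failure the training advice above cautions against.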
This post was sponsored by Microsoft Office, which, as part of its Modern Workplace series, is offering a free webcast entitled “Cyber Security: The Human Element” on March 7th at 8 AM Pacific. To learn more, please sign up here