Cybersecurity experienced multiple challenges in 2020. Rapid digitalization and the new normal — work from home — brought new opportunities as well as risks. Cybercrime is maturing, and hackers are capitalizing on the pandemic by compromising health care institutions working on developing the COVID-19 vaccine. And though ransomware and phishing emails are considered some of the major threat vectors disrupting cyberspace, human error is still the primary reason for major cybersecurity breaches.
By Pooja Tikekar, Feature Writer, CISO MAG
According to the World Economic Forum’s “Global Risks Report 2020,” cyberattacks rank first among global human-caused risks. Let’s accept it: to err is human. However, human error in cybersecurity is often disregarded. So, what can be done to improve and strengthen an organization’s cybersecurity posture? The only way out is to address employees’ cyber behavior and psychology, to prevent mistakes before they turn into data breaches or financial losses.
THE RED FLAGS
The recurring human error that has wreaked havoc is the use of guessable passwords. “Password,” “123456,” and “Hello123” are among the most commonly used passwords and have been at the root of many brute-force compromises. Users also fail to change default passwords such as “admin.”
Lack of understanding could lead to the mishandling of sensitive data or security information. Employees also accidentally send emails to the wrong recipients or share critical data through unsecured servers.
Delay in Updates or Patch Management
When software developers discover a vulnerability, they send patches out to all end users. However, delaying the installation of those updates or patches can have dire security consequences.
Downloading Attachments from External Sources
One of the easiest ways to phish users is via malicious email attachments. These emails often contain poor grammar or illogical sentence structures, and the sender’s identity may not match the stated purpose of the email.
While addressing the red flags, it is important to understand that data leaks are often the result of inaction or unintentional actions by employees or users. Sure, the cost of a data breach caused by human error is low compared to the cost of one caused by a threat actor; however, employee negligence cannot be overlooked.
Recently, Vertafore, a provider of insurance software, disclosed that an unknown threat actor group illicitly accessed the personal information of 27.7 million Texas-based drivers who use Vertafore’s services. Vertafore admitted that the breach was caused by human error: three data files were inadvertently stored in an unsecured storage unit. In September 2018, the Information Commissioner’s Office (ICO) fined Equifax £500,000 ($660,000) for failing to protect the personal and financial data of customers. The ICO, which carried out the investigation, stated that the U.S. Department of Homeland Security had warned Equifax about the vulnerabilities in its systems in 2017. However, Equifax failed to implement the required measures to fix them.
Cybersecurity Skills Gap
The cybersecurity skills gap has been a perennial issue, and it is reflected in how well-staffed and well-equipped an organization’s security function is. According to a survey by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), the cybersecurity skills crisis has worsened for the fourth year in a row and impacted 70% of organizations. This implies that businesses need a holistic approach towards continuous cybersecurity education, training, and career development. The pandemic has been a dominant force throughout the year, and employers need to offer hands-on experience or security certifications to ensure proficiency and bridge the skills gap.
Traditional, once-a-year security training no longer solves the problem. Training plans need to incorporate the real-life cyberthreats an organization is likely to face. These programs should end with an exam or an exercise, which in turn helps employers identify the weaknesses of employees who need further assistance. And the training should continue throughout the year with periodic assessments, to ensure that trainees stay abreast of the latest developments.
Towards a Human Firewall
- Set up strict compliance guidelines on how to manage emails that come from external recipients. One of the most effective ways is by adding a warning message to incoming emails from external domains.
- Disable or block automatic email forwarding to help control the potential disclosure of information to those outside the organization.
- Encourage multi-factor authentication (MFA).
- Give credit to employees who catch phishing emails and acknowledge the catch. Keep it human.
- Educate employees about social engineering tricks using live demonstrations.
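One way to put the first two controls above (the external-sender warning and the block on automatic forwarding) into practice in Exchange Online, as an added example that is not from the article. It assumes the ExchangeOnlineManagement PowerShell module and an admin account; the rule name, banner text and account are placeholders.

```powershell
# Added example (not from the article): Exchange Online settings for the
# external-mail warning and the auto-forwarding block, plus an audit of
# forwarding that already exists. Assumes the ExchangeOnlineManagement
# module; the account, rule name and banner text are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

# 1. Tag and banner every message that arrives from outside the organization,
#    so users get a visible cue before acting on an attachment or link.
New-TransportRule -Name "External sender warning" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#9F0000"><b>CAUTION:</b> This email originated outside the organization. Do not open attachments or click links unless you recognize the sender.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Block automatic forwarding to external domains at two layers:
#    the default remote domain and the outbound spam filter policy.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Audit: the settings above stop new forwards but do not remove existing
#    mailbox-level forwarding or user-created inbox rules, so list those.
$allMailboxes = Get-Mailbox -ResultSize Unlimited

$forwardingMailboxes = $allMailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress

$forwardingRules = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

$forwardingMailboxes | Format-Table -AutoSize
$forwardingRules     | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Review the audit output with the mailbox owners before removing a rule, since some forwards (for example to a shared mailbox inside the tenant) are legitimate.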
Humans don’t have to be the weakest link. While building a cyber-aware culture, it is essential to eliminate the opportunities that lead to human error. Businesses need to drop the “one-size-fits-all” policy and start acknowledging and incentivizing positive behavioral change in employees who put security first.
There is no denying that technology and human components go hand in hand in mitigating threats. Integrating the human touch with automation will help create an ecosystem for responding to cyber risks. And though the hype around artificial intelligence and machine learning may drive the misconception that cyberspace is dominated by machines, the human firewall will always be central to security, and the first line of defense.
About the Author
Pooja Tikekar is a Feature Writer and part of the editorial team at CISO MAG. She writes news reports and feature articles on cybersecurity technologies and trends.