CYE Insights

Protect Me from Myself: The Human Factor in IT Security

October 25, 2020

Protect Me from Myself: The Human Factor in IT Security

Earlier this year, a CEO at a top European company was sitting in his backyard, writing a work email on his laptop. When he finished, he gave the laptop to his son who sometimes uses it for his browser-based games. During one of the games, an unwelcome window popped up, and shortly after, malware-infected the laptop, granting malicious actor access to the CEO’s private email, keystroke logging, webcam, and more. This scenario is common and holds the potential to put global businesses at risk.

Cyber-security and human nature: polar opposites

People are as simple as they are complex, and even with the most sophisticated cybersecurity solution in place, more than one-fifth of all security breaches can be traced back to reckless or unintentional human behavior. This includes downloading a malicious file or following a link, using weak or previously used passwords, a security misconfiguration, and the list goes on.

Effective cybersecurity requires constant and mindful attention, multistep processes, and time. However, people love shortcuts and rarely think a negative event like a cyberattack could happen to them. This fact makes them a prime target for manipulation, by hackers determined to get into the organization’s network.

22% of breaches in 2019 were supported by human errors

(Verizon)

No business is immune from the risk of the human factor. During a recent cyber-security assessment, CYE sent a phishing email to a client, a highly-skilled cyber-security company, and found that 10%-13% of the company’s 1000 employees had clicked on the link when one was all it took. While there are infinite ways to trick people, the tactic that seems to enjoy the greatest success rate is the use of personal information that relates to basic human desires such as status, money, and sex.

“Phishing emails with titles like “bonuses” or “salaries” get the highest click rates. I remember a particular engagement where an employee ran the malware on 3 different workstations in attempt to view the fake bonus data we had sent.”

– Red Team Leader, CYE

in 2020, the increased remote work triggered by Covid-19 has led to dramatic growth in security breaches. Security is harder to enforce at people’s homes, and home Wi-Fi networks are much harder for organizations to control. Family members living under the same roof, as well as visiting guests, are new threat sources that need to be taken into account. Any device on the home Wi-Fi network can be used to attack and any visitor can be a threat.

3 steps to protecting against the human factor

Investing in the best technologies and products will automate and speed up your security operations, but without a strategic security program in place that includes employee awareness and education, the technology can only take you so far.

1. Make awareness training an integral part of your security program

In a recent phishing engagement carried out by CYE against a US-based bank, nearly 40% of the employees clicked on the URL that was sent to them. After the employees participated in an awareness session with CYE’s experts, their click rates in a later surprise phishing campaign dropped to 0%. The only people who clicked on the URL were new employees, which is why awareness training should be conducted periodically and made mandatory for each individual who joins the company.

Despite awareness training being one of the most effective ways to prevent cyber incidents, it is not a top priority for many organizations.

An email from Stanford University of a phishing attempt
A phishing attempt in Stanford University

2. Take a defense in-depth approach

Mistakes will happen, it’s inevitable. The organizational security program should incorporate a multi-layered approach to cyber-security. The approach must be able to recover after human errors by taking into account a variety of layers including:

  • information security policies
  • physical security
  • network security and systems
  • vulnerability programs
  • asset control measures
  • data protection and backup
  • incident response service
  • cyber insurance

3. Assess your 3rd-party vendors’ cyber-security

Let’s go back to 2017. The malware NotPetya which is considered to be the most devastating attack since the invention of the internet is spreading. It’s making its way from the servers of an unassuming Ukrainian software firm to its global clients, paralyzing their operations, and leading to estimated costs of 10 Billion USD. Today, there is an increased reliance on 3rd-party vendors and suppliers. This reliance, combined with increased network privileges and access to information, has made vendor security assessment of people, technology, and processes, an integral part of an effective cybersecurity program.

Reduce cyber risk throughout the organization with a few simple guidelines

Every employee in the organization has a responsibility to keep it safe. Until your next awareness training yet, we recommend you use and share these easy-to-follow guidelines:

Cleanly separate work and personal users.

  • No password reuse
  • Avoid storing sensitive company data on private cloud services (e.g. Dropbox), use a corporate solution
  • No controlling the work account via a personal account (e.g. personal email as a backup account)

Passwords protect your devices.

  • Enable multi-factor authentication on all internet-accessible services
  • Aim for long passphrases instead of passwords or make use of lengthy randomly generated passwords managed by a password vault

The fewer people have access to your computer, the better.

  • Keep your workstation locked when leaving your desk (WinKey+L for PC; Cmd+Ctrl+Q for Mac)
  • Switch your computer off overnight​
  • Close your laptop camera lid when not in use

Don’t trust networks external to your organization.

  • Avoid using public Wi-F if possible. If you do, consider using a corporate VPN
  • When using someone else’s computer, assume it is being monitored and act accordingly

Lastly, make sure to report to the security team on any suspicious activities, and to attend your organization’s security awareness training sessions.

CYE

By CYE