There is hardly a day when we do not read or get to know about cyber-attack, cyber- crime, security breach, zero day attack or identification of a new vulnerability.
We have seen every year the security budget and spend on the security is increasing and still, organizations are getting breached. Most this money goes to implement and manage technologies and often the weakest link in the chain that is people who are creating, accessing the data are ignored.
Kevin Mitnick, “The World’s Most Famous Hacker” quotes
“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and its money wasted; none of these measures address the weakest link in the security chain.”
Organizations are putting their reputation and competitive advantage at risk by not addressing the ‘human factor’ in cyber security the way it needs to be tackled.
In recent months we have witnessed devastating ransomware attacks, the security awareness survey conducted by the Cyber-threat Defense Report , one of the key finding was “low-security awareness among employees” was the biggest inhibitor to network security.
The IBM X-Force Research report, Ransomware: How Consumers and Businesses Value Their Data, indicated that only 31% of U.S. consumers have heard of ransomware.
“Despite organizations continuing to invest heavily in technology to better protect their precious information and systems, the number and scale of attacks continues to rise as they discover there is no ‘silver bullet’ to help them to achieve their desired level of cyber security,” said Nick Wilding, head of cyber resilience best practice at Axelos.
Businesses are severely underestimating the “human factor” of employee behavior in corporate cyber risk, according to research from Axelos, a joint venture between the UK government and Capita.
How the lack of awareness Impacts?
- First reason is phishing emails, these attacks are great example of how the attackers are taking advantage of weakest link in the chain i.e. humans
Most of the malware, ransomware are spread hidden within Word documents, PDFs and other files normally sent via email. The e-mails are drafted in such a way that the receiver will get lure to click on the link provided in an e-mail or open the attachment. Once the document is open or link has clicked the malware hidden in the file or link gets downloaded and exploits the vulnerability and starts spreading laterally.
- The second reason is a misuse of the BYOD or organizational provided devices, as organizations are allowing employees to use these devices to perform personal activities as well execute organizational tasks, organizations have to put a lot of trust on the employees.
The Survey conducted by Wombat earlier this year identifies the employees use the corporate laptop for their personal use. Following chart provides the details for what purpose they are used.
In the same survey when asked What employees do with corporate laptop the response is as follows
The employees who are not well trained for the security awareness can connect the corporate laptop to the unprotected Wi-Fi network like in restaurants or on the air ports, which may infect these laptops and back in office can spread the infection.
- The Third reason is social engineering – The attackers take the advantage of human psychology, they call to the help desk or the people who hold the corporate information and create a scene of panic to get information.
For more information on social engineering
If your employees are not well trained to follow the processes before disclosing any information, they are getting tricked can fall the prey of these ticks and provide important information ranging from who is in charge of managing specific asset to the user name and password to access the same asset.
What can be done?
Many organizations have employee awareness programs which they run on the regular basis, but these programs lack in impacting the users to change their behavior.
Not only run the awareness programs regularly but make sure that these programs include following points :
- Use appropriate material for training, which will engage your audience
- Collect the appropriate metrics regularly – Changes in behavior of employees before training and after training
- Have reasonable expectations – humans cannot change overnight and hence you need to provide awareness on regular basis
- Training program should not be always presentation based, have newsletter, flyers, questioners, etc. to keep security always on the top of their mind
- Have surprise test for testing your employee’s awareness and link reward points to passing these tests.
