An organization’s cybersecurity can only ever be as strong as its weakest link, and the biggest vulnerabilities in a system are not necessarily found in its hardware or software.
It might be uncomfortable to admit, but employees are still the weakest link in any security defense, and human error is the biggest challenge to overcome. IBM has been saying so since at least 2014, when its Cyber Security Intelligence Index reported that 95% of incidents involved human error. Similarly, CompTIA’s International Trends in Cybersecurity research found that human error was the cause of 52% of data breaches in 2015.
Organizations know they need cybersecurity technology in place, but attackers exploit human nature rather than the technology: they use social engineering to win an employee’s trust and then persuade that employee to click a malicious link or type their credentials into a fake website. What organizations need to do is teach their employees to recognize these tactics.
Commercialized cybercrime
There is no denying that cybercrime has become a commercial enterprise, and that it actively targets people rather than systems. Attackers do so because people are the weakest link: not because they are ‘incapable’, but because we are curious by nature, often busy, and inclined to think well of others, which produces a ‘nothing will happen to me’ mindset.
The stark reality is that these attackers are having massive success worldwide, affecting companies and economies alike. The damage comes predominantly from people clicking links and opening malicious email attachments, visiting websites they shouldn’t, downloading dubious software, and reusing the same password across multiple accounts, all of which ends in breached data and stolen identities. If employees were more aware of these dangers, they could become the most powerful defense a company has.
This is not to say that technical defenses shouldn’t be in place; they should. But cybercriminals can obtain the same security products and updates that defenders deploy, test their malware against them, and modify it until it goes undetected. They know they can get past the technical defenses, which is why the human factor deserves attention. For example, Mimecast’s recent Email Security Risk Assessment found that of 45 million emails inspected, 11 million had been incorrectly ‘passed’ by the incumbent email security systems they had already traversed.
Creating human sensors
Security awareness training is fundamentally an exercise in risk management and compliance, and it becomes more important still with the General Data Protection Regulation coming into force in May 2018. Using phishing simulation tools and cyber knowledge assessment quizzes, organizations can measure where their risks lie (which departments click, which topics are poorly understood) and develop a plan of action to mitigate them.
With security awareness training, employees not only know what to watch out for but also how to follow best practice, and they are empowered to report anything suspicious. As a result, employees become a highly effective network of human sensors who protect themselves both in and out of the workplace.
One large retail company is already reaping the benefits of the human firewall, with a 47% reduction in security incidents after adopting phishing simulations and cyber awareness training; this is impressive given that it had previously been suffering financial losses of over €100,000 per year. Similarly, cyber insurance specialist CFC Underwriting has recently bought access to security awareness tools and training for clients purchasing cyber insurance policies, in an effort to reduce the number of claims made.
It goes without saying that technical defenses such as email filtering, gateways and antivirus are required in this digital age. However, with an ever-increasing number of malicious emails getting through these defenses, companies need to invest in their human firewalls to protect their networks effectively. The human firewall is a proactive and pre-emptive approach to cybersecurity, and without such a strategy the cybercriminals have already won.