Despite all the investment in cybersecurity technologies, all the hiring of technical experts, all the millions spent on expensive security consultants, today’s businesses have made little progress resolving what remains the biggest paradox of information security.
That paradox is humans – and, specifically, the employees that information-security strategies are designed to both protect and empower. CSOs spend untold effort designing and implementing security systems that are both flexible enough to direct employees towards more-productive work methods, and restrictive enough to stop them from undertaking actions – usually accidentally, sometimes maliciously – that could damage corporate data or the viability of the business itself.
Recent figures suggest the struggle to get humans onboard the cybersecurity train is as challenging as ever. Humans are consumers at home and users at work – but seem to fail to differentiate the two environments, with recent survey results from backup vendor Acronis suggesting that two-thirds had never heard of ransomware and a quarter of respondents never backed up their own data.
Such ignorance is endemic within surveys of consumer security awareness. Symantec’s recent Norton Cyber Security Insights Report found that 76 percent of consumers are aware they need to actively protect their information online, but still engage in risky behaviours such as sharing passwords with friends and family. This included millennials who, despite growing up with the Internet, exhibited what the report’s authors called “surprisingly slack online security habits”.
“While there are people who understand that cybercrime is an inevitable circumstance of living in a connected world,” the report’s authors write, “human nature is still at play when it comes to dealing with cyber security. Even past victims of cybercrime sometimes fall back into old habits.”
Recidivism was a key theme at the CSO Perspectives Roadshow 2017, where attending CSOs lamented the challenges they had in getting humans to stop practicing such sloppy cybersecurity practices.
Internal ransomware drills, for example, would often pick up the same people time and again despite their having been repeatedly flagged, counselled, trained, and retrained about how to spot phishing emails. FireEye’s Mandiant Red Team Operations, for one, reported one phishing test in which it 600 faux phishing emails to a client organisation; 400 of the staff clicked on it, many within seconds of receiving it.
Such anecdotal accounts highlight the continuing threat posed by the human element of business – where employees so attuned to clicking on attachments may barely pause a moment before happily opening an attachment that can load ransomware that lays waste to the entire company network.
“Cyber-security initiatives… have not gone far enough to address the real and immediate threat to data leakage – insiders, be they malicious, accidental or negligent in intent,” said Guy Eilon, ANZ country manager with security firm Forcepoint, in a statement marking the release of a recent survey of 1250 cybersecurity professionals that identified chronically deficient mechanisms for detecting human error.
Fully 63 percent of respondents to the company’s survey, entitled The Human Point: An Intersection of Behaviours, Intent & Data, said they only have moderate or slight visibility of critical business data. Some 70 percent said they aren’t very effective at understanding the behaviour of people as they interact with business data, and 84 percent said they aren’t very effective at understanding the intent of employees.
These deficiencies highlighted the ongoing need for CSOs to prioritise the development of better human security mechanisms. “It is critical that industry and enterprise throughout Australia shift towards prioritising the human point of security,” Eilon said.
“It is only with a complete understanding of how, where and why people touch confidential data that businesses will be able to better focus cybersecurity efforts and bring us up to speed on the global stage.”
The insider threat continues. As if it wasn’t bad enough that employees are still inadvertently risking the integrity of business data and systems, businesses are still highly exposed to the malicious activities of insiders that decide, whether through inducement or revenge, to target their employer’s data stores.
Just 12 percent of the Forcepoint survey respondents said they were very or extremely effective at recognising anomalous network activity that suggests potential malicious activity. This, despite the recent influx of baselining and monitoring tools designed specifically to pick up on malicious insiders by spotting unusual changes in their activities.
Those changes may also be indicative of an outsider who has compromised an employee’s credentials, so it’s important not to rush to judgement until an employee can be linked to the activity conducted using his or her account details. The need to close this backdoor has led many companies to implement better account management solutions, which clamp down on the errant granting of administrator rights to users that probably don’t need them.
Some industries are more exposed to malicious activity than others: the IBM X-Force Threat Intelligence Index 2017, for one, noted that 25 percent of attacks on healthcare providers were due to malicious insiders, compared with 46 percent instigated inadvertently.
Financial-services companies had more incidents due to inadvertent actors (51 percent) but just 5 percent of compromises were traced to malicious insiders. These figures were diametrically opposed to the IT, manufacturing, and retail sectors, where outsiders were primarily responsible for threats (in 96 percent, 91 percent, and 91 percent of cases respectively).
Healthcare providers should, the X-Force report’s authors advise, focus on engaging employees using a range of approaches including video, webinars, and in-person instruction. But no matter the industry you’re in, the time where you can expect security without a coherent employee engagement plan is long gone.
Effective management of the human threat requires both carrot – by convincing them to take ownership of data and support efforts to protect their credentials – and stick, in which employee-driven data breaches can be punished by sanction or dismissal. And all such protections must be supported by monitoring and security analytics technology to ensure that such threats are more than empty promises.
“To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention,” said Sean Duca, vice president and Asia-Pacific regional chief security officer with Palo Alto Networks, who offers three key strategies for reeling in a company’s exposure to the human element.
These include (1) incorporating security awareness into the organisational culture through regular employee training and maintenance of a business culture where executives lead by example; (2) moving past a compliance-driven approach, which employees often ignore, by using techniques such as gamification offered by a range of outside phishing-education parties; and (3) restricting the number of employees with administrative access.
“It is incumbent on all employees to take responsibility for their cyber practice,” Duca warned. “By ingraining cybersecurity practices within organisational culture, introducing new ways of training, limiting access to only those with authority, and educating employees to practice safe and secure behaviour online, the cyber risk for businesses can be greatly reduced.”