Human Error is the Biggest Cyber Security Threat
Does it surprise you that the main perpetrators of personal data breaches (PDBs) are people? Or that in the first six months of 2019, 60% of PDBs were the result of human error? What mistakes are we humans typically making? Simple ones, such as incorrect disclosure or sending information to the wrong person. Given these numbers, the research showing that 95% of IT leaders are concerned about the insider threat is well-founded.
Everyone has the potential to be a hacker
Despite the portrait of hackers in the media and onscreen, the truth is that hackers are often either people who make mistakes or opportunists seeking a bit of fun. Robert Schifreen is a case in point. Robert did not set out to hack Prince Philip’s email account. As he said, “I was testing a modem and was typing in random numbers to see if they worked or not. And one of them did.” Suddenly Robert not only had access, but he also became a system manager. When he informed British Telecom, they did not believe him. Only when he changed their main page did they accept his news. His actions and subsequent arrest and court case led to the Computer Misuse Act of 1990.
Primary areas of weakness
When thinking about how best to ensure the safety of your business, your customers, and your employees, it pays to think outside the box. Look beyond relying on anti-virus software and take a step back to consider the situation holistically.
When the ex-CEO of Talk Talk was under the spotlight, he acknowledged that old legacy tech was part of the reason for the attack. Organisations need to consider other vulnerable areas, such as the till in the canteen or the software that controls the lifts. Sometimes it is these overlooked technologies that make your company a susceptible and easy target.
Ever wondered what the best way to gain access to a locked door is? Simple. Stand outside with both hands holding cups of coffee. Almost immediately, someone will offer to open the door, given that your hands are full. Alternatively, go online and purchase a badge and a high-vis vest, both with “Security” written across them, and voilà. I have known people to do just this and get into concerts and conferences, all for free.
The accidental hacker
Yes. Robert’s story is just one example. There are also countless stories of employees thinking they have permission to perform a task, and suddenly, they have inadvertently opened their company to exploitation. I have heard of incidents where someone utilises an app or tool on the organisation’s website, not realising it was giving people access to their system.
Only training IT employees
All too often, organisations only see the relevance of educating the folks in the IT department. Yes, I know it might be a budget issue. However, given the rising number of attacks plus the hefty fines, it makes good business sense to ensure all your employees are security-aware. Some companies get it. I know of one company that uses gamification to encourage security awareness: the individual who forwards the most phishing emails receives a box of chocolates.
Three steps to take now to increase cyber security protection
Globally, every 39 seconds, there is a hacker attack. We also see the number of malware samples released rocketing daily. In the first six months of 2019, reports show that there was a 55% increase in Internet of Things (IoT) malware attacks. Many of these are automated, so I don’t expect to see a decrease in numbers anytime soon. With the odds this high, your organisation must take security seriously.
Start with these 3 essential precautionary tactics:
- Complete a risk analysis, isolate any weaknesses, and address them.
- Test your systems. Send out a fake virus and conduct multiple penetration tests. Establish a separate AWS or cloud account, sit back, and watch the attempted logins. It also helps to do a little fieldwork yourself. Install canary tokens on your system. Not only will you facilitate reverse-engineering detection, but you will also learn when someone is in places they should not be.
- Perform weekly or monthly security checks. Be sure to include your firewall logs and Windows logins. I also recommend completing regular physical reviews. Remember that a data monitor a quarter the size of a pack of cards can provide remote access. Therefore, I advise walking around and doing a manual check to ensure nothing is where it should not be.
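The decoy-account and canary-token checks above boil down to reviewing logs for two signals: repeated failed logins from one source, and any access to a token that no legitimate user should touch. The script below is an added illustration, not code from the original article; the syslog-style lines and the canary message format are constructed for the example (real canary services usually alert by email or webhook rather than a local log line).

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real system): a decoy host's
# SSH auth messages plus one hypothetical canary-token trigger line.
SAMPLE_LOG = """\
Mar 01 08:00:01 decoy sshd[101]: Failed password for root from 203.0.113.5 port 4100 ssh2
Mar 01 08:00:03 decoy sshd[101]: Failed password for admin from 203.0.113.5 port 4101 ssh2
Mar 01 08:00:05 decoy sshd[101]: Failed password for root from 203.0.113.5 port 4102 ssh2
Mar 01 08:00:09 decoy sshd[102]: Failed password for root from 203.0.113.5 port 4103 ssh2
Mar 01 08:01:10 decoy sshd[103]: Accepted publickey for ops from 198.51.100.7 port 52000 ssh2
Mar 01 08:02:45 decoy sshd[104]: Failed password for ops from 198.51.100.7 port 52011 ssh2
Mar 01 08:05:00 decoy canary[7]: token opened id=CANARY-1234 src=192.0.2.99 path=/share/passwords.xlsx
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")
CANARY_RE = re.compile(r"canary\[\d+\]: token opened id=(?P<id>\S+) src=(?P<src>[\d.]+)")


def analyse(log_text, threshold=3):
    """Return (brute_force_sources, canary_hits).

    brute_force_sources: {source_ip: failed_attempts} for sources at or
    over `threshold` failures (a decoy account should see none).
    canary_hits: [(token_id, source_ip)] for every token trigger; a single
    hit is already significant, so no threshold applies.
    """
    failures = Counter()
    canary_hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("src")] += 1
            continue
        m = CANARY_RE.search(line)
        if m:
            canary_hits.append((m.group("id"), m.group("src")))
    brute = {src: n for src, n in failures.items() if n >= threshold}
    return brute, canary_hits


if __name__ == "__main__":
    brute, hits = analyse(SAMPLE_LOG)
    for src, n in brute.items():
        print(f"ALERT repeated failed logins from {src} ({n} attempts)")
    for token_id, src in hits:
        print(f"ALERT canary token {token_id} triggered from {src}")
```

A real review would feed the previous week's firewall and Windows logon exports through the same two patterns instead of the embedded sample.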
What other ways can organisations enhance cyber security?
As with all disasters, it is essential that you have a disaster recovery plan (DRP) that sets out what to do in the event of a cyber-attack. I strongly suggest ensuring you have a hard copy in addition to the online version and that employees know where to locate it.
How to stay ahead of the game
The internet is awash with advice and best practices. There are also tons of conferences on the subject now. Also, I recommend completing a Windows Server hardening checklist. Learn how to identify and resolve security soft spots.
Stephen Roberts is the Marketing Director at Skillsoft EMEA.