Expert Insight
Mitigating Cyber Risk by Cultivating a Culture of Openness
Cyber risk poses a threat to every business. Jesper Johansson, chief information security officer at Yubico, discusses the risk posed to organisations by social engineering attacks and how best to counter it
Humans are the weakest link in any security chain. It’s a longstanding business message, and with good reason.
Swathes of surveys and studies have concluded that staff are ultimately responsible for the vast majority of enterprise cybersecurity incidents, whether through clicking on compromised links, opening infected attachments, misconfiguring vital security tools, bringing in unpatched equipment, setting easily crackable passwords, or — in a small minority of cases — undertaking malicious activity themselves.
To cite just a few, Experian’s ‘Managing Insider Risk through Training and Culture’ report shows that 66% of data protection and privacy training professionals think their employees are indeed the ‘weakest link’.
84% of attendees at Black Hat USA 2017 whose organisations had suffered cyberattacks attributed those attacks at least in part to human error. And global brokerage firm Willis Towers Watson has claimed that it can trace a whopping 90% of cyber insurance claims back to some form of human error or, occasionally, deliberate behaviour.
So, as an IT department, how do you get around issues caused by the one thing you don’t have absolute control over: people? The message is clear: strengthen your staff.
Organisations that take cybersecurity and data protection seriously need to take employee awareness and training seriously. While many people claim, not completely without evidence, that people can’t be trained in security, the reality is that you can train them to seek out help when needed.
As the proverb goes, you just need to train them to fish, not to cook.
Equip Your Team
A solid foundation of security tools and technologies is essential. Staff cannot be expected to be successful gatekeepers for your organisation’s data and applications if they are not supported with the proper tools to do so.
Get a password manager in place with licences for all employees. Offer up-to-date anti-malware software. And select vendors — when possible — that provide strong authentication options.
Train Your Team
Equipping your team isn’t enough. Make sure your team is aware of how to use the tools they’ve been provided with.
Consistent and clear communication is key to this. Whether it takes the form of a regular email on security updates and the actions employees should be taking, or of in-person training sessions, employees need constant reminders of what they should be doing, how to do it, and why they must stay vigilant.
You also need to make sure that your team understands what you’re asking of them and why. For example, they won’t be much help in reporting a phishing email if they don’t know what it looks like, or what the potential consequences could be of a successful phishing attack.
They need to be able to judge when it is safe to open an attachment or click on a link, and to recognise the signs that their username and password have been compromised.
Crucially, enterprises must be aware that a great deal of human error stems from staff falling victim to highly tailored attacks: attacks that draw on personal information or individual context to manipulate the target into taking a misstep.
Guide Your Team
Do not neglect the processes and policies required to help your employees be successful security advocates. Set up clear instructions on how to report suspicious security incidents, including where employees need to report them and to whom.
You may wish to provide them with a contact card with important information to keep in their bags or on their lanyards.
Empower Your Team
Most importantly, create a culture of openness. Every enterprise cybersecurity strategy must assume that something will occasionally slip through.
Staff training and awareness must go beyond helping employees avoid attacks in the first place; it must also make people feel comfortable enough to speak up about an issue or take ownership of a potential security misstep.
Creating a culture of ownership is vital in a strong security architecture. Positive ownership of human error acknowledges that everybody makes mistakes — indeed, that human error is a characteristic part of any organisation — while also recognising that it is important to learn from those errors and to put processes in place to prevent the same ones from being made over and over.
The future of social engineering and human manipulation is likely to be ever more sophisticated. The rise of machine learning and artificial intelligence means that it is getting easier for cybercriminals to develop highly targeted attack techniques — ones which learn from their own successes and failures, and propagate rapidly.
It is therefore essential for organisations to be able to stop the spread of social engineering as fast as possible, and this depends on people and processes as much as tools and technology.
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang