Are People the Problem with InfoSec?
You’ve probably heard it over the years, humans are the weakest link in the security chain. Reams of articles blame humans for clicking on stuff in an age when we click on everything. We now have this tool at our disposal where the entire system is built on clicking links. It’s even part of everyday office lexicon, ‘…let’s double-click on that for a moment.’ Sure, humans often do bonehead InfoSec things like leaving laptops in unlocked cars, sticky-noting their passwords on the computer, or falling prey to an emotionally charged email requesting assistance.
To err is human and we all make slips and mistakes. But blaming what could be your strongest link and an important part of an organization’s defense is also, a mistake.
Employees are often frustrated with corporate security policies and in general, most people’s primary jobs are not security related. They may not understand the larger implications of their actions. Complex policies that are difficult to comply only leads to risky workarounds in the name of productivity. It’s important to devise security policies that work for, rather than against employees.
According to Gurucul, who surveyed more than 650 IT professionals at the 2019 RSA Conference, almost 75% felt vulnerable to insider threats. Within that, User Error topped the concerns at 39% with malicious insider (35%) and account compromise (26%) following. To pile on, only 34% of respondents felt they were able to detect threats in real time. And 33% are focused on detecting the insider threats after the incident rather than predicting before they occur. Finally, 40% won’t be able to tell at all if data has left the building.
Critical Infrastructure Technology reports that most cybersecurity incidents (both intentional and accidental) are the result of some action by insiders. We’ve seen many incidents over the years where people are fooled into clicking an attachment or deceived into clicking a fraudulent link. Phishing is especially prevalent these days and as F5 Labs notes has proven so successful it is now the top attack vector. In fact, the Anti-Phishing Working Group reports that phishing has gone up 5,753% over the past 12 years. And F5 Labs found phishing to be the root cause of 48% of breach cases they investigated.
What can you do?
Well, there are certainly technologies that can help reduce the threat potential. F5 Labs 2018 Phishing and Fraud Report recommends several defenses, including email labeling from external sources so employees are alerted to proceed with caution. Technologies like anti-virus, web filtering and fraud protection, single-sign on, multi-factor authentication, bot blocking, and even making use of honey tokens – dummy user accounts and email addresses that can be monitored to detect when attackers send out blanket phishing emails. It is also critical to decrypt and inspect inbound and outbound traffic for potential encrypted threats;68% of malware gets its instructions from an encrypted command and control server.
All these can reduce the threat surface but doesn’t eliminate the potential of one sneaking through. Social engineering tactics have been around a long time, well before the internet.
And that’s where training comes in.
Humans are emotional creatures who get comfortable in routines. If they are accustomed to clicking everything, they’ll need help in recognizing what is safe and what is dangerous. Thus, security awareness training is critical. At least they’ll will be aware of the consequences of their over-clicking and be prepared to the artfulness of the attacks. Users should also be urged to report any suspicious emails and verify with IT or Security before running outside software or providing their login credentials.
F5 Labs 2018 Phishing and Fraud Report notes that Webroot testing has shown that the more security awareness training is conducted, the better employees are at spotting and avoiding risks. Those who ran 1-to-5 training campaigns saw a drop of 33% phishing click-through rate; those that ran 6-to-10 campaigns dropped the click-through rate to 28%; and those that ran 11 or more training campaigns reduced the rate to 13%. Also, phishing simulations and campaigns were found to be most effective when the content is current and relevant. This means that companies who don’t conduct security awareness training can reasonably expect users to click on at least 1-in-3 phishing attempts. Training is always cheaper than a breach.
In terms of training, F5 Labs suggests it should be brief, relevant, personal, and solvable. Treat security as a problem that is manageable, but only with the active, informed participation of everyone involved. Security awareness training is the best opportunity to speak directly to all users and encourage them to participate in a shared cause.
Here's a fun one you can try on your friends. Say, ‘I’m a cyber expert and if you tell me your password, I can tell you if it’s secure.’ See how many give you an answer!