The Weakest Link in Cybersecurity: You and Everyone Else
Published on August 7, 2019 by David Maher
To Do: Morning jaywalk. Post-lunch swim. After-dinner espresso. Face it, humans are fallible. We do things every day—and sometimes all day—that we know we “shouldn’t” do.
Most people know that they should have strong passwords, that those passwords shouldn’t be reused, that they should be suspicious of emails that contain unexpected attachments and that they must be careful when using public WiFi. But time after time, humans prove that they don’t always adhere to best practices. This makes us the weakest link when it comes to cybersecurity. Criminals routinely seek to exploit individuals rather than systems because they understand just how effective social engineering techniques are on busy, distracted people who might not have cybersecurity at the front of their minds.
It is incredibly easy, and cheap, for bad actors to send out an email that contains a file with embedded malware, or that gets you to reset your password on a look-alike fake website to phish for credentials. Once these criminals have gotten you to install the malware or have your credentials, they can wreak havoc on your network: holding data ransom in exchange for cash or bitcoin, sifting through documents for trade secrets, or exposing sensitive emails and internal discussion to create bad press for your organization. This method is so effective that 91 percent of cyber-attacks start with a phishing email.
While it would be impossible to entirely eliminate the risk posed by human factors, there are ways for organizations to substantially decrease their risks. Some technologists preach eternal vigilance and that users should consider every website and email suspect. Unfortunately, this is not realistic in the real world, and we know people will slip up. So what does work?
Training and awareness are the first piece of the puzzle. Regular discussion about what a cybersecure environment looks like, in the office, at home and on the road, is important in workplaces where employees bring their own devices. How organizations approach training is also key. An annual approach to cybersecurity training doesn’t provide regular enough reminders for today’s cyber environment. Short, frequent trainings, and reaching out to employees with regular tips and updates as the cybersecurity landscape changes, are vital.
Create a “Human Firewall”
Creating a cybersecure culture is also key to combating attacks. Employees must be empowered to be the “Human Firewall” that protects an organization. Helping employees understand the importance of their role in cybersecurity and giving them the tools needed to report incidents and give feedback is key. Even with an optimal cybersecurity system, errors and mistakes will occur and a quick and easy reporting system will help empower employees to flag anything suspicious to the IT team.
Monitor and Respond
Once suspicious behaviors or programs are flagged, it is important that the IT team has an up-to-date incident response plan. This plan will help clarify immediate responsibilities and ensure that the correct action is taken to contain and control threats. The incident event details should be recorded to guide future learning, allow for continuous risk assessment and identify areas where additional training is needed.
These components make up some of the best standards-based cybersecurity programs. The world over, organizations rely on standards-based cybersecurity programs, such as ISO/IEC 27001, the international standard for Information Security Management, which assess current risk and identify areas for improvement to help secure their networks. This type of approach to cybersecurity also demonstrates that an organization has the necessary controls in place to reasonably and responsibly fulfill its duty of care.
Published by: David Maher - Global Sales and Marketing Director BSI Digital trust