16 August 2017

Despite growing online awareness, human behaviour continues to be a weak link in the cyber security chain.

According to the Ponemon Institute's 2017 Cost of Data Breach Study, which surveyed over 400 organisations, over a quarter of data breaches are the result of negligent employee or contractor behaviour.

Media focus on malicious criminal and insider attackers means that breaches involving innocent employee actions are often less well publicised, even though they can be just as damaging as other sources of attack.

The biggest vulnerabilities are not necessarily found within programs and applications, but rather with the people who use them.

Opening unexpected email attachments, setting basic passwords, and even leaving security doors propped open might seem like innocent actions, but in reality they provide exactly the type of opening cybercriminals need to gain a foothold on your network and steal or sabotage commercially valuable information.

Being ignorant of, or actively circumventing, recommended cyber security practices to save time or boost productivity might once have been tolerated in many offices, but given the increasing financial and reputational cost of breaches, such shortcuts can no longer be overlooked.

How to mitigate human security risk in your organisation

The good news is that the majority of cyber risks related to human behavioural weaknesses can be mitigated with appropriate security education, processes and controls.

Below, we reveal five key ways your employees can unwittingly compromise your business's cyber security, and the preventative steps you can take.

1. Clicking on unverified URLs or email attachments

Social engineering is a common tactic used by cybercriminals to trick your employees into opening files or clicking links that trigger the installation of malware, or to fool recipients into sharing sensitive information. Malicious payloads are often attached to, or linked from, emails purporting to come from known organisations such as suppliers or clients. Business Email Compromise (BEC) attacks are a form of social engineering in which the attacker impersonates an executive or supplier to trick staff into making fraudulent payments.

According to the Verizon 2017 Data Breach Investigations Report, nearly two thirds of malware is installed via malicious email attachments.

Top prevention tips:

  • Copy and paste URLs into a browser rather than clicking on them directly, since the text of a link can differ from the address it actually opens
  • Don't share credentials, payment details or other sensitive information in response to an unsolicited phone call or email
  • Scrutinise emails for giveaway signs like spelling errors or inaccuracies
  • Check that the sender and reply-to addresses of an email match, and that the domain is spelled exactly as expected
  • Verify any request with a financial impact through a second channel, such as a phone call to a number you already hold
  • Conduct a simulated social engineering attack to test employee awareness
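Several of the checks above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original post or from Redscan: against a constructed sample message it flags a Reply-To address on a different domain from the sender, a display name that borrows a trusted supplier's name while the address uses a look-alike domain, and link text that shows one address while the link actually points elsewhere (the reason for the copy-and-paste advice). The trusted domains, the addresses and the message itself are all made up.

```python
"""Phishing giveaways checked against a constructed sample email.

Added example (not from the original post): flags a Reply-To on a
different domain from the sender, a display name imitating a trusted
supplier on a look-alike domain, and link text that differs from the
link target. Every domain, address and the message itself is made up.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains we treat as genuinely ours or our suppliers'.
TRUSTED_DOMAINS = {"example-supplier.com", "corp.example.com"}

# Constructed message. Note the digit 1 standing in for l in the sender domain.
SAMPLE_EMAIL = """\
From: "Example Supplier Accounts" <accounts@examp1e-supplier.com>
Reply-To: billing.update@mail-relay.invalid
To: finance@corp.example.com
Subject: Updated bank details for invoice 4471
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please update our bank details via the secure portal:</p>
<a href="http://portal-login.invalid/update">https://portal.example-supplier.com/update</a>
</body></html>
"""


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_email(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # 1. Replies would go to a domain other than the apparent sender's.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Display name borrows a trusted organisation's name; the address does not match it.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            org = trusted.split(".")[0].replace("-", " ")
            if org in from_name.lower():
                findings.append(f"display name '{from_name}' imitates {trusted} "
                                f"but sender domain is {from_dom}")

    # 3. Link text shows one host while the href goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

None of these checks proves a message is malicious on its own; legitimate bulk mailers set a different Reply-To and many newsletters wrap links through tracking hosts. Their value is in routing the message to a human for the scrutiny the tips describe rather than in blocking it outright.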

2. Setting weak passwords

A basic six-character password can be brute-forced in minutes: an attacker who has obtained a password hash can try every combination offline, and the shorter the password and the smaller its character set, the sooner that search finishes. Enforcing a strict organisation-wide password policy, so that attackers cannot easily assume a user's network identity and permissions, is therefore essential.

The same Verizon report found that over 80% of hacking-related breaches leveraged either stolen or weak passwords (Verizon, 2017 Data Breach Investigations Report).

Top prevention tips:

  • Enforce a corporate password policy that requires sufficient length as well as a mix of uppercase, lowercase, numeric and special characters, and that rejects passwords known to have appeared in previous breaches
  • Encourage users to create a unique password for each system by sharing awareness of password generation techniques and tools such as password managers
  • Leverage SIEM to monitor for brute-force attempts and suspicious network activity; a policy cannot protect a password that has already been stolen, so detecting its misuse matters as much as its strength
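As an added example of the monitoring the last tip describes (not code from the original post, and not any SIEM product's rule syntax), the following Python runs over constructed sshd-style auth log lines and raises three kinds of alert: a burst of failed logins from one source, one source failing against several different accounts (password spraying, which per-account lockout rules never trigger on), and a successful login that follows a burst from the same source. Host names, user names and addresses are made up, and the thresholds are assumptions to be tuned for the environment.

```python
"""Brute-force and password-spray detection over constructed auth log lines.

Added example (not from the original post, not any SIEM's rule syntax):
shows the logic a SIEM rule for the monitoring tip encodes. Host names,
user names and addresses are made up (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines in syslog format (no year), as in /var/log/auth.log.
SAMPLE_LOG = """\
Aug 16 09:00:01 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51234 ssh2
Aug 16 09:00:03 host1 sshd[1202]: Failed password for alice from 203.0.113.7 port 51236 ssh2
Aug 16 09:00:04 host1 sshd[1203]: Failed password for alice from 203.0.113.7 port 51240 ssh2
Aug 16 09:00:06 host1 sshd[1204]: Failed password for alice from 203.0.113.7 port 51244 ssh2
Aug 16 09:00:07 host1 sshd[1205]: Failed password for alice from 203.0.113.7 port 51250 ssh2
Aug 16 09:00:09 host1 sshd[1206]: Accepted password for alice from 203.0.113.7 port 51252 ssh2
Aug 16 09:05:00 host1 sshd[1300]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Aug 16 09:05:10 host1 sshd[1301]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Aug 16 09:05:20 host1 sshd[1302]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
Aug 16 09:05:30 host1 sshd[1303]: Failed password for erin from 198.51.100.9 port 40004 ssh2
Aug 16 11:30:00 host1 sshd[1400]: Failed password for frank from 192.0.2.50 port 33000 ssh2
Aug 16 12:30:00 host1 sshd[1401]: Failed password for frank from 192.0.2.50 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(text, year=2017):
    """Return (timestamp, result, user, source_ip) tuples. Syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=1), max_failures=5, min_users=3):
    """Return (source_ip, alert_kind, detail) tuples.

    brute-force:         at least max_failures failures from one source inside window
    password-spray:      failures against at least min_users distinct accounts inside window
                         (each account sees one failure, so account lockout never triggers)
    success-after-burst: an Accepted login from a source within window of its burst
    Thresholds are assumptions and need tuning to the environment.
    """
    alerts = []
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    for ip, evs in by_ip.items():
        failures = [(t, u) for t, r, u, _ in evs if r == "Failed"]
        raised = set()      # alert kinds already raised for this source
        last_burst = None   # time of the most recent failure that completed a burst
        for t, _ in failures:
            recent = [(ft, fu) for ft, fu in failures if t - window <= ft <= t]
            if len(recent) >= max_failures:
                last_burst = t
                if "brute-force" not in raised:
                    alerts.append((ip, "brute-force", f"{len(recent)} failures by {t:%H:%M:%S}"))
                    raised.add("brute-force")
            users = {fu for _, fu in recent}
            if len(users) >= min_users and "password-spray" not in raised:
                alerts.append((ip, "password-spray", f"accounts tried: {', '.join(sorted(users))}"))
                raised.add("password-spray")
        for t, r, u, _ in evs:
            if r == "Accepted" and last_burst is not None and timedelta(0) <= t - last_burst <= window:
                alerts.append((ip, "success-after-burst", f"{u} logged in at {t:%H:%M:%S}"))
                break
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(parse(SAMPLE_LOG)):
        print(f"{ip:15} {kind:20} {detail}")
```

The success-after-burst alert is the one to page on: a burst of failures followed by success from the same source is the signature of a guessed or sprayed password that worked, and it is exactly the case a password policy alone cannot prevent.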

3. Possessing unnecessary network permissions

To obtain broader access to your organisation's network and assets, hackers will purposely target the employees with the greatest privileges. Some of these personnel may be lower-level users whose network access rights exceed their day-to-day requirements.

Top prevention tips:

  • Enforce a strict access policy that limits user privileges to what each role actually requires
  • Give system administrators separate standard accounts for day-to-day work, and have them use their admin rights only when needed
  • Regularly review access rights and update them to reflect job role changes and leavers, removing accounts that are no longer needed
  • Ensure that remote employees, subcontractors, third-party vendors and partners are included in the same access policies
  • Avoid or limit instances of employees sharing generic account credentials, since a shared credential cannot be tied to an individual's actions
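The review the tips describe can be expressed as a set of checks over a directory export. The following is an added example, not the original post's code or any product's: against a constructed list of accounts, an approval register and an HR leavers list (all made up, in an assumed export format) it flags members of privileged groups who have no recorded approval, leavers whose accounts are still enabled, accounts that have not logged in for 90 days, and accounts with no named owner, which usually means a shared generic credential.

```python
"""Access review over a constructed directory export.

Added example (not from the original post or any product). Records,
group names, the approval register and the leavers list are made up;
the export format is an assumption.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2017, 8, 16)
STALE_AFTER = timedelta(days=90)

# Groups whose membership grants more than day-to-day access (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
# Accounts with a current, documented approval for privileged membership.
APPROVED_PRIVILEGED = {"alice", "svc_backup"}
# Accounts belonging to people who have left, per HR.
LEAVERS = {"dave"}


def account(name, groups, last_login, owner, enabled=True):
    """One record of the assumed directory export format."""
    return {"name": name, "groups": groups, "last_login": last_login,
            "owner": owner, "enabled": enabled}


# Constructed export. 'owner' is the named person or team accountable for the account.
ACCOUNTS = [
    account("alice", ["Domain Admins", "Finance"], date(2017, 8, 15), "Alice Example"),
    account("bob", ["Domain Admins"], date(2017, 8, 14), "Bob Example"),
    account("carol", ["Finance"], date(2017, 3, 1), "Carol Example"),
    account("dave", ["Sales"], date(2017, 8, 10), "Dave Example"),
    account("svc_backup", ["Backup Operators"], date(2017, 8, 16), "IT Operations"),
    account("vendor1", ["Remote Desktop Users", "Domain Admins"], date(2017, 8, 12), "Example Vendor Ltd"),
    account("helpdesk", ["Remote Desktop Users"], date(2017, 8, 16), None),
    account("olduser", ["Domain Admins"], date(2016, 1, 5), "Former Staff", enabled=False),
]


def review(accounts, review_date=REVIEW_DATE):
    """Return (account, finding, detail) tuples for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope here; they should be deleted on schedule
        privileged = PRIVILEGED_GROUPS & set(acct["groups"])
        if privileged and acct["name"] not in APPROVED_PRIVILEGED:
            findings.append((acct["name"], "unapproved-privilege", ", ".join(sorted(privileged))))
        if acct["name"] in LEAVERS:
            findings.append((acct["name"], "leaver-still-enabled", "disable and remove group memberships"))
        idle = review_date - acct["last_login"]
        if idle > STALE_AFTER:
            findings.append((acct["name"], "stale-account", f"no login for {idle.days} days"))
        if acct["owner"] is None:
            findings.append((acct["name"], "no-named-owner", "shared or generic credential; assign an owner or retire"))
    return findings


if __name__ == "__main__":
    for name, finding, detail in review(ACCOUNTS):
        print(f"{name:12} {finding:22} {detail}")
```

The vendor account is the case the fourth tip is about: third parties are easy to leave out of an approval register, and here it holds Domain Admins membership with nothing to justify it. Running a review like this on a schedule, and treating every finding as a ticket, is what turns the policy into something that is actually enforced.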

4. Downloading harmful files and software

Employees with internet access may download files and software which, on the face of it, look harmless but contain malware such as trojans, or have weaknesses that if left unpatched could later be exploited.

Top prevention tips:

  • Raise awareness of the risks of downloading files from untrusted sources
  • Block access to torrents and suspect websites
  • Where possible, prevent users from downloading and/or installing new software
  • Conduct daily system backups, so that a compromised host can be rebuilt rather than cleaned
  • Perform regular vulnerability scans to detect out-of-date software and applications

5. Connecting removable devices to company networks

IT trends such as cloud computing and BYOD have led to employees using their own devices in and around the workplace. Unsecured devices being connected to Wi-Fi and plugged directly into company networks are just two in a line of related security risks that can leave your organisation exposed.

Top prevention tips:

  • Operate a separate, segregated Wi-Fi network for use by guests and employees using personal devices
  • Raise awareness of the risks of connecting unknown or personal devices to company systems
  • Restrict the use of USB storage on networked systems, whether by disabling ports or through device-control policy
  • Use a SIEM tool to detect and alert when USB drives are connected to a host
  • Utilise endpoint protection to hunt for, detect, and eradicate threats from hosts
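As an added example of the USB detection the tips call for (not code from the original post or from any SIEM product), the following Python correlates constructed Linux kernel log lines: the "New USB device found" line gives the vendor and product IDs for a bus address, the attribute lines that follow add product name and serial number, and a later "USB Mass Storage device detected" line for the same address confirms the device is storage rather than, say, a keyboard. Only storage devices are reported, and a device whose IDs and serial number appear in an assumed allowlist of issued corporate drives is reported as allowed rather than alerted. Host names, IDs and serial numbers are made up; a Windows equivalent would read the corresponding event log channel instead of syslog.

```python
"""USB mass-storage detection over constructed Linux kernel log lines.

Added example (not from the original post or any SIEM product). Host
names, bus addresses, vendor/product IDs and serial numbers are made up.
"""
import re

# Constructed syslog lines as forwarded from /var/log/kern.log on two workstations.
SAMPLE_LOG = """\
Aug 16 10:12:01 ws42 kernel: [ 1234.567890] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Aug 16 10:12:01 ws42 kernel: [ 1234.600012] usb 1-1: New USB device found, idVendor=1234, idProduct=5678
Aug 16 10:12:01 ws42 kernel: [ 1234.600100] usb 1-1: Product: Pocket Drive
Aug 16 10:12:01 ws42 kernel: [ 1234.600150] usb 1-1: Manufacturer: ExampleFlash
Aug 16 10:12:01 ws42 kernel: [ 1234.600200] usb 1-1: SerialNumber: 0000ABCD
Aug 16 10:12:01 ws42 kernel: [ 1234.650000] usb-storage 1-1:1.0: USB Mass Storage device detected
Aug 16 10:12:02 ws42 kernel: [ 1235.700000] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Aug 16 10:20:15 ws42 kernel: [ 1729.100000] usb 1-2: New USB device found, idVendor=1234, idProduct=0001
Aug 16 10:20:15 ws42 kernel: [ 1729.100100] usb 1-2: Product: Keyboard
Aug 16 10:20:15 ws42 kernel: [ 1729.150000] input: ExampleFlash Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input9
Aug 16 11:02:40 ws17 kernel: [   88.200000] usb 2-1: New USB device found, idVendor=4321, idProduct=9999
Aug 16 11:02:40 ws17 kernel: [   88.200100] usb 2-1: Product: Corp Encrypted Drive
Aug 16 11:02:40 ws17 kernel: [   88.200200] usb 2-1: SerialNumber: CORP-000123
Aug 16 11:02:40 ws17 kernel: [   88.250000] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Assumed allowlist of issued corporate drives: (idVendor, idProduct, serial number).
ALLOWED_DEVICES = {("4321", "9999", "CORP-000123")}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[ *[\d.]+\] )?(?P<msg>.*)$"
)
NEW_RE = re.compile(
    r"^usb (?P<addr>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ATTR_RE = re.compile(r"^usb (?P<addr>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<addr>[\d.-]+):[\d.]+: USB Mass Storage device detected")


def detect_usb_storage(text, allowed=ALLOWED_DEVICES):
    """Correlate kernel lines per (host, bus address) and report mass-storage devices.

    Returns a list of dicts, each with action 'alert' (storage device not on the
    allowlist) or 'allowed'. Non-storage devices such as keyboards produce no entry.
    """
    devices = {}   # (host, addr) -> attributes of the device currently enumerated there
    reports = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, msg, ts = m["host"], m["msg"], m["ts"]
        if (n := NEW_RE.match(msg)):
            # A fresh enumeration replaces whatever was previously at this address.
            devices[(host, n["addr"])] = {"host": host, "addr": n["addr"], "first_seen": ts,
                                          "vid": n["vid"], "pid": n["pid"]}
        elif (a := ATTR_RE.match(msg)) and (host, a["addr"]) in devices:
            devices[(host, a["addr"])][a["key"]] = a["val"]
        elif (s := STORAGE_RE.match(msg)) and (host, s["addr"]) in devices:
            dev = devices[(host, s["addr"])]
            key = (dev["vid"], dev["pid"], dev.get("SerialNumber", ""))
            dev["action"] = "allowed" if key in allowed else "alert"
            reports.append(dict(dev))
    return reports


if __name__ == "__main__":
    for dev in detect_usb_storage(SAMPLE_LOG):
        print(f"{dev['action']:8} {dev['host']} usb {dev['addr']} "
              f"{dev.get('Manufacturer', '?')} {dev.get('Product', '?')} serial={dev.get('SerialNumber', '?')}")
```

Keying the allowlist on the serial number as well as the vendor and product IDs matters: IDs identify a model, not a unit, so a drive of the same model bought by an employee would otherwise pass as a corporate one. Detection is the fallback; where the device-control tip is in place the plug-in is blocked and this alert tells you someone tried.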

Summary

Without appropriate measures in place, human behaviour will continue to present a significant risk to your organisation's cyber security. With the right policies and tools, however, it is entirely possible to protect your organisation from damaging actions, whether intentional or unintentional.

Improving awareness of risks and encouraging all employees to take an active role in maintaining ongoing cyber security is a good first step towards reducing human error. When backed by effective processes and technical controls capable of detecting and responding to threats, your organisation will benefit from a significantly improved cyber security posture.

Read more:
Why a simulated cyber-attack can help to test the effectiveness of your security investments
What is a penetration test?