Cyber-attacks are now a daily occurrence, with a third of businesses reporting a security breach in the last year. Attention tends to focus on organised crime, whose methods are becoming highly sophisticated, but one of the major threats to cyber security is a company’s own employees. In truth, a self-reported data breach is seven times more likely to be the result of human error than of a malicious attack.
How criminals use human error in cyber attacks
Attacks that exploit human error usually rely on phishing: a message that persuades the recipient to click a link, open an attachment or hand over credentials. These lures are becoming more sophisticated and copy the forms, language and even the fonts of trusted companies to disguise the impersonation. According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, the number of phishing attacks detected in the first quarter of 2018 was up 46% on the last quarter of 2017.
Phishing and social engineering are only part of the problem for human-error based breaches. Many companies allow employees to work on their own phones, tablets and computers – the Bring Your Own Device (BYOD) model. When employees reduce or even remove the barriers between the professional and the personal by having both on the same device, something as simple as a rogue app can mean employees are only one click away from revealing sensitive business information and putting the company at risk.
A collaborative approach is vital
Companies take cyber threats very seriously, but as employees are often the weakest link in the security chain, more training and awareness are needed. Employees at all levels should understand that responsibility for security lies with them and isn’t just “something for the IT department”. Current phishing simulations rarely reflect the real-world threat: they tend to focus on fault or blame for a breach, while the threats themselves are constantly evolving. Making simulations match how employees actually work every day, and letting them take control and identify threats themselves, is likely to yield better results.
Create an accessible cyber security plan
Expecting all employees to become security experts and avoid every threat is unrealistic. Instead, the aim should be to help them understand how they will be targeted and crucially, that they should be free to ask for help as not all ‘reset your password’ emails will be malicious and not all emails from a bank will be genuine.
With IT department heads struggling to get their employees to respond to notifications of a vulnerability or attack and take appropriate action, teams need to find immediate ways to alert staff to potential threats. Apps such as Workplace (Facebook’s enterprise connectivity platform), that cut through the noise of emails and uninspiring intranets and enable the sharing of security awareness messages quickly, might therefore be a better solution.
Consider ways to make it easier for employees
‘Strong’ passwords, enforced through composition rules demanding mixed case, digits and unusual symbols, have been the preferred barrier in recent years, but they may actually cause a bigger problem. Research shows that users are likely to write down, reuse or predictably mangle passwords they cannot remember, undermining their strength; current guidance (NIST SP 800-63B) therefore favours length and a check against known-breached passwords over symbol requirements and forced periodic resets. Organisations should also take practical steps such as showing people the password rules before they try to enter a new password, or letting them look the rules up rather than only stating them at reset. They could adopt approaches that let staff set long but memorable passphrases, add two-factor authentication, or offer alternatives to passwords altogether to make authentication easier. It is also vital that everyone who needs digital services to fulfil their role can get easy access to them, so they don’t resort to sharing passwords with other people to ‘get the job done’.
What works in the isolation of the IT lab will often fail when it has to be used by real people every day. Collaboration and input when designing these policies can help employees make good decisions and can really help uptake and responsibility for security.
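As an added illustration of the password point above (example code written for this article, not a policy from any product or from the University of York), the block below puts a legacy composition-rule check next to a length-first check of the kind NIST SP 800-63B recommends. The minimum length of 12, the context-word rule and the denylist of compromised passwords are assumptions constructed for the demonstration; a real deployment would check candidates against a full breached-password corpus such as the Have I Been Pwned range API rather than a handful of inline digests.

```python
"""Legacy composition-rule password policy beside a length-first policy.

Added example for this article; not code from the original page.
The denylist, the 12-character minimum and the context-word rule are
assumptions chosen for the demonstration.
"""
import hashlib
import string
import unicodedata

# Constructed denylist of common / previously breached passwords. Stored as
# SHA-1 digests so the plaintext strings are not sitting in source; SHA-1 is
# used only because breached-password corpora (e.g. Have I Been Pwned) key
# on it, not because it is a suitable password hash for storage.
_COMMON_PASSWORDS = [
    "password", "Password1!", "P@ssw0rd1!", "qwerty123", "letmein", "Welcome2024!",
]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _COMMON_PASSWORDS
}

MIN_LENGTH = 12   # assumption for this example
MAX_LENGTH = 128  # allow long passphrases; cap only to bound hashing cost


def legacy_policy_ok(password: str) -> bool:
    """The 'complex' rule set this article argues against: at least 8
    characters with an upper-case letter, a lower-case letter, a digit and a
    symbol. It happily accepts 'P@ssw0rd1!' and rejects a four-word passphrase."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def normalise(password: str) -> str:
    """NFKC-normalise so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_compromised(password: str) -> bool:
    """Look the candidate up in the (constructed) breached-password set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in COMPROMISED_SHA1


def check_password(password: str, context_words=()) -> list:
    """Length-first policy. Returns a list of human-readable reasons for
    rejection; an empty list means the password is acceptable.

    No composition rules: 'correct horse battery staple' passes, while a short
    symbol-laden string or a known-breached password does not.
    """
    reasons = []
    pw = normalise(password)

    if len(pw) < MIN_LENGTH:
        reasons.append(f"fewer than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"more than {MAX_LENGTH} characters")
    if is_compromised(pw):
        reasons.append("appears in the compromised-password list")

    # Reject passwords built from the user's own identifiers (username,
    # e-mail local part, company name); words shorter than 4 are ignored to
    # avoid spurious matches on initials.
    lowered = pw.lower()
    for word in context_words:
        if len(word) >= 4 and word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")

    # 'aaaaaaaaaaaa' or 'abababababab' is long but trivially guessable.
    if len(set(lowered)) <= 2:
        reasons.append("too few distinct characters")

    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: legacy={legacy_policy_ok(candidate)} "
              f"length-first={check_password(candidate) or 'ok'}")
```

The contrast is the point: the legacy rules wave through `P@ssw0rd1!`, which sits in every breached-password list, and reject a 28-character passphrase for lacking an upper-case letter. The length-first check does the reverse, and the reasons it returns are the kind of plain-language feedback the article suggests showing users before they type rather than only at reset.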
Do you want to make your mark on the future of cyber security? Designed specifically for ambitious professionals, the University of York’s Computer Science with Cyber Security MSc enables you to earn a Masters degree without putting your current career on hold. The course covers topics such as security risk analysis and network and operating system security as well as broader computer science topics such as software development.
It’s 100% online so you can access course material and study any time, anywhere, and on a variety of mobile devices. With six start dates a year to choose from, you can start when you choose and complete the programme within 2 years. There’s also the option of paying as you learn, and you may even be entitled to a UK government-backed postgraduate loan to cover the full cost of the course.