Cyber attacks disrupt businesses on an almost daily basis – around a third (32%) of businesses have reported having cyber security breaches or attacks in the last 12 months – and they are becoming ever more sophisticated. But while cyber security breaches are often attributed to organised crime, all too often it is the people within an organisation that unwittingly pose the greatest security risk, with research showing that self-reported data breaches are seven times more likely to be caused by human error than by hackers.
How criminals use human error in cyber attacks
Many human error-related cyber attacks rely on social engineering, spear-phishing, and other email and internet-based exploits. With phishing in particular, attacks are becoming more convincing in both mimicking the language and representation of real messages, couched in what look like true communications from trusted brands or even colleagues. According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, the number of phishing attacks detected in the first quarter of 2018 was up 46% from the last quarter of 2017.
However, phishing and social engineering are far from the only source of human error-related data breaches. Bring Your Own Device (BYOD) policies – where employees use their own personal mobiles or laptops in the office or when working remotely – invite a whole range of security issues. Malicious or rogue apps being installed on the device, data loss or even physical theft can all give criminals access to a whole host of data and information. BYOD policies can put employees literally one click away from unwittingly exposing their organisation to risk.
A collaborative approach is vital
With the risk of a cyber attack now being classed as the top threat to organisations, it’s clear that current approaches to training and raising awareness need to be re-thought. While the most common approach to security has been to focus on raising awareness of how attackers operate among employees at all levels, such simulations rarely keep pace with the sophistication of genuine cyber threats, and they also often apportion blame and undermine trust. Instead, the right balance should be struck between policy and engagement, to foster collaboration. Those responsible for training in such matters need extensive knowledge of working practices in order to identify weaknesses and introduce policies and procedures that enable rather than hinder work.
Create an accessible cyber security plan
Expecting all employees to become security experts and avoid every threat is unrealistic. Instead, the aim should be to help them spot the common features of deception and establish a culture where users feel able to ask for guidance when something feels suspicious or unusual.
With IT department heads struggling to get their employees to respond to notifications of a vulnerability or attack and take appropriate action, teams need to find immediate ways to alert staff to potential threats. Apps such as Workplace (Facebook’s enterprise connectivity platform), which cut through the noise of emails and uninspiring intranets and enable security awareness messages to be shared quickly, might therefore be a better solution.
Consider ways to make it easier for employees
When it comes to password security, it is unrealistic to expect staff to remember increasingly complicated passwords. In fact, research shows that users are likely to write down trickier passwords, undermining their strength. Instead, organisations should take steps like reminding people what the password structure is before they try to enter it, or letting them look it up instead of only telling them at reset. They could use approaches which let staff set complex but memorable passwords, or two-factor authentication or alternatives to passwords to make authentication easier. It is also vital that everyone who needs digital services to fulfil their role can get easy access to them, so they don’t resort to sharing passwords with other people to ‘get the job done’.
Security policies developed in isolation are often misaligned with real, shop floor working practices. By making collaboration the norm and using appropriate policies and controls to remove opportunities for humans to do ‘silly’ things, organisations can identify security issues more easily and develop policies that take account of the real ways people work.
Do you want to make your mark on the future of cyber security? Designed specifically for ambitious professionals, the University of York’s Computer Science with Cyber Security MSc enables you to earn a Master’s degree without putting your current career on hold. The course covers topics such as security risk analysis and network and operating system security, as well as broader computer science topics such as software development.
It’s 100% online so you can access course material and study any time, anywhere, and on a variety of mobile devices. With six start dates a year to choose from, you can start when you choose and complete the programme within 2 years. There’s also the option of paying as you learn, and you may even be entitled to a UK government-backed postgraduate loan to cover the full cost of the course.