Are humans still the weak link in the Cyber Security chain?
I think the answer has got to be a resounding yes.
There will always be black swans and sheep that roll across the cattle grid to freedom and suicidal kangaroos that continue to be killed on the roads in Australia. In any type of environment users will be ingenious and sidestep governance and red-tape to get the job done, and there will always be users that despite how much you tell them not to, will commit suicide by uploading the secret sauce to the Web.
According to the Ponemon Institute the biggest threat to endpoint security is still negligent or careless employees who do not follow security policies and the explosion of Cloud services has not helped this; 77% of security professionals said that departments use Cloud services without the involvement of IT and 83% use free, unsanctioned cloud storage apps like Dropbox and Google Drive. Motherboard reported that in 2016 a staggering number of 70 million stolen Dropbox passwords were circulating online!
There is simply no getting away from the fact that cyber criminals are becoming smarter and human behaviours continue to be predictable and transparent to the skilled eye, particularly when we are busy! Of course, it does help to put processes and training programs in place to try make your staff vigilant and mitigate security risks. Below are the recommendations made by the Government in their Cyber Security Breaches Survey 2017 and the percentage of businesses that they discovered are taking action in these areas.
Proportion of businesses undertaking action in each of the ten steps:
- Information risk management regime – formal cyber security policies or other documentation and the board are kept updated on actions taken 39%
- Secure configuration – organisation applies software updates when they are available 92%
- Network security – firewalls with appropriate configuration 89%
- Managing user privileges – restricting IT admin and access rights to specific users 79%
- User education and awareness – staff training at induction/on a regular basis, or formal policy covers what staff are permitted to do on the organisation’s IT devices 30%
- Incident management – formal incident management plan in place 11%
- Malware protection – up-to-date malware protection in place 90%
- Monitoring – monitoring of user activity or regular health checks to identify cyber risks 56%
- Removable media controls – policy covers what can be stored on removable devices 22%
- Home and mobile working – policy covers remote or mobile working 23%
However, despite this heightened awareness and tightening of procedures by businesses, the government survey shows that there is still a higher number of breaches among those that are taking action to protect themselves.
This begs the questions, could it be that the security market is too focused on historical types and vectors of attack with little to no attention given to real-time tracking and visibility?
It’s time to acknowledge that the market has moved on
Cyber security needs to be ‘as’ progressive, if not more advanced, than its adversaries. We need to understand people and their behaviour – where they log on, the places they visit on the Internet, the usual times they work remotely or how often they use their own device for work. By gaining a contextual, 360-degree view of users’ activities we will be able to rapidly highlight any anomalies.
Point Product & Alert Overload
How are we overcoming the human problem with automation and adaptive intelligence?
Security threats are constantly evolving and therefore leadership responses to human security vulnerabilities must likewise exist in a context of constant evolution. Resistance to change, closer individual scrutiny and human curiosity are inherent obstacles to rolling cyber security improvements – but they are obstacles that must be overcome to ensure the ongoing integrity of the organisation’s security strategy.