Information security awareness – Are the people failing the process or is the process failing the people?
Broadly speaking, information security rests on three pillars: people, process and technology. As threats to our information security (and cyber-related threats in particular) continue to emerge and evolve, we constantly look to technological solutions to combat them, e.g. firewalls, encryption, antivirus, intrusion detection systems and so on. However, it is important not to overlook the other two components of the triad: people and processes. It is widely argued that humans (i.e. you and me!) are the weakest link in information security. There can be no disputing the fallibility of Homo sapiens, and until the robots eventually take over that will always be the case.
Let us just look at the threats that we insiders bring to our organisation’s information security. How many of these scenarios do you recognise?
- The new staff member who is not aware of company policies
- The guy in Finance who has been here 20 years but hasn’t sat a security course since he first arrived, isn’t aware of the latest cyber threats and thinks phishing is a new form of angling
- The disgruntled employee (could be past or present) who is seeking some form of retribution
- The stressed executive under pressure who is looking to shortcut procedures or doesn’t check the recipients of an email before pressing the send button
- The IT administrator getting a little complacent, or under pressure to get a task done quickly
Each one of the above scenarios could lead to a breach of security. Whilst human fallibility plays a part, it can be argued that the biggest failing is on the part of the organisation, for not having implemented the appropriate controls and processes to minimise (yes, minimise, not eliminate!) the chance of a breach arising from these scenarios. That is where training comes in.
In this article, our aim is to discuss the need for effective and ongoing security awareness training to alert, educate and empower our staff to protect the precious data that they are processing on a day-to-day basis. We will also explore some recent and common information breaches and threats, and assess what role information security training could have played in addressing the breaches/threats.
First, though, let's take a look at the latest survey findings. A Help Net Security article from February 2019 reported malware/ransomware as the main information security risk for 2019, placed accidental disclosure of information by a member of staff in third position with 40% of the vote, and had phishing and spear-phishing close behind at 39%. https://www.helpnetsecurity.com/2019/02/25/accidental-data-breaches/
These findings clearly demonstrate how users sit at the heart of information security breaches, whether as a result of being targeted by criminals or simply by making a mistake. Raising awareness of information security threats and educating staff about their responsibilities is imperative. The rise of malware attacks also supports the need to ensure that staff do not compromise themselves and, in turn, their organisations.
Let's look at three common 'insider' security threats.
Compromised administrator accounts
A compromise can happen to the best of us, even the most vigilant of IT administrators. Social engineering attacks, in their many guises (phishing, spear phishing, etc.), are seen as one of the most common and effective ways of bypassing security controls. The damage caused by the compromise of an administrator account was most recently seen in the case of Norsk Hydro. Its systems were brought to a halt by a new strain of ransomware known as LockerGoga. It appears this was deployed manually onto Hydro's systems using a compromised administrator account. It is also not uncommon to see a single administrator account set up and shared by a whole team of administrators.
Reaffirming users' information security responsibilities would remind them that sharing passwords is not permitted. Of course, there are plenty of technical controls you can implement around administrator accounts to protect them, such as multi-factor authentication, password strength and rotation requirements, account monitoring and so on. Fundamentally, however, human action can still undermine all of these controls, whether accidentally, through lack of awareness of an organisation's policies, or maliciously by an external third party, for example an account compromised through a targeted phishing attack on its owner. Both scenarios are examples of where risk can be minimised through an effective information security awareness training programme.
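The account monitoring mentioned above can catch both problems described here, a shared administrator login and privileged logons that skip MFA, from ordinary authentication events. The following is an added example, not code from the original article or from Hydro; the event format, the naming convention for privileged accounts and the 30-minute window are assumptions, and the sample events are constructed.

```python
"""
Added example: two checks over authentication events.

1. shared_account_candidates(): a privileged account that logs in successfully
   from several distinct source addresses within a short window is a strong
   sign that the credential is shared by a team rather than used by one person.
2. privileged_logons_without_mfa(): successful privileged logons where the
   MFA flag is not set, i.e. the control the text recommends is not in force.

Field names, the '.adm' / '-admin' naming convention and the sample events are
all assumptions made for this example; map them onto your own SIEM schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source_ip, mfa_used, result).
SAMPLE_EVENTS = [
    ("2019-03-19T08:01:10", "svc-admin", "10.0.5.21",  False, "success"),
    ("2019-03-19T08:03:42", "svc-admin", "10.0.7.88",  False, "success"),
    ("2019-03-19T08:05:15", "svc-admin", "192.0.2.45", False, "success"),
    ("2019-03-19T08:10:00", "alice.adm", "10.0.5.30",  True,  "success"),
    ("2019-03-19T09:40:00", "alice.adm", "10.0.5.30",  True,  "success"),
    ("2019-03-19T11:15:22", "bob.adm",   "10.0.9.12",  False, "success"),
    ("2019-03-19T11:16:02", "carol",     "10.0.9.40",  False, "failure"),
]

PRIVILEGED_SUFFIXES = (".adm", "-admin")   # assumed naming convention


def is_privileged(user):
    """Assumed convention: admin accounts end in '.adm' or '-admin'."""
    return user.endswith(PRIVILEGED_SUFFIXES)


def parse_events(rows):
    """Turn the constructed tuples into dicts with a real datetime."""
    return [
        {"ts": datetime.fromisoformat(ts), "user": u, "ip": ip, "mfa": mfa, "result": r}
        for ts, u, ip, mfa, r in rows
    ]


def shared_account_candidates(events, window=timedelta(minutes=30), min_sources=2):
    """Return {user: sorted list of IPs} for privileged accounts that logged in
    successfully from at least min_sources distinct addresses inside one
    sliding window. A team sharing one admin login from their own workstations
    produces exactly this pattern; a single legitimate admin rarely does."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and is_privileged(e["user"]):
            by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ips = {e["ip"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) >= min_sources:
                flagged[user] = sorted(ips)
                break
    return flagged


def privileged_logons_without_mfa(events):
    """Successful privileged logons where MFA was not used, as (user, ip)."""
    return [
        (e["user"], e["ip"])
        for e in events
        if e["result"] == "success" and is_privileged(e["user"]) and not e["mfa"]
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("possible shared admin accounts:", shared_account_candidates(evs))
    print("privileged logons without MFA:", privileged_logons_without_mfa(evs))
```

On the constructed events, svc-admin is flagged as a likely shared account (three addresses in four minutes) and four privileged logons are reported as lacking MFA; alice.adm, who always logs in with MFA from one workstation, triggers nothing. The same logic applies to VPN, cloud console or domain controller logs once the field names are mapped.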
Human error
A significant number of information security breaches are caused by human error. Breaches caused by an email being sent to the wrong recipient are likely to be a daily occurrence in most organisations.
All organisations, regardless of industry sector, process personal information in their role as employers: names, addresses, national insurance numbers, medical conditions and so on. Responsibility for protecting this information lies with the organisation, but it depends on the diligence of individuals in treating personal information as they would their own: how would they feel if their privacy were breached? Kent County Council suffered an accidental disclosure of information about adoptive parents when the wrong address was entered into the carbon copy (CC) field of an email. https://www.bbc.co.uk/news/uk-england-kent-47390022
This type of error occurs countless times, and the likelihood of it happening, together with its consequences for both employees and organisations, should be reiterated to members of staff through security awareness training.
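Training reduces the rate of misaddressed email, but a pre-send check in the mail client or gateway can catch the specific failure in the Kent case, an outside address landing in the CC field of a message about personal data. The following is an added example and not code from the article, Kent County Council or any mail product; the internal domain, the personal-data patterns, the Cc size threshold and the sample message are all constructed assumptions.

```python
"""
Added example: a pre-send check for misaddressed email.

It warns when (a) the Cc list is long enough that Bcc should have been used,
(b) an external address sits in Cc on a message otherwise addressed
internally, which is the Kent County Council pattern, and (c) the body looks
like personal data and any visible recipient is outside the organisation.
All thresholds, domains and patterns are assumptions for this example.
"""
import re
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.gov.uk"}   # assumed: the organisation's own domains
BULK_THRESHOLD = 5                      # assumed: Cc lists this long belong in Bcc

# Crude indicators that a message carries personal data; tune for your data types.
PERSONAL_DATA_PATTERNS = [
    re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),          # UK National Insurance number
    re.compile(r"\b(adoption|medical|diagnosis|disciplinary)\b", re.I),
]

# Constructed sample message: an internal note with one outside address in Cc.
SAMPLE_MESSAGE = {
    "to": "Adoption Team <adoption.team@example.gov.uk>",
    "cc": "placements@example.gov.uk, j.smith@example.org",
    "bcc": "",
    "body": "Please see the attached panel notes on the adoption application "
            "for the family at 12 High Street.",
}


def _addresses(header):
    """Parse a To/Cc/Bcc header into lower-cased bare addresses."""
    return [addr.lower() for _, addr in getaddresses([header or ""]) if addr]


def _is_internal(addr):
    return addr.rsplit("@", 1)[-1] in INTERNAL_DOMAINS


def check_outbound(message):
    """Return a list of warnings for a dict with 'to', 'cc', 'bcc' and 'body'.
    An empty list means nothing looked wrong."""
    to = _addresses(message.get("to"))
    cc = _addresses(message.get("cc"))
    body = message.get("body", "")
    warnings = []

    external_cc = [a for a in cc if not _is_internal(a)]
    external_visible = [a for a in to + cc if not _is_internal(a)]
    looks_personal = any(p.search(body) for p in PERSONAL_DATA_PATTERNS)

    if len(cc) >= BULK_THRESHOLD:
        warnings.append(f"{len(cc)} addresses in Cc: use Bcc so recipients cannot see each other")
    if external_cc and to and all(_is_internal(a) for a in to):
        warnings.append("external address in Cc on an internally addressed message; "
                        "confirm it is intended: " + ", ".join(external_cc))
    if looks_personal and external_visible:
        warnings.append("body appears to contain personal data and is leaving the "
                        "organisation: " + ", ".join(external_visible))
    return warnings


if __name__ == "__main__":
    for w in check_outbound(SAMPLE_MESSAGE):
        print("WARNING:", w)
```

On the constructed message the check raises two warnings (an outside address in Cc, and personal-data wording leaving the organisation); a purely internal lunch invitation raises none. A hook like this does not replace training, but it turns the "check the recipients before pressing send" message into a prompt at exactly the moment it matters.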
The trend for accidental breaches has only increased in recent years with the rise of alternative ways to communicate data. How many times have you heard people blame their smartphone after replying to an email while commuting? Instant messaging represents another big risk, as this form of communication often sits outside the security perimeter set by an organisation. Users need to be made aware that an organisation's information is only to be shared using approved communication methods, a staple message in most security awareness training courses.
Incorrect storage or disposal of information, be it physical or electronic, is another significant source of security breaches and organisations need to ensure they have clear processes in place, backed up by comprehensive awareness training.
Scams and fraud
The possibility of employees, at all levels, being tricked into giving up information (or money) is on the rise and shows no signs of slowing down. Most recently, both Google and Facebook (yes, it happens to everyone) were targeted by an individual who pleaded guilty to tricking their employees into sending him over $100 million by posing as a hardware supplier. https://www.tripwire.com/state-of-security/featured/google-and-facebook-scammed-out-of-123-million-by-man-posing-as-hardware-vendor/
This type of incident is increasingly common. Whilst scams are getting more sophisticated, there are still a number of tell-tale signs that users can look for. An effective security awareness programme can greatly improve the vigilance of staff. As the old mantra says, if something looks too good to be true, it generally is.
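The tell-tale signs that awareness training teaches for supplier-impersonation fraud of the kind above are mechanical enough to check automatically as well: a sender domain that is one or two characters away from a known supplier's, a Reply-To pointing somewhere other than the From domain, a request to change bank details, and pressure to act quickly. The following is an added example, not code from the article or from the Google/Facebook case; the known supplier domain, the keyword lists and both sample messages are constructed assumptions.

```python
"""
Added example: scoring an inbound invoice email for common business email
compromise (BEC) tell-tale signs. The score is simply the number of signs
present; anything above zero deserves a phone call to the supplier on a
number you already hold, never one taken from the email itself.
Supplier domain, keyword patterns and sample messages are assumptions.
"""
import re
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                               # assumed
KNOWN_SUPPLIER_DOMAINS = {"quanta-hardware.example"}      # assumed vendor list

URGENCY = re.compile(r"\b(urgent|immediately|today|before close of business|asap)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new bank|updated? (bank|account) details|change of (bank|account)|wire|remit)\b", re.I)

# Constructed sample: lookalike domain, foreign Reply-To, bank change, urgency.
SUSPICIOUS_MESSAGE = {
    "from": "Accounts <invoices@quanta-hardwear.example>",
    "reply_to": "ap-quanta@mail.example.net",
    "subject": "URGENT: updated bank details for invoice 4471",
    "body": "Please remit payment for the attached invoice to our new bank account today.",
}

# Constructed sample: the same supplier's ordinary invoice email.
BENIGN_MESSAGE = {
    "from": "invoices@quanta-hardware.example",
    "reply_to": "",
    "subject": "Invoice 4471",
    "body": "Please find attached invoice 4471, due in 30 days.",
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two edits from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known, max_distance=2):
    """Return the known domain this one imitates, or None if it is identical
    to, or not close to, any of them."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= max_distance:
            return k
    return None


def _domain(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if addr else ""


def assess(msg):
    """Return (score, reasons) for a dict with from, reply_to, subject, body."""
    reasons = []
    from_domain = _domain(msg.get("from"))
    reply_domain = _domain(msg.get("reply_to")) or from_domain

    target = lookalike_of(from_domain, KNOWN_SUPPLIER_DOMAINS | {OWN_DOMAIN})
    if target:
        reasons.append(f"sender domain {from_domain} looks like {target}")
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    if PAYMENT_CHANGE.search(text):
        reasons.append("asks to change or redirect payment details")
    if URGENCY.search(text):
        reasons.append("uses urgency language")
    return len(reasons), reasons


if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        score, reasons = assess(m)
        print(f"{label}: score {score}", *reasons, sep="\n  ")
```

On the constructed messages the fraudulent one scores 4 (all four signs) and the genuine invoice scores 0. The check is deliberately crude: its value is that it lists, in plain words, the same signs that staff are taught to look for, so a flagged message arrives with its reasons attached rather than as an opaque block.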