Cyber-security and the human element
2017 is the year cyber-security has become an area of interest for both the small and medium businesses and enterprises sector. An increase was noticed for business insider threats in 2016.
One of Verizon’s public studies stats that "55% of incidents from internal actors are due to privilege abuse". This means the wrong people have administrator credentials or have access to network privileges they should not have.
We can identify three types of employees that may risk a data breach.
Let’s begin with the compromised employee. This is the one that brings an infected device in the vicinity of sensitive data, be it on the Wi-Fi network or the wired network. Once that machine is admitted to the network, it becomes a channel for the attacker into the organization.
We also have the careless employee. The one that does things he is not supposed to be doing, during working hours, without malicious intent. Through his actions, trying to cut corners left and right, he may be putting the enterprise at risk. That is the reasons there are specific procedures in place to handle the sensitive data of the company.
Finally we have the malicious employee. The one that acts with the sole intent of harming the enterprise. He has an agenda, he may be paid to execute that agenda or he has personal reasons behind his actions. As a result he breaks all protocols in place in order to harm the company.
So for a company to stay protected, what are the outside-in aspects of security to focus on?
- Personal attacks on employees
Due to the fact that employees are very vulnerable against attacks, cyber-criminals use them as their preferred method of breaching into a company. It is very difficult for an enterprise to secure all the activity on social media (Facebook, LinkedIn, Twitter, Instagram, etc) especially with everyone going mobile. When it comes to IoE (internet of everything), even the harshest of rules are not enough to secure critical information. Let's look at the Snowden case. Snowden worked for a security contractor for the NSA, which has one of the highest security levels in the world, and still, information got through. That is why phishing emails are such an effective methods of penetrating an organization.
- Personal life versus work
A mix between work and personal life has always been the subject of debate, especially when it comes to IT security. Studies show most infections on a network happen during working hours, many affecting the mobile workforce, outside the protection of the company’s firewall. The misuse of company's resources or data is often the cause of many breaches, even if there is no specific malicious intent, other than ignorance and negligence.
- Increase in the number of vulnerabilities at the endpoint level
Many of us have more than one device we use in our day to day job. Some have a desktop as their main device, others may have a laptop while some prefer working on a table or a smartphone. The reality is, between the mixture of these devices and all the applications we use on a daily basis, securing information at enterprise level can become a very challenging task. New vulnerabilities are discovered every day in browsers and applications we use and trust. Many of these vulnerabilities are not yet known to the manufacturer and thus are called zero-day because there is no security patch to fix them. Even with religious patching, the danger is still real, as these patches have been perpetually done by the manufacturers and new ones are still being discovered.
Companies are slowly introducing IT security training for staff to mitigate the risks of a breach. Adding the right layers of protection at the endpoint level, in combination with best practices training, can dramatically reduce the risk of getting infected.
About the author:
Ioan Hipp is not a mathematical genius, he is not a world renowned expert or a prominent figure in the cybersecurity industry. He is just a passionate person on the new cyber world that our IoT is developing into, a storyteller and a contributor to a better society.