The frequency and complexity of high-profile cyber attacks indicate that cybercrime is a genuine and serious business risk.
Although organisations are implementing stringent security measures to defend networks from external attacks, many are unaware that an alarming portion of security risk is in fact internal.
Research from Cisco revealed that employee behaviour is the second-greatest source of risk to data security, with 52% of employees identifying it as such – second only to cybercrime at 60%.
Albeit victims themselves, users and IT teams are increasingly becoming unwitting players in cyber attacks, either through a lack of awareness or through actively circumventing controls at the individual level.
A key reason that employee behaviour impacts the effectiveness of an organisation’s threat defences is that online criminals are designing malware and unwanted applications that rely on tools that users trust.
Employee complacency is another overlooked risk factor, particularly when it comes to ensuring that the latest software versions and updates are installed.
Further Cisco research found that only 10% of those surveyed claimed to be running the latest version of Internet Explorer. An out-of-date browser leaves vulnerabilities that the vendor has already fixed, and publicly documented, open to exploitation, which is exactly what makes it an easy avenue for cybercriminals.
In light of the growing risk that employee behaviour poses to cyber security, organisations must address their internal processes. Furthermore, there is a widening divide between what employees expect and the attitudes of the IT department.
‘Although the majority believe in the necessity of security measures, 12% believe innovation is stifled by what they see as restrictive security policies,’ says Terry Greer-King, director of cyber security at Cisco UK, Ireland and Africa. ‘An additional 13% also believe security protocols inhibit their ability to get their jobs done to the point where 4% will even go so far as to actively circumvent their organisation’s security policies.’
In the large-scale breach at Target Corp in late 2013, it is understood that the attack began with a phishing email to a third-party vendor (an air conditioning subcontractor), whose access then provided the route into Target's environment. User education on handling suspicious emails may have stopped the attack at that first step.
An assessment by security experts at Verizon noted that while Target had a password policy, it was not followed: a file containing valid network credentials was found stored on several servers, weak or default passwords were in use on many internal systems, and many systems were reported to be unpatched.
‘This is something that a patch management policy should have covered – even after Target’s security systems warned of possible issues,’ says David Kennerley, senior manager for threat research at Webroot. ‘No credible incident response plan was in place, as a Target statement at the time highlighted that after the company learned criminals had entered the network the team decided it did not warrant immediate follow-up.’
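The Verizon findings above (valid credentials stored in files on servers, default passwords in use) describe checks that can be automated rather than left to policy. The script below is an added illustration, not the assessors' tooling or anything from Target: it scans a set of file contents for credential-looking key/value lines, grades each password against a default-password list and a simple strength rule, and reports the location without echoing the secret. The file names, contents and the default-password list are constructed for the example.

```python
"""Find plaintext credentials stored in files and flag default or weak
passwords. Added illustration, not tooling from the Verizon assessment or
from Target; file names, contents and the default-password list are
constructed for the example."""
import re
from dataclasses import dataclass

# Constructed sample of files found on a shared server (hypothetical).
SAMPLE_FILES = {
    "deploy/db.properties": "db.user=svc_pos\ndb.password=Password1\n",
    "ops/backup.sh": "#!/bin/sh\nexport BACKUP_PASS='changeme'\nrsync -a /data backup:/srv\n",
    "notes.txt": "nothing sensitive here\n",
    "app/settings.ini": "[ldap]\nbind_user=CORP\\ldapsync\nbind_pw=s7$Qk!2mLv9zWp@e\n",
}

# Vendor/default and trivially guessable passwords (constructed short list).
DEFAULT_PASSWORDS = {"password", "password1", "admin", "changeme", "123456", "welcome1"}

# Matches `key=value` / `key: value` at line start, optionally exported or quoted.
LINE_RE = re.compile(
    r"""^[ \t]*(?:export[ \t]+)?(?P<key>[\w.\-]+)[ \t]*[=:][ \t]*['"]?(?P<val>[^'"\s#]+)""",
    re.MULTILINE,
)
# Key names that usually hold a secret.
KEY_HINTS = ("pass", "pwd", "pw", "secret", "token")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str
    category: str   # "default", "weak" or "stored"
    masked: str     # the secret is never reported in full


def password_category(value: str) -> str:
    """'default' if on the known list, 'weak' if short or low-variety, else 'ok'."""
    if value.lower() in DEFAULT_PASSWORDS:
        return "default"
    classes = sum((
        any(c.islower() for c in value),
        any(c.isupper() for c in value),
        any(c.isdigit() for c in value),
        any(not c.isalnum() for c in value),
    ))
    if len(value) < 12 or classes < 3:
        return "weak"
    return "ok"


def mask(value: str) -> str:
    """Keep two characters so an operator can recognise the entry, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def scan_files(files: dict) -> list:
    """Return one Finding per credential-looking line, in file order."""
    findings = []
    for path, text in files.items():
        for m in LINE_RE.finditer(text):
            key = m.group("key")
            if not any(h in key.lower() for h in KEY_HINTS):
                continue
            value = m.group("val")
            cat = password_category(value)
            # A strong password sitting in a file is still a finding: anyone
            # who can read the file can read the credential.
            findings.append(Finding(path, text.count("\n", 0, m.start()) + 1, key,
                                    cat if cat != "ok" else "stored", mask(value)))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.key}={f.masked} [{f.category}]")
```

Run against a real file share the same loop would walk the directory tree instead of the constructed dictionary; the point of the `stored` category is that a well-chosen password does not make a plaintext credential file acceptable.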
Meanwhile, as many organisations focus on their network border, it is insider threats that pose the biggest risk to cyber security today. Recent research by Symantec found that 79% of corporate executives admitted to – intentionally or unintentionally – engaging in behaviours that wind up placing corporate data at significant risk of security breach.
Symantec identified two types of insider threat: malicious and non-malicious. The malicious insider is very determined to get what they want, and it’s quite hard for organisations to detect, especially early on.
But most threats are actually non-malicious and happen accidentally, usually when employees have been allowed to use personal devices when working remotely and haven’t been given the correct tools to do so safely.
‘Company data can be accidentally uploaded to cloud applications like Dropbox or personal Gmail accounts, which employees access on work devices without the organisation’s knowledge,’ says Sian John, EMEA chief strategist at Symantec. ‘This happens in even the largest technology companies – in fact, our research found that 51% of corporate executives emailed company documents from a personal email address.’
Not the only fix
Naturally, preventing the delivery of malicious content in the first place considerably reduces the risk of a breach, which is why companies see investing in systems that inspect network traffic and block malicious content as common sense.
Technology plays a key role in automating security processes, but it’s not the only fix. The biggest failing is people, but they’re actually the least invested in when you look at where the money goes. ‘We see a reasonable investment in process – people seem to understand generally that it’s important,’ says Steve Mulhearn, head of enhanced technologies UK&I at Fortinet. ‘But what we don’t see is organisations understanding the significance of training.
‘A three-pronged approach, combining technology with process and training, is key in any organisation’s approach to security. All the activity that is off net – where there is no process or technology to handle it – needs to be caught by training.’
But humans aren’t the only weak point in corporate security. One of the key methods used by cybercriminals to infiltrate a corporate network is exploiting unpatched vulnerabilities in an operating system or in the applications used within the company, which relies on businesses failing to apply patches that are already available.
Attackers focus their attention on applications that are widely used, since this provides a larger pool of potential victims – these include web browsers, Android OS, Java, Adobe Flash Player, Microsoft Office and Adobe Acrobat Reader.
Cybercriminals don’t just rely on the fact that people don’t always patch their computers. Sometimes they are able to identify vulnerabilities before an application vendor does so.
These are known as zero-day vulnerabilities, and they give cybercriminals the chance to run their malware on any computer where the vulnerable application is present, irrespective of whether the latest security updates have been installed. Patching cannot help until a fix exists, so exposure to zero-days is reduced by limiting the attack surface instead: removing plugins such as Flash and Java where they are not needed, running applications with least privilege, and sandboxing document readers and browsers.
‘Often, the exploitation of humans and vulnerabilities combine to compromise an organisation,’ says David Emm, principal security researcher at Kaspersky Lab. ‘The attackers then seek to extend their control to other computers by taking advantage of poor “housekeeping”. So it’s important for organisations not only to deal with the technical issues, but also to “patch” their human assets.
‘Unfortunately, the human factor in corporate security is often ignored or overlooked. To ensure this potential for a digital skills gap is resolved, it’s important that a security awareness programme is implemented as part of the company’s wider security strategy.’
Doing the right security thing
So how can CIOs and CISOs go about strengthening their strategy around people and process to ensure that cyber attacks aren’t successful?
There needs to be a shift in the mindset of all involved in security to recognise that technical vulnerabilities are important and need fixing, but people and the processes they run often present a bigger vulnerability.
One of the most powerful tools to help with this is red teaming or ethical hacking, where an organisation’s defences – in the form of people, processes and tools – are tested to the limit, and vulnerabilities exposed that can then be proactively fixed.
‘It’s important that this activity covers the whole spectrum from social engineering of people through to stress testing of processes and systems,’ says Luke Beeson, VP security UK and global banking and financial markets at BT. ‘What I think CIOs and CISOs should be focused on is making it easy for people to do the right thing. If processes are complicated, our natural inclination is to find simpler workarounds, which may introduce vulnerabilities into an organisation – so creating a simple path to follow that encourages people to operate within the security policies of an organisation should be a key priority.’
A problem also lies in the inability to handle socially engineered emails, which is rarely a high training priority in the majority of organisations.
Attackers are getting cleverer – they’re spending a lot of time and energy on tailoring emails that look the part, sending them at times they know employees are going to be busy, and targeting senior executives who typically have broad access to more sensitive information.
‘This is an easy, and often successful, way of planting malware inside corporate networks,’ says Mulhearn, ‘and the scary thing is 70% of malware is still delivered via email. Investing in basic security training for your employees can save you money and time, and help protect your reputation.’
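The tailored emails described above leave traces in their headers that can be scored before a user ever sees the message. The triage below is an added example, not Fortinet's or the article's own code, and applies four header-level heuristics: a sender domain that imitates the organisation's own, a display name carrying a trusted address while the real address is external, a Reply-To that diverts answers elsewhere, and pressure language in the subject. The trusted domain examplecorp.com, the signal weights and the four sample messages are constructed.

```python
"""Header-level triage for socially engineered email. Added illustration, not
code from Fortinet or the article; the trusted domain, the weights and the
sample messages are constructed (the domain names are placeholders)."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplecorp.com"}          # assumed: the organisation's own domain
URGENCY_TERMS = ("urgent", "immediately", "wire", "payment", "invoice", "action required")

# Visually similar substitutions commonly used in lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold(domain: str) -> str:
    """Collapse confusable characters so lookalikes compare equal to the original."""
    d = domain.lower()
    for a, b in CONFUSABLES:
        d = d.replace(a, b)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates a trusted one without being it."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(fold(domain) == fold(t) or edit_distance(domain, t) == 1
               for t in TRUSTED_DOMAINS)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message and return score, verdict and reasons."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []
    # 1. Display name carries an address at a trusted domain, sender address does not.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() in TRUSTED_DOMAINS and from_dom not in TRUSTED_DOMAINS:
        reasons.append(("display-name spoofs trusted address", 3))
    # 2. Sender domain is a lookalike of a trusted domain.
    if is_lookalike(from_dom):
        reasons.append((f"lookalike sender domain {from_dom}", 3))
    # 3. Replies are diverted to a different domain.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append((f"reply-to domain {reply_dom} differs from sender", 1))
    # 4. Pressure or payment language in the subject.
    subject = msg.get("Subject", "").lower()
    if any(t in subject for t in URGENCY_TERMS):
        reasons.append(("urgency/payment language in subject", 1))
    score = sum(w for _, w in reasons)
    verdict = "quarantine" if score >= 3 else "review" if score else "clean"
    return {"score": score, "verdict": verdict, "reasons": [r for r, _ in reasons]}


# Constructed sample messages; only the headers matter to the triage.
SAMPLES = {
    "lookalike_ceo": (
        'From: "Jane Doe, CEO" <jane.doe@examp1ecorp.com>\n'
        "To: bob@examplecorp.com\n"
        "Subject: Urgent wire transfer before 5pm\n\n"
        "Bob, I need this done now.\n"
    ),
    "display_spoof": (
        'From: "jane.doe@examplecorp.com" <acct7781@mail-example.net>\n'
        "Reply-To: payments@another-mailer.example\n"
        "Subject: Invoice attached\n\n"
        "Please see attached.\n"
    ),
    "internal": "From: Alice <alice@examplecorp.com>\nSubject: Lunch on Friday?\n\nSame place?\n",
    "newsletter": (
        "From: Vendor News <news@vendor-example.com>\n"
        "Reply-To: bounce@mailer-example.com\n"
        "Subject: Monthly product update\n\n"
        "...\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The newsletter case is included deliberately: a Reply-To mismatch on its own is common in legitimate bulk mail, so it only earns a "review" rather than a "quarantine", while the two impersonation signals carry enough weight by themselves to quarantine the message.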
Education for all
To properly minimise the chance of a cyber attack, the entire organisation needs to be educated – not just specific people. It is vital that organisations have executive buy-in – otherwise it becomes very difficult to make security part of the company culture.
It’s also essential that such a programme harnesses the skills of those beyond just the IT department. And with the popularity of BYOD showing no signs of slowing down, organisations must make staff policies work for them.
‘By effectively designing and managing a BYOD network, businesses can simplify their IT operations and ensure data is secure while providing greater flexibility for employees,’ says Emm. ‘Securing a corporate network is now more challenging than ever before. Employees are typically “always-on”, using different devices in a wide range of locations – so it’s no longer sufficient to defend the perimeter.’
This changing business environment makes it imperative that organisations ensure that employees understand the ways in which their actions can jeopardise the security of the company. This means delivering key security tips in a way that staff can understand and easily digest.
CIOs need to talk about securing people rather than devices, says Gary Newe, technical director at F5 Networks. ‘It’s not something new, but we are almost at the point where the majority of enterprises will stop trying to secure their devices, and start focusing on securing identities,’ he says. ‘BYOD continues to be prevalent, and security policies need to move away from being tied to the device, to being tied to the combination of the user, the application and the data being accessed.’
Employee involvement is crucial for the success of any organisation’s security strategy. Creating a security task force whose members rotate so that each employee has eventually been part of the task force is a great way to get everyone involved.
No company, organisation or country is safe when it comes to cyber attacks.