The human factor: top tips to strengthen the weakest link in the information security chain

Spear phishing attacks are unequivocally the weapon of choice for hackers today. Just take a look at some of their recent victims: The White House (hit twice), Sony, JPMorgan Chase, Target and RSA lead the list, but it goes on and on. In fact, according to Trend Micro, 91% of cyber attacks occur when malware is delivered by email, links or downloads (i.e. spear phishing), which encourages hackers to deploy spear phishing attacks time and again.

Spear phishing is so successful because, unlike broad phishing attacks, it strategically targets specific individuals with the intention of compromising an entire organisation or country. And although data security technology is doing a great job, it can only do so much.

At the end of the day, if the human resources department receives an email with a CV attachment, it’s no surprise that someone will open it. Thus, the primary challenge in managing spear phishing attacks is the human factor, a key link in the information security chain that must be addressed.


While an employee clicking on a file or link is essentially the catalyst for every major data breach in recent news, discussions of spear phishing have focused little on the human factor. When it comes to protecting a company’s information security, the onus should be on the parties most involved in preventing the next major organisational breach: the employer and the employee.

The employer

When it comes to education and awareness, employers aren’t doing as much as they should be right now. Although cyber attacks can never be entirely prevented, education and awareness will go a long way towards mitigating future attacks. This educational component starts with teaching employees about the risks of sharing personal information on social networks, how to recognise a targeted attack, and what the protocol is when an employee does in fact recognise a targeted email.

According to the Pew Research Center, only one in four employed adults say their employer has rules or guidelines about how they present themselves digitally.

Today, in a digitally saturated age where people’s lives and personal information are publicly paraded and there for the taking, hackers can easily glean information and craft personalised, seemingly legitimate emails to breach the next big enterprise.

In fact, in a recent survey sponsored by Blue Coat Systems, 54% of those surveyed said they connect with strangers on social media and 56% stated they hadn’t set up privacy controls, emphasising the dire need to enforce some sort of framework for information security standards in organisations.

Furthermore, a YouGov survey of UK workers released last week found that one in five workers has never attended an IT security meeting, and that a mere 6% of UK employees reported receiving training and guidance on what to look out for, or on the telltale signs of a phishing attack.

The employee

Even when those few companies do run educational seminars for their employees about targeted attacks, specially crafted spear phishing campaigns are becoming harder than ever to identify. Hackers base these emails on personal information garnered mostly from social media networks, making the emails look entirely genuine to their recipients.

Hackers are ultimately counting on employees to open the link or attachment, and with good reason: McAfee test results reveal that 80% of employees are lured into opening at least one out of seven spear phishing email messages.

To help companies prevent the next major breach of their systems, here are several tips that we think would go a long way towards helping them avoid the same fate as some of the well-known institutions mentioned at the beginning of this article:


While technology can help reduce some data breaches, attacks remain an inevitable and unfortunate reality. Not only should more organisations run educational seminars and create rules and guidelines for employees on password/privacy settings and social media, but they should also discuss how to identify targeted attacks.

Even though spear phishing emails are very well personalised, certain aspects of the email may still seem 'phishy'. Although we have a long way to go before cyber attacks are eliminated entirely, we must learn how to manage the risk.


Companies should keep up to date on the latest data security technologies on the market, and particularly look for those that can effectively reduce exposure to the human factor while maintaining the company’s productivity level.


According to Gartner, 'Traditional malware protection proves increasingly unsuccessful to protect against some of the latest threats.' An effective cyber security countermeasure can save a company precious time and money.

Creating awareness

Enterprises are more susceptible to targeted attacks today than ever, yet ask most employees at any large organisation and they will either never have heard of targeted attacks or have no idea what the term means. Employers should create awareness within the organisation by providing frequent educational seminars and staying well informed of the latest cyber security news. When it comes to spear phishing, knowledge is power.

Sourced from Itay Glick, CEO of Votiro

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...