There are many different ways an organization could be exposed to a cyber breach, but few are so common as the human factor. People make mistakes and they can also be tricked, and that unfortunately means that a company’s people can often be its biggest security weak point.
In this article, we’re going to explore the issue of human error in cyber security – the scale of the issue, how it’s grown, how it keeps happening. But, it’s not all doom and gloom. Scroll down and we’ll also talk about one of the best defenses you can deploy against this problem: spoiler alert, it’s not cyber awareness training (although that’s important too), but better identity and access management.
The scope of human error in cyber security
Attackers know that they can target a company’s employees with all kinds of strategies: phishing, credential harvesting, even long-term, deliberate social engineering. Human error, as far as we’re referring to it today, can mean any human-related problem, from making an innocent mistake all the way to being psychologically manipulated.
Learn more: “The most common cyber attack vectors of 2021”
These facts show just how startlingly common the problem is:
- Phishing was the leading cyber attack vector in 2021, according to the Identity Theft Resource Center’s 2021 Data Breach Report.
- The FBI found phishing to be the most common cyber crime in the US.
- 40% of EU citizens using Kaspersky suffered at least one phishing attack in 2020/21.
- Personal credentials are the most sought-after data type for hacker groups, as they are the fastest to compromise, says Verizon.
But how are cyber criminals so successful at this?
People-targeting tricks are so common, and sometimes so complex or realistic, that they can be quite hard to stop. Either there are too many attacks to prevent them all, or they’re so sophisticated that they go completely unnoticed.
We often think of email spam (Nigerian princes come to mind) as an example of phishing. But, while this type of spam is certainly still common, it’s only the tip of the iceberg of what actually goes on.
Examples of more complex people-targeting cyber attacks
- Fake websites: The German BSI noted that cyber attackers in 2021 were building entire fake websites to exploit COVID-19 panic. These websites purported to offer economic support for organizations suffering from the pandemic, but were actually sources of credential harvesting activities and malware.
- Social engineering: Advanced persistent threat (APT) groups like Deep Panda have been known to set up fake profiles on social media or business networking sites, pretending to be real people in order to seem genuine. They will then, sometimes over a very long period of time, network with target individuals, converse, and build trust, eventually sharing links to spoofed websites and malware. It’s also not uncommon for attackers to pose as journalists on those same social media sites.
- Compromised websites: Fake websites can often be detected and blocked, which attackers know. Some of the more successful groups instead work to compromise genuine websites, that is, gaining admin access to a real business’s website in order to host malware on their servers. Victims don’t notice they are browsing malware, because the website is genuine. They weren’t tricked. They didn’t go to a fake site.
- Compromised accounts: A final example is the compromising of genuine accounts and devices so that they can be used by an attacker. Cyber criminals gain access to someone’s email account or smartphone device, then send direct messages, SMS texts or emails to their contacts pretending to be the victim. The recipient thinks it’s a message from someone they trust, but it actually contains a link to malware.
In fact, some of these examples are so common they have acquired their own names – smishing, for instance, plus watering hole attacks and business email compromise (BEC).
If it’s this common, why does it keep happening?
There are many reasons why cyber attackers are so successful at targeting people, but three are particularly common:
1. Low cyber awareness
The problem: Low levels of cyber training and awareness among company employees. What may seem simple to someone well-versed in IT can utterly flummox someone who has no idea.
What it means for businesses: When people don’t know what they don’t know, they can’t protect themselves. Downloading an email attachment, going to a suspicious website, installing dodgy smartphone apps, plugging an unclean USB device into company servers – knowing how to spot these issues and avoid them requires a degree of technical expertise that many people simply don’t have. It’s not simply a matter of common sense – it’s a matter of training.
The other side is that some people have received such training in the past, but now it’s vastly out of date. Perhaps they know to avoid email spam and dodgy websites, but don’t know how someone might trick them on social media, or spoof an app to get into their smartphone.
2. Malicious insiders
The problem: Individuals already inside the company who cannot be trusted. We want to trust our employees, but the sad truth is that we can’t always. Whether someone joined with malicious intent in the first place, grew disgruntled during their tenure, or became radicalized by other means, either way they have insider access and intent to harm.
What it means for businesses: If someone gains the intent to harm while already working for your company, they will use their employee access to steal data or perhaps destroy it. They may be working alone, or for someone else.
Because they have access permissions to the system, their malicious activity could go totally undetected.
3. Lost or stolen device
The problem: An attacker has compromised someone’s device and now has complete access to it. Physically stealing someone’s device is an easy way to gain access, particularly with tablets and personal laptops, which aren’t always password protected.
What it means for businesses: This has a similar impact to a malicious insider. The device itself is the ‘insider’; the employee has been accessing company systems via the device and may have saved passwords in order to avoid logging in every time. Unless the employee takes the necessary steps to have that device’s access revoked, the attacker’s activities may go undetected, as it will appear to the system that it is the employee who is accessing it.
In each of these cases, the business was unprepared to deal with the threats to its people. But, you don’t have to solve each of these common problems individually – there’s no such thing as 100% security, and new threats will continue to evolve. So what can you do instead?
The solution: Get a grip on identity and access management (IAM)
What is IAM?
IAM is the process of ensuring the right people/devices have access to the right information, at the right time (and only the right time) on your company network and applications. Should the time, the information, the people or the device change, so too does the access level.
It is an umbrella term for a variety of security processes which are all to do with assigning access to a system. A lot of these processes you will have heard of already, and likely use in daily life without realizing. We’ve included some examples below.
But isn’t restricting access annoying, and harsh?
It might sound harsh, and we understand it may conjure images of early-2010s IT systems where gaining access to even simple documents was a chore that required sending emails to two or three different people and waiting for a week.
But modern IAM balances security best practices with the needs of a company’s employees to ensure that when someone should have access to a file, they do. If they shouldn’t, or they no longer need access, then they don’t. It also makes it easier for administrators to control that access in a simple and modern manner.
Why does IAM work?
We can explain this with a common example. For a lot of companies, access to the shared cloud storage system is as simple as giving someone a password and letting them sign in. Maybe there are restrictions on certain files and folders, but most employees can generally access most data. It’s fast, it’s simple, and it seems inexpensive.
Here’s where the problem starts
The issue with this simplicity (despite its apparent convenience) is that if a cyber attacker gets their hands on someone’s credentials – and they will – then they gain access to the entire network, or the bulk of it. All of your documents, all of your data. They don’t have to do anything else, and they have free rein to steal, delete, modify, or just spy.
Because the employee had this ease of access, so too did the attacker.
Here’s the alternative
A smart IAM policy is an extra layer of protection that a cyber attacker has to get through to steal your data. It restricts what they can access, and may even prevent it entirely.
But is IAM a lot to manage?
It doesn’t have to be. There are a wide variety of tools available nowadays that help make good IAM practices much faster and easier to administrate. These tools can help assign or revoke access, adjust access based on changing needs, highlight and protect privileged accounts, and control everything from a centralized, modern dashboard.
Much like how many other tools in modern business are being centralized and made easier to use (like accounting, inventory management, customer relationship management, to name a few) IAM has also had the modern-day technology treatment.
What are common examples of effective IAM tactics?
1. Password management
It’s been common security practice since the dawn of passwords, and it’s still great advice – a good password genuinely makes an account more secure.
To put it into numbers, Hive Systems found that hackers could brute force a password of fewer than 8 characters (with no symbols or numbers) instantly. However, if the password were increased to 13 characters and included upper and lower case letters (but no numbers or symbols), it would take them 16,000 years.
Good password best practice
- Unique password for every account inside and outside of work.
- Minimum of 8 characters, using upper and lower case, symbols and numbers.
- Don’t use personal information.
- Change passwords regularly.
- Never share your password.
- Always click ‘never’ if a browser or system wants to remember your password.
2. Multi-factor authentication (MFA)
Multi-factor authentication is a type of electronic authentication that requires a user to provide more than one piece of evidence before they are allowed in. That is, a password and something else – facial ID, email code, SMS code, identifying questions, fingerprint scans, and so on.
As you’ll see in our graphic above, this type of authentication is extremely powerful – yet so simple. If an attacker compromises someone’s password, say, by credential harvesting activities, they still can’t gain access to your company’s system because they don’t always have that person’s email account, or smartphone (or face).
3. Joiners, Movers, Leavers (JML)
A JML policy is your way of keeping tabs on your employees’ access levels as they enter, move within, or leave the company. Because IAM is all about ‘right time, right place’, you must have a policy in place to guide how you adjust someone’s privilege based on their position in the company. And, of course, if they leave, you must have a system in place that reminds you to deactivate their account.
HR would typically own this process, but it may have a lot of technical requirements so the IT team will need to be involved.
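One way to automate the JML check described above, as an added example that is not part of the original article: it reconciles an HR roster against an account export and flags leavers whose accounts are still enabled, movers holding access beyond their current role, and enabled accounts with no HR record. All user names, group names and the role baseline are constructed sample data, and the field layout is an assumption rather than any particular product’s export format.

```python
from datetime import date

# Constructed sample data: the HR roster is treated as the source of truth.
HR_ROSTER = {
    "asmith": {"status": "active", "role": "finance", "last_day": None},
    "bjones": {"status": "left", "role": "engineering", "last_day": date(2024, 3, 29)},
    "cwu": {"status": "active", "role": "support", "last_day": None},  # moved from finance
}
# Constructed account export from the identity system (assumed field names).
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "groups": {"finance-share", "payroll"}},
    {"user": "bjones", "enabled": True, "groups": {"source-repo"}},
    {"user": "cwu", "enabled": True, "groups": {"ticketing", "payroll"}},
    {"user": "svc-old", "enabled": True, "groups": {"source-repo"}},
    {"user": "dlee", "enabled": False, "groups": set()},
]
# Hypothetical baseline: the groups each role is supposed to hold.
ROLE_BASELINE = {
    "finance": {"finance-share", "payroll"},
    "engineering": {"source-repo"},
    "support": {"ticketing"},
}

def jml_findings(roster, accounts, baseline, today):
    """Return (user, category, detail) tuples for accounts that break the JML policy."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to sign in
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphan", "enabled account with no HR record"))
        elif person["status"] == "left":
            days = (today - person["last_day"]).days
            findings.append((user, "leaver", f"still enabled {days} days after last day"))
        else:
            # Mover check: anything held beyond the current role's baseline.
            extra = acct["groups"] - baseline.get(person["role"], set())
            if extra:
                findings.append((user, "mover", "access beyond role: " + ", ".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for finding in jml_findings(HR_ROSTER, ACCOUNTS, ROLE_BASELINE, date(2024, 4, 15)):
        print(*finding, sep=" | ")
```

Run on a schedule against real HR and directory exports, a report like this gives HR and IT a shared list to act on.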
Want to learn more about these techniques and more, plus gain ideas on how to deploy them? Download our IAM best practices guide here.
Need help? We’re here for you
When it comes to cyber security, you don’t have to go it alone. We know what it takes to protect a business in the modern cyber warfare landscape and we’re always working hard to keep our practices, and those of our clients, as up to date and agile as possible.
If you want to learn more about the basics of identity and access management, please get in touch.