Managing The Human Aspect In Cybersecurity: Risks, Impacts, And Mitigation

Managing The Human Aspect In Cybersecurity: Risks, Impacts, And Mitigation
Photo by Jefferson Santos / Unsplash

Workplace communication is getting revolutionized by the widespread adoption of the internet and digital technologies. However, while technology has improved productivity and innovation for the enterprise, the human element in People, Process & Technology has been the weakest link in enterprise information security. There is an alarming rise in employee-related data breaches that are affecting organizations today.

The evolution of technology is benefiting all areas of life and making lives easier worldwide. These considerable strides in technological development have one crucial aspect – ease of communication and use. The technology element demands rapid changes to the cybersecurity landscape of an enterprise and offers easy access to information for employees at all levels. It also makes it easier to combine, remove, sort, and circulate a large volume of sensitive and confidential data across various platforms, without taking into account organizational assurance and due diligence. Hence, the rapid advancement leads to organizations reporting more security breaches, which are linked, directly or indirectly, to human behaviour.

Managing The Human Element In Cybersecurity – Some Facts

Even though it is impossible to ascertain whether the breach in an organization took place due to an employee's negligence, or intentional behaviour, there is an increase in security breaches due to the human element. Given below are some glaring statistics that prove the same.

According to a Kaspersky Lab study in 2017, following observations were noted:

  • The careless workforce contributed to 46% cybersecurity-related incidents last year.
  • Insider attacks are also in vogue with enterprises experiencing up to 30% attacks in which the employees worked against the employer.
  • 11% of the severe security data breaches involved uninformed employees.
  • Employees have the habit of under-reporting and not taking any action when the company suffers a data breach. Employees of over 40% of businesses worldwide never reported an incident after it occurred.

% Of Businesses Which Think They Are Vulnerable To Inappropriate IT Use By Employees [Source: IT Security Risks Survey 2017, global data]

As per the PWC Information Security Breaches Human Behaviour and Cyber Security Assurance Survey

  • It reports that the main vulnerability of a secure enterprise is the people.
  • Inadvertent human error was the root cause of more than 50% security breaches in the UK.
  • It was a rapid increase of a whopping 60% Y-O-Y.
  • The study pointed to an often ignored fact – insider events. Insider events often slip the media's coverage and, hence, do not get reported.
  • The study stated that over 28% of the respondents pointed towards insiders as the root cause of security breaches. The insiders include employees, trusted parties, contractors, and service providers.
  • The survey pointed out that inadvertent human error contributed 48%, lack of staff awareness added 33%, and weaknesses in vetting the employees figured 17% in various security and data breaches.

According to the PWC 2015 Information Security Breaches Survey

  • About 75% of all large organizations experienced an employed-related breach, which was about 33% or 1/3rd for the small organizations.
  • There was a rise of 58% for the large organizations and 22% for the smaller ones since the last year.
  • When it comes to interaction with the company's sensitive and confidential information, these studies point to the difficulties that organizations face when they decide to apply cybersecurity controls that concern the human behaviour of the employees.

Critical findings for the healthcare sector in 2014 US State of Cybercrime Survey

  • The healthcare industry is highly regulated in the US because it deals with highly sensitive information.
  • The report found that the private and highly sensitive information of respondents got unintentionally exposed, and the rate was 83% higher.
  • The report states that employees of 92% of organizations had access to e-mail and calendar through mobile devices. Additionally, these organizations also allowed access to the health records to 52% of respondents.
  • The report publicized that data breaches that involved tablets and smartphones in large organizations saw a jump from 7% last year to 15% this year.
  • For insider attacks, the report states, the most vulnerable areas are collaboration and communication applications.
  • The three main areas which lead to an increase in the insider attacks are:
  1. Data in mobile devices (e.g., laptops, smartphones, etc.)
  2. Inadequate cybersecurity training and awareness among employees
  3. Inadequate or absence of data protection solution or strategy.

What are the Risks?

  1. The Brand Reputation Gets Damaged

A data security breach impacts the organization's short-term revenue; it can also affect the reputation of the brand for a long time. Users want their Personally Identifiable Information (PII) to remain private and not get leaked. However, the majority of the data breaches result in a compromise of customer payment information. Potential clients refuse to do business with enterprises having shaky data security.

2. There Is Considerable Loss To Intellectual Property

Intellectual Property (IP) includes the organization's native product designs, blueprints, and other business strategies. Loss of IP can result in reputation damages, financial losses, and in extreme cases shutting down of businesses. The insider threat has always been a challenge for organizations to handle. According to a recent survey, 69% of organizations have suffered data loss or IP loss due to employees leaving the organization.

3. Social Media Risks

Knowingly (e.g., disgruntled employees) or unknowingly (e.g., an employee not well trained or unaware of cybersecurity best practices), sometimes, employees may reveal too much personal information on social media. This information can be used by identity thieves to break into your information systems or even to steal sensitive and confidential information.

Impacts of A Data Breach

  1. Revenue Loss

Considerable revenue loss to the organization due to data security breach is a common finding in many studies. Studies point to a revenue loss for 29% of enterprises facing a data breach. Out of these, 38% of the businesses experienced a revenue loss of more than 20%.

2. Loss of Reputation & Customer Trust

Apart from financial losses and regulatory fines, a data breach or loss of personal information of your customers can bring down the level of trust your clients and customers have in the organization's ability to protect their information assets.

3. Hidden Costs

Surface-level costs make up the tip of the iceberg. Other hidden costs beneath the surface are related to breaches. The hidden expenses in the event of a data breach are legal fees, PR and investigations, and insurance premium hike. Regulatory fines are another major factor that shoots up the hidden costs.

Risk Mitigation Strategies

  1. Restrict The Usage Of BYOD

Organizations keep coming up with new policies to engage their employees better. Bring Your Own Device (BYOD) is the example of one such strategy that allows employees to complete various projects using their mobile devices. While it improves savings and convenience, it also poses substantial security risks. If in case, BYOD is unavoidable, organizations must ensure that employee-owned hardware does not contain any critical company data.

2. Educating The Employees About Latest Cyber Security Tactics

Hackers are becoming more advanced by the day and keep changing their tactics. Hence, it becomes critical for organizations to ensure that their employees are aware of the latest threats and the ways to avoid them.

3. Educating The Workforce About Social Engineering Attacks

Social engineering is a deceptive technique used by hackers where they use media platforms to trick people into sharing their confidential information. Employees must know about various social engineering methods which hackers use:

  1. Spear Phishing targets fewer victims but is usually much more successful. It is a variation of Phishing. In spear-phishing attacks, adversaries send highly customized e-mails to potential victims (the number is minimal), and the victim gets fooled by the familiarity and bites the bait.
  2. Reverse Social Engineering refers to the hacker attacking a company's network and then offering help to the administrators to rectify it. It is a gold mine of data for the hacker if the administrators heed to his request.
  3. The Friendly Hacker is a technique of social engineering attacks where the adversaries focus on social media or personal e-mail accounts. They gain unauthorized access to an account and search for video files, PDFs, word files, or other downloadable content. If they find any of these documents, they embed malicious code into another document and send it to the victim after labelling it as the "updated version." Such attacks not only target the initial victim but also leave their colleagues vulnerable to attacks.

4. Deploying The Least Privilege Model

The organizations can use the least privilege model in the workspace, which allows them to identify the accounts which have unnecessary privileges. They can also monitor every communication and file which gets transferred on the enterprise network.

5. Outside Vendors Must Deploy Strong IT Security Measures

It is prudent to view every outside vendor to be as safe (if not more) as the organization. Numerous studies are pointing to the fact that vendors can act as the entry point for adversaries to enter the host's network. A report in 2014 discussed the breach in Target's system via an HVAC vendor.

Thus, the organizations must communicate the network security concerns to the vendor and become aware of the monitoring software and surveillance processes. Analyzing the IT infrastructure audits to ensure that they are putting appropriate safeguards is a prudent way for organizations to check the vendor's IT preparations. Additionally, they can actively encourage the vendors so that they utilize change detection software.

Conclusion

The cyber threat landscape is continuously growing and becoming more complex. It is evident from the fact that 57% of organizations are now assuming that their information security posture might get compromised, resulting in a breach of confidentiality, integrity, and availability of information. They are waking up to the fact that employees can either be their most vigorous defence or the weakest link in data security. Hence, to mitigate human-related risks, they need to take proactive steps. Organizations must realize that security policies cannot reduce all the risks.