Human, all too human: security’s weakest link


29 June 2016

By Damien Manuel, AISA Vice Chair
This blog was originally published on the CSO Blog

As a species, humans are for the most part curious, somewhat altruistic and community or tribe minded. We establish relationships based on trust and are eager to help the common collective. It’s these qualities that have helped us advance, form societies and develop sophisticated technologies. When it comes to cyber security, these same qualities are also our downfall.

A recent study at the University of Illinois found that around half of the USB flash drives dropped in a car park by researchers were picked up by passers-by and plugged in. Those who did so were neither technically incompetent relative to their peers nor particularly risk-loving compared to the general population. As security professionals we may shake our heads in disbelief, but the subjects in the study are not foolish - they are simply human.

Appealing to our inquisitiveness, this straightforward (and thankfully mock) attack proved highly effective. Cyber criminals already know this and have been using psychology to exploit businesses for a long time. As we learn more about how the human mind works, we naturally begin to understand the primal triggers that can be harnessed or exploited for good or bad. Examples are reciprocity, authority, urgency / scarcity, distraction and identification (posing as an employee, pretending to know someone, establishing trust by talking about favourite meals on the menu at the local café, and so on).

There has been a rise in whaling attacks in recent months. Since January 2015, the FBI has seen a 270 per cent increase in identified victims and exposed loss.

Spear phishing and whaling scams target senior staff in finance and accounting departments who are entrusted with sensitive employee information and with undertaking money transfers. An email that appears to be from a senior executive, perhaps the CEO or CFO, or from a valued customer, is received requesting an urgent release of funds or important information.

Cyber criminals play on the long-term relationships between business associates. The staff members targeted are eager to help their workmate, only to find it was an impostor. These generally time-poor employees are only doing what they believe is best for their business, even if that means bypassing protocols in order to help. A single employee acting under pressure can easily create a gaping hole in your security architecture.
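One defensive counterpart to the pattern described in these paragraphs is a simple triage score for inbound mail: a display name that matches an executive but arrives from an external domain, a Reply-To that diverts replies elsewhere, and urgency or payment language together mark a message for out-of-band verification (a phone call to the real executive). This is an added illustration, not code from the original post; the executive list, the internal domain and both sample messages are constructed.

```python
"""Heuristic triage for CEO/CFO impersonation ("whaling") emails."""
import re
from email.utils import parseaddr

# Constructed sample data: executives whose names staff trust, and
# the organisation's own mail domain. Both are assumptions for this example.
EXECUTIVES = {"jane roe": "CEO", "john doe": "CFO"}
INTERNAL_DOMAIN = "example.com"

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payroll|bank details|invoice|funds)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_email(from_header: str, reply_to: str, subject: str, body: str) -> tuple[int, list[str]]:
    """Return (score, reasons). A score of 3 or more warrants a phone-call check."""
    name, addr = parseaddr(from_header)
    from_domain = _domain(addr)
    score, reasons = 0, []
    # Display name of an executive but a sender domain we do not own.
    role = EXECUTIVES.get(name.strip().lower())
    if role and from_domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"display name matches the {role} but sender domain is {from_domain}")
    # Replies silently redirected to a mailbox the attacker controls.
    reply_domain = _domain(parseaddr(reply_to)[1])
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")
    if PAYMENT.search(text):
        score += 1
        reasons.append("payment or payroll request")
    return score, reasons


# Constructed messages: one impersonation attempt, one genuine internal note.
SAMPLE_SCAM = dict(from_header='"Jane Roe" <jane.roe@examp1e-corp.invalid>',
                   reply_to="jane.roe.ceo@webmail.invalid",
                   subject="Urgent wire transfer",
                   body="Need you to wire funds to a new supplier today. Will explain later.")
SAMPLE_LEGIT = dict(from_header='"Jane Roe" <jane.roe@example.com>', reply_to="",
                    subject="Board papers", body="Attached are the agenda items for next week.")

if __name__ == "__main__":
    for sample in (SAMPLE_SCAM, SAMPLE_LEGIT):
        print(score_email(**sample))
```

The score is deliberately coarse: its job is to route the message to a human verification step, not to decide on its own.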

High profile companies have fallen victim to this sort of attack – with employees unwittingly wiring millions to foreign banks and releasing employee payroll data to criminals.

Cyber criminals can further fine tune their phishing attacks aided by the kind of information we share about ourselves on social media. They may send an employee a malware loaded email from the recipient’s old school, sports club or former employer. Who wouldn’t click to view the photos from their old school’s reunion? It’s only natural.

Although most people are savvy to Nigerian princes requesting banking PIN numbers so they can transfer their millions into accounts, generally most of us default to a trust mode when using emails or services from the Internet. We seem to implicitly trust people on the Internet we have never met before, which by itself is a strange phenomenon worthy of further study.

Blue Coat’s own Global Cyber Security Survey, conducted by independent research firm Vanson Bourne, found that employee behaviour is a real and present danger. Though CSOs may baulk at the idea, the study found that a fifth of employees will open an email from an unverified source. Nearly two in five use social media for personal reasons at work, exposing them to malware and encrypted traffic exploits. More than half use personal devices for work.

You would assume then that the message coming from IT teams is simply not getting through. But that’s not quite the case. Blue Coat’s study found that 73 per cent of employees knew that opening an email attachment from an unverified source was a business risk (and those categorised as IT decision-makers are no better).

Australian employees were among the lowest offenders when it came to using new applications without IT’s permission (only 14 per cent had), yet the threat remains.

Simply banning social media, shadow IT and personal devices is impossible and ineffective. There are benefits to them too - social media can actually raise worker productivity, and unsanctioned IT makes good business sense to employees who seek to be as efficient, productive and collaborative as possible.

If employees are aware of security risks, but take them anyway, it indicates the message is getting through, but is not effective. So maybe the message or our actions are wrong.

For too long CISOs and their teams have been seen as disciplinarians: strict masters who issue rules about what employees shouldn’t be doing. Sadly, many are perceived as an obstacle to doing business, a hurdle to be overcome or, worse, bypassed. Effective CISOs know how to make the case for good security practices appealing to busy employees, balancing security with employee productivity. In short, they implement effective, usable security measures that are understood by the non-IT people in the business.

Fortunately for CISOs, the damage done by security breaches at major companies is increasingly in the spotlight, raising awareness at both board and executive management level and providing an ideal environment in which to address the challenges. Too often this simply translates into “how much will it cost me to be secure” rather than a shift in thinking towards an organisation with a mature and capable risk culture. Real-world examples of breaches are plentiful, and so are the losses suffered by businesses. Harnessing these examples and demonstrating the business impact in real terms can be an effective way to educate, to build awareness of the challenges and to make the case for a risk management culture in the business.

Unfortunately, cognitive biases hinder our ability to judge risks correctly, and it is this which inevitably causes individuals to fall victim to scams or to cause a security breach. Explaining scenarios of how cyber criminals crack security, beginning with an individual worker, can help to change the culture and behaviour of employees. However, those scenarios need to be relevant and in the language the business uses, hence minimal techno-babble. Remember, there is no silver bullet for solving this problem; technology alone is not the answer. A combination of transparent security technology (the kind the end user doesn’t even know is protecting them), psychology training in the area of judgement and decision making, regular education and a positive, agile culture of risk management can help.

No employee wants to be the source of damage to a business. Nobody wants to be the one who is responsible for hitting the media headlines for a data breach. That’s just human.

Seven tips for organisations to help improve cyber security:

  • Build a culture of business resilience which includes security and risk as core pillars
  • Understand your weak points by thinking like the criminals. Where does your data reside, who can access it, what controls are in place and how easily could those controls be circumvented?
  • Identify, establish and monitor controls to reduce your weak points, but don’t get lost in the compliance forest. Make sure what you’re monitoring or assessing is relevant and real. Is it dependent on people doing the right thing, and what happens if they don’t?
  • Supplement control monitoring with business education using real-world scenarios to highlight the risks and exposures (in a business context). Rinse and repeat this step, as education is a continuous process, and make it fun and engaging or it will fail.
  • Shift the needle of implicit trust in the Internet to a position where staff question things that sound too good to be true or just don’t sound right. If you have done step 4 correctly, this will occur naturally in the business.
  • Don’t despair when it does go wrong. You just fell victim to your primal triggers, and it takes time and training to control them. Perhaps your business needs to focus on the psychological aspects of security, namely decision making and judgement.
  • Have a plan for when it goes wrong and the breach occurs. How will you contain it, how will you respond to customers / media, how will you restore confidence and continue adding value to your customers/shareholders during the crisis? Don’t be afraid of it happening, embrace it, plan for it and be prepared.