Cyber Security: It All Comes Down to the Human Factor

Faisal Quader, President at Technuf

March 24, 2016

Cyber Security It all comes down to the Human factor

Despite high-profile breaches and other types of cyber attacks over the past few years, cyber security remains a low priority across industries. There are a few reasons for this. First, too many people, both in leadership roles and rank-and-file employees, assume that security is already built into their corporation’s networks, and that files are automatically encrypted. Or they think that security is someone else’s responsibility. Second—and this is especially the case for smaller businesses—they don’t think their company could possibly be targeted for an attack.

The truth is that any company is vulnerable to a cyber security threat, and that’s because every company has something a cybercriminal wants—whether that be access to financial accounts, or Personally Identifiable Information (PII) of customers and employees that can be used to commit fraud. Because every company is at risk, every company needs to evaluate its security processes and improve upon them.

Starting with the Basics

There are some basic security vulnerabilities that every company must address when putting together a cyber security plan. Password policies are a must, but despite their importance, they often get glossed over. What’s more, the actual passwords are—or should be—only one factor in the authentication process. If those passwords are too weak, for example, they can be easily guessed, putting the entire authentication process at risk of failing. Having procedures in place to require strong passwords that must be changed every 90 days can improve the overall security of the authentication process.

Similarly, some industries—finance, for example—understand the need for full encryption for PII. But what often gets forgotten is strong entry authentication to access the database in the first place. Frequently, the only authentication needed to access information is a user name and password combination. Multi-factor authentication— adding extra layers like public-key cryptosystems, a code sent via text message or a biometric like a fingerprint—adds strength to the access system. Not adding this layer is a breakdown in overall security, and it can put customer data at risk.

The Rise of BYOD

Bring Your Own Device (BYOD)—and the increase in employee-owned mobile devices accessing corporate networks—has created unique targets for potential attack, and has necessitated new layers of cyber security. Corporations can employ a simple rule to protect themselves from this increasingly nebulous threat: no mobile device is allowed to connect to the network without proof that security software has been installed. Further, the device should be put through a compliance check before it is used to access sensitive data.

Of course, it isn’t just employees who are using mobile devices to interact with the company. In the banking industry especially, more customers than ever are conducting financial transactions using mobile apps. This means that the designers of these apps need to be security-forward and should have protocols in place to monitor potential malware infections.

Continuous Education: The Most Effective Security Tool

While IT departments focus on the security tools needed to defend the network, one of the most important security procedures—education—is often given only a cursory nod or ignored altogether. This includes basic security education for all employees, from the CEO down to the summer interns. Even with the range of technologies available to protect a corporation against threats, if the users aren’t fully trained about security risks and prevention, cyber security fails.

Surprisingly, an increasing number of security threats are actually coming from inside the company itself. A SpectraSoft study shows that every organization can expect to have nearly four insider-related security incidents per year. Although some of these threats arise from malicious employees who intend to hurt the business, most security incidents are accidental—caused by an employee who clicked on an infected link or opened a malware email attachment. Most of these accidental security breakdowns can easily be avoided, through basic employee security education and training sessions.

But security training goes beyond simply teaching employees the difference between a real email and a phishing scam. User behavior plays an important role in good cyber security. It should be considered as part of any training process. For example, a user who works with sensitive data should learn why he needs to lock his computer when walking away, even if just to get a cup of coffee. Good training teaches why these behaviors are necessary; regular training turns security best practices into habit. The more security training an employee receives, the less likely they’ll become the victim of a targeted attack.

When you look at the human aspect of the cyber threat, there are several situations that set up the user to be a victim:

  • Negligence. This goes back to poor user behavior and not paying attention to simple security standards. Examples include sharing passwords or not logging out of applications when finished.
  • Deceit. This happens when the user falls for a scam that gives a hacker access to the network. 
  • Ignorance. Not knowing what the proper security protocols are, both for the company and in general, can be just as dangerous.

Investing in the Security Process

Employee training goes a long way towards facilitating improved cyber security implementation. Once that’s in place, company leaders can focus on spending the time, effort, and resources to properly invest in security over the long term. There is an ongoing need, for example, to understand the current state of the system. Is everything patched and up-to-date? Where are the weak spots in the infrastructure? Having someone regularly reviewing data logs or recurrent penetration tests will trigger alerts for potential vulnerabilities before any damage is done.

Also, any company needs to be both proactive and reactive when dealing with security threats. All too often, cyber security plans stop at the proactive stage, putting the bulk of the organization’s security resources into defense systems. Because even the best security system can fail, it is equally important to have a plan in place for how to manage the post-breach scenario. This can include external affairs, such as managing the press coverage and communication with customers in the wake of a breach, as well as internal affairs, such as closing the holes in the infrastructure and stopping data leaks.

For every cyber security plan, there is one common factor: No matter how much is done to protect the infrastructure with technology or policies, it all comes down to the human factor. If the people who are accessing the network aren’t trained properly on how to follow proper security protocols, you’re likely to fall short of your overall IT security goals.

The views of the author of this article do not necessarily reflect the views of First Republic Bank.

© First Republic Bank 2016