The weakest link in cybersecurity, it’s often said, is the occupant of the space between the chair and keyboard. Indeed, with phishing attacks not only still seeing widespread success but actually on the uptick, employees are arguably a bigger security weakness than any type of technological vulnerability.
On the flip side, an enterprise’s people can be the most important resource for combatting interlopers and developing a strong IT security culture. Information security increasingly is being seen as a people problem – with a human solution – rather than a technological one.
“I meet every new [employee] and I always tell them, you are the first and last line of cyberdefense!” says Graeme Hackland, CIO at British Formula One team Williams Racing. Hackland shies away from referring to employees as an organization’s biggest threat, because he believes “that kind of thinking drives division between those responsible for IT risk and the rest of the organization.”
It is, however, true, that “colleagues can deliberately or inadvertently put the organization’s data and IT systems at risk or have their accounts compromised,” says Hackland.
It’s a scenario that John Petrie, CEO (and former CISO) of NTT Security, has seen play out in his customers’ organizations as well as his own. “The threat is not just confined to enterprise employees, but any [person] who interacts with the enterprise, across the board,” he says, adding this can include independent contractors, third-party vendor employees and security personnel themselves, along with those working in human resources, finance or manufacturing.
Indeed, Petrie says that within the first month of accepting NTT Security’s top job last fall, he himself was attacked by bad actors who saw him as an enticing target for both his access and his company’s information. To combat breach attempts through him or other top executives, Petrie says he instituted policies to guard against business email compromise and resisted the temptation to increase his controls or access.
“Leaders need to do themselves what they tell their employees to do, even if it’s ‘inconvenient’ to log into a third party to access a SharePoint drive at the airport or something similar,’” he adds. “I get it. But if I break or bypass the rules, others will too.”
As a rule, it is human nature for effective employees throughout an organization to look for the easiest solution, the best workaround. They prize convenience – and this can fly in the face of embracing the best security practices. They often, too, are well-positioned to carry out nefarious activities.
The Crowd Research Partners 2018 Insider Threat report surveyed 472 cybersecurity professionals, more than half of whom [53 percent] said that an insider attack had definitely happened at their organization in the last year. And nine out of 10 respondents said they feel that their organization is vulnerable to insider attacks. Similarly, Ponemon Institute’s 2017 Cost of Data Breach Study found that 47 percent of all enterprise breaches are caused by employees, either operating for their own gain or to damage the organization, or unknowingly being compromised.
“The threat comes from employees having access to valuable or sensitive data, combined with the often unavoidable fallibility of human error,” says Claire Wiggill, vice president for strategy and business development at BPM platform provider PMG.
Yet, “access to IT systems is essential for so many of us to be able to do our jobs,” says Wiggill, who stresses that managing access is key to guarding against insider threats. But that’s where many organizations fall short.
According to a recent research study by PMG, 44 percent of millennials, 30 percent of GenXers and 16 percent of baby boomers reported that they still had access to applications from at least one previous job. The ability to access a former employer’s data and networks – even ones to which the employee should not have had access in the first place– is still a common problem. “An organization should have a record of who has access to what data that can be reported on and reviewed at any time,” Wiggill cautions. “And in the case of sensitive data, not just ‘at any time,’ but actually at certain, prescribed times for auditing purposes.”
To accomplish this, Wiggill recommends enterprises institute an internal audit practice to create better and more consistent governance. “People are a great asset,” she says, “when given a clear pathway to identify and report possible security issues.”
KnowBe4 founder and CEO Stu Sjouwerman points out that the reason cybercriminals will target human weakness is that it is typically easier and more common than tracking flaws in a network. “These bad guys are business people, their time is money,” he says. “If they want to find vulnerabilities in software, it may take weeks, but finding a vulnerability in a person can take minutes. It’s the path of least resistance.”
Human problems, human solutions
Until recent years, the perspective in enterprise IT security has largely been that breaches are primarily a technological concern that should be solved with “filters and updates and shiny new security software,” according to Sjouwerman. “But it is a combination of technology and people. IT security teams need to consider security culture, get those employees in their own corner and make them the last line of defense.”
Attitudes are changing though, as a rapidly rising number of large and small-to-mid-sized enterprises are managing more consistent security policies and training employees to understand what to do, day-to-day, and what to look for. Within the past five years, KnowBe4 has conducted security training with more than 23,000 business customers.
Most human errors are innocent. An employee absentmindedly opens a legitimate-looking attachment, or an eager-to-please human resources employee releases confidential personal information while responding to an email that appears to belong to a top executive. “People often don’t realize the risk their actions have on a company’s security posture,” says David Pignolet, CEO of SecZetta. “A wrong click on an email or accessing company files on personal devices can easily lead to a breach; after all, it is usually the weakest points hackers target.”
As organizations seek to create more dynamic and efficient environments, embracing remote access through an assortment of mobile devices and cloud support, even the very concept of having a ‘perimeter’ for the network becomes fuzzy. Whereas in the past, an organization’s barriers were very well defined, Sumir Karayi, CEO of 1E, says that “today’s level of access and flexibility brings with it an opportunity for the employee to contribute much more than they have in the past, but it also brings with it dangers… Today, businesses are incredibly porous.”
Tim Woods, vice president for technology alliances at FireMon, says “many employees simply don’t understand that their credentials are the number one target of hackers, and how clicking on a bad link or downloading an infected attachment can be the opening shot in compromising the entire corporate network and its data.”
Hence, nearly all of the high-profile cloud data breaches that have made headlines over the past few years were the result of human error, according to Woods and other security experts. “[Breaches at] Microsoft, World Wrestling Entertainment, Time Warner Cable, FedEx and Verizon, to name just a few, were all caused by cloud misconfigurations,” Woods points out. He believes these misconfigurations typically occur when teams developing and deploying applications lack required security skills related to Amazon Web Services or Microsoft Azure, for example.
But often, it’s even more basic – an employee finds an unused USB stick laying on the floor (left behind by a hacker) and inserts it, or uses passwords that are too easy. In early 2018, a Department of Homeland Security employee caused a huge security stir by leaving behind sensitive Super Bowl security documents on an airplane. Many people do not even consider their behavior insecure or risky – they see them as shortcuts or a means to encourage or allow for teamwork. More than one-quarter of respondents to a 2018 security survey sponsored by Shred-It admitted that they often leave their work computer unlocked when they’re not there.
With employees feel overworked, “they’re more like to take the quicker path, forget to change a password or cut corners, or leave confidential files out open on a desk,” says Petrie.
Prior to becoming a PMG customer, a large education enterprise with more than 35,000 active employees didn’t disable a worker’s network account when he left the company, Wiggill says, and a bad actor that managed to obtain the former employee’s password through brute force was able to get access to the server, and eventually gain root access in an attempt to run a virus. “There was no real institutional process to manage the deprovisioning of network accounts securely,” she says.
Sjouwerman points out, “It’s more of a question nowadays of which recent data breaches were not caused by some human error, than which ones have been.”
One might assume the up-and-coming generation of employees entering the workforce – those who have grown up with the internet and mobile phones, and have always been aware of the lurking cyber-crime specter – would just naturally come to work with better security hygiene.
But according to the 2018 SailPoint Market Pulse Study, that’s sadly not the case: a full 87 percent of people aged 18 to 25 admitted to reusing the same passwords, with almost half of them doing so across personal and work accounts. Nearly one-third of these respondents [31%] also said they have installed software on their business devices or networks without authorization from their IT department. This so-called practice of “shadow IT” has risen sharply since SailPoint’s 2014 study, when only one in five employees said they were installing software without permission.
People power
Because even the most well-intentioned employees are fallible, organizations still need to do their part to beat back the rising tide of attempted compromise. Security awareness training is a critical, foundational, and still-too-often under-utilized tool that enterprises can and should enlist, according to Petrie. “And I’m not talking about the once-a-year PowerPoint presentation,” he says. “Humans are human, and they will make mistakes. Training programs must evolve.”
Especially as media-driven millennials increasingly flood into the working world, Petrie and other security experts are pointing out the need for more bite-size, accessible training – online as well as in person – that covers a broad expanse of possible issues and tries to connect with employees in a way that is meaningful to them. “If there’s a hack, we quickly create new security teaching material that relates to that,” Petrie adds. And NTT Security is also standardizing its employee onboarding process to help reduce the risk of giving any employee – even executives – too many privileges or failing to change their access when their status changes.
“From a global perspective, it’s... important to make sure that onboarding and security controls are consistent across the entire company,” Petrie says. NTT Security’s parent company has nearly 1,000 separate businesses worldwide, Petrie notes. “We have to come together and create a baseline that all our companies will follow. Standardization and identification is part of everything we do. It comes back to communication and training. The technology is not the main issue here. The failure of technology is not the cause of the hack.”
Wiggill agrees that many, if not most, security gaps are the result of poor business processes, or even just outright employee negligence. “Role-based access provisioning is one of the best ways to control system access to ensure that an employee only has access to the specific systems needed to fulfill their job responsibilities,” she says.
Tapan Shah, managing director for Sila Solutions Group, says that organizations that make identity management the backbone of their cybersecurity programs and that incorporate process analysis, governance, and organizational culture shifts into their approach are “in a much stronger position to avoid, detect and respond to IT security issues. These organizations empower their employees to be active and aware participants in maintaining the security of their enterprises and of their own digital identities,” he continues.
But in the end, industry experts say it all boils down to creating a culture of security throughout the organization, from the top down, and integrating myriad security training techniques and methods to make sure the message reaches all employees. “Security training should be part of the entire hiring process from recruiting to employee engagement,” says Pignolet. “Companies have gamified just about all aspects of the enterprise to educate and excite employees. The same should hold true for cybersecurity. Companies should find ways to make it fun and engaging and not just enforce policies that seem to slow down the business rather than protect it.”
Hackland stresses that “transparency is critical in education,” and urges companies to “be open about what monitoring is in place and how it is used.” Williams adopted a “people-centric approach to IT risk. Trust, but verify, became our strategy” in 2014, he says, explaining that the company uses the Dtex User Behavior Intelligence platform to protect its Formula 1 confidential information.
The company uses “every published breach example as an opportunity for education,” says Hackland.
He recommends meeting “every new starter in your organization,” noting that “they’re obvious targets, especially in the first weeks of their employment after they update their LinkedIn profiles.” Williams now “runs ‘Lunch and Learn’ sessions on a wide range of topics,” he says, noting he recently led a session on protecting personal identity online. “People who are risk-aware in their personal lives will be better prepared for risks in their working lives.”
Woods also concurs that the important thing organizations can do to reduce risk is to implement education and awareness programs that “focus on making security a priority [by] integrating security at the start of every new initiative, rather than leaving it as an afterthought.” Underscoring the importance of leadership buy-in, Woods points out that all stakeholders – from the CEO to entry-level employees – must be properly educated on security efforts and work together toward the common goal of reducing enterprise risk.
“Data is a company’s currency and, as applications are deployed, the question of who has access to that data must be answered and verified,” Woods says. “Organizations must have complete consistency of security policy enforcement across hybrid environments – or as close to 100 percent consistency as possible, with a defined plan outlining how to handle the risks created by any gaps.” n