We all make mistakes. We are only human, after all. Unfortunately, when it comes to cyber security, that’s also kind of the problem. The Human factors in cyber security are perhaps the biggest challenge when building an effective threat prevention strategy.
Human error is the leading cause of data and security breaches, responsible for 52 percent of such incidents. It was a person, lured by spear phishing, who opened the gates to the Democratic National Committee attack last year, as well as major hacks against Snapchat and the health care industry — to name a few examples of that human factor.
Socially engineered threats circumvent many cyber security systems by preying on human error. They use psychological manipulation to push users into performing an action or providing information. In the case of email attacks like phishing, this often involves clicking on an embedded link, downloading malware like ransomware or offering passwords and financial authorization.
An increasingly common example is Business E-mail Compromise (BEC), when a hacker targets corporate executives with communications that use crafty copy and design to appear like they are from a trusted source. The attacker then asks for a wire transfer of money. According to the FBI these attacks have cost organizations more than $2.3 billion since 2013, with a 270 percent increase since January 2015 alone.
“The weakest chain in cyber security is the human being. It’s the lowest hanging fruit. Most of the attacks we see in the field right now are targeting uninformed people,” says Yves Lacombe, Technical Support Director at Vircom.
He continues: “The simple solution is if someone emails you something that looks legitimate, you still approach it with a reasonable amount of doubt. If somebody asks you to do something that has a monetary impact, always get a verbal confirmation.”
To Lacombe, this requires two-factor authentication IRL. That means training users to pick up the phone and ask the person who emailed them if they indeed requested the money. “You need to cultivate healthy skepticism about anything transactional related to email. People are too trustworthy,” he says.
He points to a recent example from a documentary, where a social-engineer hacker at Def Con uses the psychological pressure of a screaming baby to get a phone company to lock the interviewer out of his own account.
“The customer service person could have foiled this attack by saying they would only act if they could call her back on her home number beforehand. Alternately, you should also implement a pre-agreed upon password that would be near-impossible to guess or Google, so not your mother’s maiden name. It all comes back to two-factor authentication,” says Lacombe. “Better yet, only authorize customer service staff to speak to the account holder and not the spouse!”
Here a few tips for preventing human error in cybersecurity (or at least trying to).
Take users phishing!
Unless you work with an especially tech-savvy bunch, many of your end users may not even know what “phishing” is. Provide basic cyber security awareness training to them so they can not only identify threats, but appreciate the work you do and the gravity of the situation. If you want a humorous way of doing it, check out our post “Advanced Metaphor Protection: cybersecurity vs. cyber semantics”.
Is the sender also the receiver?
Vircom’s Email Security Operations Lead, Marc Chouinard, points out hacker emails and phishing attacks will often come from a sender address that is different from the reply address. He says, “In our new product, we check the ‘FROM’ and ‘REPLY-TO’ to see if they are different values. You should still train your users that if they are receiving an email invoice from someone, but the reply is going somewhere else (i.e. a personal email or Gmail), it is likely phishing.”
Hack yourself… Ethically.
Ethical hackers attempt to breach your company’s security systems without malicious intent. Instead, they use it as an educational experience to highlight areas of weakness. Often this means using socially engineered attacks against users to see how they respond. Most recently Airbnb and Spotify asked ethical hackers to test out their systems.
Passwords, passwords, passwords…
Too often, users make their passwords not only simple but similar across professional, personal and social media accounts. If one gets hacked, the whole house of cards comes down. Train your users to create strong, memorable, unique passwords with these 3 easy steps to creating a strong password. To take it a step further, enterprise password managers can also help ensure your users abide with your cyber security policy. For tips and suggestions, check out our blog post “3 Top Password Managers and Why You Need to Use at Least One”.
Think before you link!
Users should know to always double-check with the sender before clicking a suspicious link. Even if it seems to be from a legitimate, trusted source, all it takes is one tap to infect a system with malware. At the very least, users should hover over a link to see the destination and be paranoid of anything with a domain that doesn’t fit with the purported sender.
Create an accessible cyber security plan.
Make a plan that is easily accessible both physically and mentally. Users should be able to see it regularly or pull it up quickly when unsure of what to do. They should also be able to digest the information. Since most of them are likely not IT experts, try to package the knowledge into ‘byte-sized’ chunks.
Don’t be soft with software.
Ultimately, you should be working with a top-of-the-line cyber security vendor who can provide you with the best front-line defence to prevent many threats from even reaching end users. They should also be able to help you with the safe encryption and authentication of your data, as well as moving towards cloud-based solutions.
If you would like to learn more about today’s top cyber security threats and how to prevent them, download our white paper on Cyber Security Trends and Solutions for 2017 with these solutions for the human factors in cyber security and much more.