The Key To A Holistic Cyber Security Program: The Human Element
There are now more devices connected to the internet – around 8.4 billion of them – than there are people on earth. These devices have become integral to our everyday personal and professional lives. With ever-increasing global connectivity transforming the way we live and work, businesses are facing new avenues for innovation and growth. However, this trend also increases the opportunities for criminals to launch new, record-breaking cyber attacks, with startling regularity.
Unsurprisingly, businesses are concerned: in Aon’s 2017 Global Risk Management Survey, cyber crime is ranked as the number one risk in North America and number five globally. It’s not just financial institutions and organizations that handle personally identifiable information (PII) that are at risk. The impact of cyber threats extends into the physical world as much as the digital – causing electrical outages, shutting down assembly lines, tampering with critical infrastructure, and other significant interruptions.
By 2019, the cost of breaches is estimated to increase to $2.1 trillion – indicative of the wide-ranging implications a cyber breach can have on a business. Upfront impacts include loss of critical assets and data, regulatory fines, business interruption and litigation costs, combined with longer-term costs like damage to brand and reputation.
In this sense, cyber can be an existential risk for enterprises. Global shipping giant Moller-Maersk recently reported losses upwards of $300 million as a result of the NotPetya ransomware attack – and some businesses, especially small to mid-sized ones, may never recover from breaches. Recent cyber attacks, such as WannaCry, have highlighted the global nature of cyber risks both in the speed at which they spread and the scale at which organizations were impacted.
The Threat From Employees
While companies are rightly increasing their focus on external threats, the root cause of many cyber breaches is human behavior, with research showing that for businesses experiencing data breaches in 2016, insiders were responsible for 43 percent of data loss.
Half of the surveyed attacks caused by insiders were found to be intentional and malicious – caused, for example, by disgruntled employees determined to cause financial, physical or other harm to the company. However, many of the cyber risks posed by employees are due to the fact that, as security programs and products evolve to become more secure at a technical level, criminals target employees as the soft ‘way in’.
Employee curiosity, carelessness, urgency, or purely their susceptibility to attacks, are often the weakest links in a company’s cyber security. Many criminal tactics are therefore designed to bypass sophisticated security technologies and exploit simple human error. Social engineering attacks, for example, which deceive people into thinking that the attacker is a trustworthy source, only need one employee to click on a malicious link for malware to be installed on a company’s systems. These attacks are difficult to defend against, especially if employees aren’t aware of what they are looking for.
Managing the threats caused by employees is made even more challenging by an increasingly mobile workforce who often connect their personal devices to corporate networks. Gartner predicts that twice as many devices used for work will be employee-owned than company-owned by 2018. While bring-your-own-device (“BYOD”) policies can lower costs and increase convenience, introducing personal devices into the workplace carries new privacy and security risks for businesses and individuals.
For instance, hackers can target employee-owned computers with lower security controls, or even exploit wearables like smartwatches, to gain access and attack phones, email data, or other sources of sensitive business information. “Access points, whether it’s an IoT connected workplace, or someone’s personal wearable, are increasing. It’s as simple as more people, more access points, more risk,” says Stephanie Snyder, Senior Vice President, Aon Risk Solutions.
What Can Businesses Do To Protect Themselves?
Given the impact that cyber risk can have on a company’s finances and ability to operate, boards and executive management teams need to be doing more than leaning on IT departments and investing in software solutions. As the risk impacts the enterprise at every level, security and business leaders need to adopt a holistic approach to managing cyber risk.
It’s critical to create a multi-disciplinary team from technical, legal, compliance, finance, human resources and other departments, in order to assess the impacts that the organization’s technical vulnerabilities could have on the business, and align security with business objectives. The team can then prioritize which risks and vulnerabilities need to be addressed, through a mix of technical remediation and insurance products. Incident response plans and policies that are implemented must be routinely tested and continuously updated, to ensure a unified reaction to any incidents.
To effectively anticipate and manage the external and internal cyber risks in today’s connected world, businesses will need, as part of their wider cyber security program, the co-operation of their most important assets: their people. If companies are overly focused on technology, and do not address the human element in their vulnerability to cyber risk, they will not be able to deploy an effective strategy overall.
“At a minimum, companies should implement robust training and awareness programs,” says Jibran Ilyas, Managing Director, Incident Response at Stroz Friedberg, an Aon company. Ilyas recommends that businesses take steps to ensure employees:
- Know how to identify and deal with fraudulent behavior
- Are aware of the risks posed to their devices
- Don’t overshare critical or personal data
- Know how to safely dispose of personal information
- Use encryption where possible.
Companies must also foster a culture in which employees feel comfortable reporting possible security breaches, incidents or scams without fear of negative repercussions or being penalized.
While employees’ own actions might pose a significant threat to an organization, business and security leaders must create an environment in which security is viewed as a shared responsibility, and communicate that its people are a key component in safeguarding its most critical intangible assets.
“Given that 95 percent of attacks involve some human interaction with technology, building resilience also means changing behaviors to improve cyber hygiene…and having the right skills to drive technological innovation to stay ahead of attackers” – Sir Julian King, European Commissioner for Security Union
“As the number of connected things has grown, so has the determination of cybercriminals to exploit them. Businesses might not think about the cybersecurity settings of their photocopiers, for instance, yet 2016’s Mirai malware used hundreds of thousands of IoT devices to create a botnet that took down popular proxy server Dyn and, with it, nearly one third of websites globally” – Cara Sloman, Executive Vice President, Nadel Phelan, Inc