Systems and networks are only as strong as their weakest links. Humans have long been identified as the leading cause of network breaches. With “5 new cyber threat samples being identified every second in Q1 of 2018” (McAfee), the human factor cannot and should not be underestimated.
Humans are easy targets for cyber criminals. In a previous article (Security requirements: The Non-functional becomes Functional), we discussed the trade-off between security and convenience or ease of use. Given the chance, a human will almost always choose a simpler, easier-to-remember password over a more secure but harder-to-remember one.
OpenVPN reported that in 2018, approximately 25% of users use the same password for every account, while approximately 23% of the same sample set click on a link before verifying its authenticity or purpose. These statistics are particularly worrying because ransomware is a preferred method of taking over users’ machines. 69% of IT managers reported that they had been the target of ransomware attacks in the last three years. Even more disturbing is the trend for IT managers to pay the attackers’ ransom demands to recover encrypted or stolen data.
This article looks at three key elements you can use to empower the users in your organisation to be effective first lines of defence:
1. Increase efforts and spend on tools to limit the effect of ransomware
The IT department can improve the techniques and tools used to monitor and manage ransomware attacks. Most ransomware attacks begin with phishing: a seemingly legitimate file or link that carries a hidden malicious payload, which then attacks the computer system or network. Users need to be taught how to identify and report phishing attempts, and the IT department in turn needs a clear process for handling those reports. Keeping multiple backups (online and offline) helps recover key data and limits downtime if an attack does succeed.
2. Improve password policies
The cybersecurity environment has changed so much in the last five years that simply having a password is no longer enough. There are often jokes about password policies requiring you to submit your DNA, as well as a receipt for the meal you had last year, to verify your authenticity. In truth, passwords are out and passphrases are in. A human being's ability to remember a pseudo-random sequence of upper- and lower-case letters, numbers and special characters is limited. IT needs to assist users by providing tools that generate and safely store passwords. Where no such tools are available, users can memorise a combination of words to form a passphrase instead of a complex password.
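To show why a passphrase is a reasonable substitute for a complex password, here is an added example (not code from the original article) of a small generator that draws words with the operating system's CSPRNG and reports the entropy of the result against a character-based password. The word list is a constructed stand-in; a real deployment would use a vetted list of several thousand words.

```python
import math
import secrets

# Constructed, deliberately short word list for demonstration only.
# A production generator would load a vetted list (thousands of words).
WORDS = [
    "amber", "basket", "candle", "dolphin", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "ladder", "marble", "needle",
    "orange", "pencil", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zipper", "anchor", "bridge", "copper",
    "desert", "ember", "falcon", "glacier",
]

def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words chosen uniformly and independently from a list."""
    return num_words * math.log2(wordlist_size)

def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password over a given character set."""
    return length * math.log2(alphabet_size)

def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(num_words: int = 5, wordlist=WORDS, separator: str = "-") -> str:
    """Join num_words uniformly random words; secrets (not random) gives CSPRNG choice."""
    if num_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word drawn from at least two candidates")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))

if __name__ == "__main__":
    # Compare a typical 8-character "complex" password (95 printable ASCII minus space = 94)
    # with a 5-word passphrase from a 7776-word diceware-sized list.
    print(f"8-char complex password: {password_entropy_bits(8, 94):.1f} bits")
    print(f"5-word passphrase (7776-word list): {passphrase_entropy_bits(5, 7776):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(80, 7776)}")
    print("sample (demo list, low entropy):", generate_passphrase())
```

The generator must use `secrets`; a passphrase drawn with the `random` module is predictable and gives none of the entropy the calculation promises.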
3. Educate on cybersecurity and social media impact
Social media has brought many positives by enabling greater connections between people all over the world. With this comes a culture of sharing. While seemingly harmless, people share a lot of information that can be used to craft targeted phishing attacks. In general, users do not understand cybersecurity risks well, so the organisation needs to improve security education. Some organisations even go as far as simulating phishing attacks, sending emails or links to their staff to test employees’ awareness of cybersecurity risks.
By following the points above you can strengthen the first line of defence (humans) and move your organisation towards a safer, more secure system and network.
The cost of users being negligent about cybersecurity threats can be huge. Get in touch with us to help you maximize the security posture of your organization and network.