Cybersecurity: Always keep in mind its human component
Protecting hardware and software against cyber threats may require highly technical skills, but it is conceptually straightforward, because the causal relationship between an IT vulnerability and a data breach is so direct. To illustrate, when information security (infosec) experts discover a zero-day vulnerability, developers must find a way to patch it before cybercriminals can exploit it.
Indeed, IT departments have countless hardware and software protection tools at their disposal, such as anti-malware programs and network firewalls. However, they must always keep in mind that their biggest vulnerability by far is the human user. There are three main reasons for this: people make mistakes, people can be lazy, and people may not feel that they are part of the organization’s cybersecurity efforts.
People are prone to making mistakes
Fraudsters take advantage of staff members’ weaknesses all the time. For example, a phisher may send employees a fake email saying that company accounts may have been compromised in a hacking campaign. The email will go on to say that account holders must log in and change their access credentials to keep their accounts safe from takeovers. Out of sheer worry, some email recipients click on the link provided and arrive at a spoofed login page.
Unbeknownst to them, as soon as they submit their login details, they’re actually handing over their credentials to the phisher. That cybercriminal will then go to the real login page, sign in using the stolen credentials, then change the username and/or password to lock the original user out of the account. The hacker is then free to pose as the victim, roam around the company network, and steal as much data as they can get their hands on.
Organizations must always keep in mind that their biggest cybersecurity vulnerability by far is the human user.
Zero trust: A way to cover people’s fallibility
There are plenty of ways to fool people, so one way to manage this risk is by minimizing the consequences of staff members falling for fraudsters’ tricks. In a zero trust security model, the organization assumes that its network has already been infiltrated, which means that mere entry no longer signifies trustworthiness.
Therefore, users who enter the network are only granted access to the data and apps they need to accomplish their tasks. This means that if a hacker takes over a marketer’s account, they won’t be able to dive into the accounting department’s drives and steal from their folders. Rather, the hacker will be limited to what the authentic user has access to.
Machine learning-powered tools
Another way to cover for people’s fallibility is by being smarter at nipping hacking attempts in the bud. To illustrate, identity and access management (IAM) programs can now identify the IP addresses of the devices from which logins are made. Thus, if a user normally logs in from Salt Lake City but suddenly pops up in Melbourne, Australia, the IAM program can flag that login as suspicious.
Additionally, there are now many machine learning-powered network monitoring tools that can be trained to identify normal and innocuous behaviors over time. Once behavioral baselines are established, the tools can identify suspicious activities that the IT department must investigate.
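The Salt Lake City-to-Melbourne check described above can be implemented as an "impossible travel" rule: two consecutive logins by the same user are flagged when the distance between them divided by the elapsed time exceeds what any traveller could manage. This is an added example, not code from the original article or from any IAM product; the city coordinates, the 1,000 km/h threshold and the login records are all constructed for illustration (a real IAM tool would resolve source IPs to locations).

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Constructed lookup table: (latitude, longitude) per login location.
GEO = {
    "Salt Lake City": (40.7608, -111.8910),
    "Melbourne": (-37.8136, 144.9631),
    "Provo": (40.2338, -111.6585),
}

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner speed

@dataclass
class Login:
    user: str
    when: datetime
    city: str

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_impossible_travel(logins):
    """Return (user, from_city, to_city, km/h) for each pair of consecutive
    logins by one user that would require travelling faster than the threshold."""
    flagged, last = [], {}
    for lg in sorted(logins, key=lambda l: l.when):
        prev = last.get(lg.user)
        if prev is not None and prev.city != lg.city:
            hours = (lg.when - prev.when).total_seconds() / 3600
            km = haversine_km(GEO[prev.city], GEO[lg.city])
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                flagged.append((lg.user, prev.city, lg.city, round(speed)))
        last[lg.user] = lg
    return flagged

# Constructed sample login records.
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Login("alice", T0, "Salt Lake City"),
    Login("alice", T0 + timedelta(hours=2), "Melbourne"),  # ~13,600 km in 2 h
    Login("bob", T0, "Salt Lake City"),
    Login("bob", T0 + timedelta(hours=1), "Provo"),        # ~60 km in 1 h
]

if __name__ == "__main__":
    for hit in flag_impossible_travel(SAMPLE):
        print("suspicious login:", hit)
```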
People can be lazy
There are many small things that require the barest of efforts but that staff members fail to do out of sheer laziness. For instance, they’ll forget to lock their computers when they leave their workstations. This lets unauthorized users take over the station, launch browsers, and open tabs for email and other accounts that the authentic user is signed into.
At other times, people just tend to use the most convenient methods available to them. They’ll use short and easy-to-crack passwords or reuse passwords for multiple accounts if they can. And even when they’re required to change their passwords regularly, they may just use a base phrase for all of their passwords, then add the month and year to make them unique from one another. While this may look ingenious at first, it actually introduces predictability. That is, if a hacker gets hold of an expired password, they can easily guess what the current one may be.
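One mitigation for the base-phrase-plus-date habit is to check, at password-change time (when the user supplies both the old and the new password), whether the new one is just the old one with a date-style suffix swapped. The example below is added here and is not code from the original article; the suffix pattern and the 0.8 similarity threshold are assumptions, and the sample passwords are constructed.

```python
import re
from difflib import SequenceMatcher

# Assumed pattern for the suffixes users bolt onto a fixed base phrase when
# forced to rotate: optional separator, optional month name or number,
# optional century, two digits, optional trailing punctuation.
DATE_SUFFIX = re.compile(
    r"^(?P<base>.+?)[-_.!@#]?"
    r"(?:(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*|"
    r"(?:0?[1-9]|1[0-2]))?[-_.!@#]?(?:19|20)?\d{2}[!@#$]*$",
    re.IGNORECASE,
)

def strip_date_suffix(password):
    """Return the lower-cased base phrase with any date-like suffix removed."""
    m = DATE_SUFFIX.match(password)
    return m.group("base").lower() if m else password.lower()

def rotation_is_predictable(old_pw, new_pw, min_ratio=0.8):
    """True when new_pw is old_pw with only a date suffix changed, or when the
    two strings are otherwise near-identical (e.g. a single digit bumped)."""
    if strip_date_suffix(old_pw) == strip_date_suffix(new_pw):
        return True
    ratio = SequenceMatcher(None, old_pw.lower(), new_pw.lower()).ratio()
    return ratio >= min_ratio

if __name__ == "__main__":
    # Constructed sample rotations.
    for old, new in [("Fluffy-Jan23", "Fluffy-Feb23"), ("Winter2023", "Winter2024"),
                     ("Summer1!", "Summer2!"), ("Fluffy-Jan23", "xk7$Qw!pLm9z")]:
        print(f"{old!r} -> {new!r}: predictable={rotation_is_predictable(old, new)}")
```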
Multi-factor authentication (MFA): Require users to submit additional proof of identity
The most popular solution to the problem of passwords is tacking on more steps during the login process. Users may be asked to submit a one-time passcode from an authenticator app, or to have their fingerprint scanned. Since password-based systems are currently the most prevalent identity authentication tools, building on top of them is intuitively the next logical step, because developing and implementing entirely new systems requires much more effort.
As previously mentioned, it’s easier to add extra steps to existing processes, but MFA runs counter to the frictionless login experience that users want. This is why passwordless authentication methods, such as hardware security tokens and advanced biometrics, have been introduced.
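The "one-time passcode from an authenticator app" mentioned above is, in practice, a time-based one-time password (TOTP, RFC 6238): server and app share a secret and each computes an HMAC over the current 30-second time step. The following is an added example, not code from the original article; it shows the server-side generation and verification, including the one-step tolerance for clock drift and a constant-time comparison. The secret is the RFC 6238 test-vector secret, used here only as sample input.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `timestamp`."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, submitted: str, now: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept `submitted` if it matches the current step or any step within
    +/- `window` (tolerates small clock drift). Comparison is constant-time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), submitted)
        for k in range(-window, window + 1)
    )

# Base32 form of the RFC 6238 sample secret "12345678901234567890" (sample input only).
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(b"12345678901234567890", int(time.time()))
    print("current code:", code, "verifies:", verify_totp(SAMPLE_SECRET_B32, code))
```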
People feel they’re not a part of the company’s cybersecurity efforts
According to a 2014 study, staff members often see themselves as outside of an organization’s cybersecurity efforts and are therefore lax about cybersecurity, or tend to act without the company’s information security in mind. Reversing this mindset requires overhauling corporate culture, which is no easy feat. Another study suggests that companies need to take these five steps to improve their infosec culture:
- Pre-evaluation: Analyze existing infosec policies and determine how aware employees are of such policies and infosec as a whole.
- Strategic planning: Set clear metrics and targets when creating an infosec awareness program.
- Operative planning: Involve managers so that security awareness and training programs become a regular part of their responsibilities. They must strategize with IT experts so that infosec becomes integral to the company’s culture.
- Implementation: The steps laid out during the prior stages are executed. Actual performance metrics are recorded during this stage.
- Post-implementation evaluation: Actual metrics are compared against expected results or targets to see whether the organization is on track and where it must improve its efforts. From then on, the process of evaluation, planning, and implementation becomes cyclical.
What we’ve shown you so far is just the tip of the cybersecurity iceberg, which is why countless organizations in Salt Lake City and beyond rely on NetWize for their infosec needs. Let our IT specialists take care of your company, too. Request a FREE consultation today or call us at 801-747-3200.