Vigilance the key IT Security skill – but can humans master it?
- Cybercrime in all its forms — such as email scams and ransomware — won’t slow down any time soon. Attacks will occur more frequently and deal greater damage.
- The pandemic and the normalisation of remote work have multiplied the security risks faced by individuals and organisations.
- Humans are the weakest link in IT security.
- Employee awareness is a key part of the defence, but there’s an important role for software that fights “vigilance fatigue”.
In the midst of a global pandemic, it’s easy to lose sight of the other plague – cybercrime. Costing trillions of US dollars (in ransom/extortion revenue, financial theft, sales of stolen data on the black market, and total damages), cybercrime includes data breaches, email fraud, cryptojacking, denial of service (DoS), identity theft, SMS texting scams, and ransomware attacks.
More recently, the first half of 2022 has been dotted with a string of visible criminal activity. Companies like Microsoft, Nvidia, Samsung, Okta, and T-Mobile fell victim to data breach attacks by the international hacker group LAPSUS$. In April, the Conti ransomware gang attacked Costa Rica’s Ministry of Finance. The attack disrupted the country’s import/export businesses (losing tens of millions of US dollars per day) and forced its president to declare a national emergency – a historic first in the database of cybercrime.
To err is human
The relentless spate of attacks has compelled more and more enterprises, managed service providers, and small to mid-sized businesses (SMBs) to adopt a Zero Trust security mindset. This radical shift not only spurs the development of more powerful countermeasures that utilise sophisticated AI and other technologies; it also entails an environment where vigilance is a key norm.
But as countermeasures develop, threat actors continue to get better at what they do – enabling cybercriminals to demand higher ransoms, steal more data, and cause greater damage. Making matters trickier, the frontline of this protracted arms race is manned by the weakest link in the network: humans.
Humans, with all our flaws and unpredictable behaviour, tend to play a common role as the gatekeepers of data. We are also the only network component that easily succumbs to vigilance fatigue. In fact, an Egress study found that 40% of massive data breaches succeeded by exploiting distracted and stressed-out employees. A separate research paper with near-identical conclusions further noted that while companies focus their security investments largely on tech-heavy solutions, an outsider’s ability to breach your defences often relies on internal employees’ awareness and the level of risk they are willing to take as they perform different tasks.
Sometimes, you don’t even need to be so stressed or distracted to fall for a con. The ransomware attack that shut down Ireland’s public healthcare system infected the network through a single workstation whose user clicked on an email attachment that appeared to be a legitimate Excel file.
Meanwhile, the slow-moving senior IT executives who opted NOT to implement an already approved and funded security upgrade proposal at Maersk might have seriously impaired the company’s ability to defend itself against NotPetya, a disk-wiping malware that can strip a network of all its data in seconds. Partly as a result of flawed human decisions, the world’s largest container shipping line incurred losses of around US$300 million, not including losses incurred by many customers and other organisations in its global supply chain. A multi-award-winning author described the cause and the effect succinctly when he said:
“Few firms have paid more dearly for dragging their feet on security.”
Vigilance and IT Security Awareness Training
Human weaknesses and vigilance fatigue unwittingly serve as attack vectors highly favoured by cyber criminals. In fact, Verizon’s 2022 Data Breach Investigations Report shows that human vulnerabilities – exploited through phishing, stolen credentials, and social engineering techniques – figured in 82% of data breaches. In its findings, the telecoms giant emphasised the importance of a “strong security awareness program.”
With the pandemic effectively normalising remote work, the attack surface of nearly every company has also significantly expanded. That means access to secure networks becomes more distributed, with many endpoint devices used by remote workers having uncertain levels of protection against malicious activity. Even VPNs have lost their aura of security, having been on the receiving end of sustained targeted attacks in 2020 and 2021.
With or without a VPN, a remote worker can expose your network to a deluge of malware with one wrong click. Such was the case in the ransomware attack on the Health Service Executive (HSE). That particular mistake allowed cyber criminals to access, navigate, and infect the online services of Ireland’s public healthcare system for two uninterrupted months before fully detonating the Conti ransomware.
As remote work dramatically reduced in-person communication, the use of messaging apps, conferencing tools, and email skyrocketed. So did phishing attacks and business email compromise (BEC) scams. The prevalence and damage wrought by these cybercrimes prompted the FBI to issue an official alert in May 2022: citing BEC statistics, warning users of common tactics, suggesting remedial measures, and establishing an estimate on just how much email scams have already cost organisations and users since 2016 – a staggering US$43 billion.
As in many other types of cybercrime, BEC scams exploit human attributes and behaviour such as innate curiosity, the eagerness to help colleagues in need, or the sense of urgency in accomplishing special tasks directly assigned by superiors (aka scammers pretending to be the boss).
Given the threat landscape, protecting your company takes more than just reinforcing the technologies that constitute your IT security infrastructure. You also need to empower your people. And that goes beyond policies on internet use, app restrictions, financial transactions, and BYOD (bring your own device) standards.
In a poll by Infosecurity Europe, around four in ten respondents believe that awareness training is the best way to mitigate the risks surrounding remote work. They are not wrong. Overall, simulated cyber attack training has been shown to reduce employees’ susceptibility to phishing attacks by as much as 50%. In its 2021 annual report, Proofpoint stated that awareness training reduced phishing susceptibility in the workforce of eight in ten organisations. That went for both simulated and actual attacks. The reduction might not happen overnight but ROI for sustained awareness training is solid, given the incremental improvements and the potential cost of a compromise.
The well-established case for security awareness training makes it an integral part of the NIST Cybersecurity Framework, a federal guideline for private companies developed by the U.S. National Institute of Standards and Technology.
Around the world, managed service providers like Computer One conduct IT security awareness training that can reinforce your company’s human firewall and effectively curb the success rates of cybercrime directed at your business.
An excellent IT awareness training program will have the following characteristics and components:
- Uses an engaging mix of software, classroom training, and experiential learning customised for each unique client organisation.
- Uses simulated attacks to profile your company’s overall vulnerability by mapping the relative exposures of individual staff.
- Provides different types of assessment reports and recommendations.
- Scalable and flexible to accommodate corporate growth, staff turnover/onboarding, and other changes.
- Oriented towards a proactive cultural shift when it comes to IT security and resiliency.
Vigilance in a Bottle
Nearly all (93%) cybersecurity experts believe that companies should invest in both human and technology assets for detecting and responding to cyber threats. Almost as many cite security awareness training as a key element of cyber resilience.
That’s because it actually works. And when done correctly, IT security awareness training delivers other compelling benefits:
- Affordable way to improve your company’s protection from cyber crime, including insider incidents.
- Cost-efficient solution that helps reduce downtime (the majority of which is caused by hostile activity).
- Three-fold return on investment or more.
- Helps build and sustain a culture of security and compliance.
No industry, market niche, or location is immune to cyber crime. In fact, even cyber criminals prey on each other. And no human can make correct decisions 100% of the time.
That’s why security awareness training is best supported by security-as-a-service solutions that include Security Information and Event Management (SIEM) and Managed Detection and Response (MDR) solutions. Technology that can monitor your network, flag suspicious behaviour and bring it to the attention of dedicated security staff is the best way to detect a compromise early, just after it has managed to evade your security-conscious staff members.
The last word…
Australia ranks among the most targeted nations in the Asia Pacific, based on industry reports and official data. The growing list of organisations that have experienced a notifiable data breach includes JBS Foods, Spotless Group, UnitingCare QLD, Seyfarth Shaw, Toll Group, the Australian National University and Canva.
How protected is your organisation from data breaches, email fraud and ransomware? How aware are your people about cyber threats and how prepared are they to resist them? Combine security awareness training with a managed security service for the best preparation against cybercrime.