Author: Paul Gillin
A recent cyber security breach that compromised the accounts of prominent Twitter users was the result of phone phishing, which highlights a troubling new problem for security administrators: Their biggest threats are frequently the people within the four walls of their businesses.
The human element in cyber security is less about the deliberate criminal actions of insiders than innocent mistakes made by people who fail to apply basic controls such as limiting permissions on cloud databases, or who fall prey to seemingly legitimate e-mails that fool them into clicking on malicious links.
What can you do to mitigate the risk your employees unknowingly create?
The statistics
Verizon's 2020 Data Breach Report ranked mis-delivery and misconfiguration—inadvertent exposures of data caused by human error—as the third and fourth most common causes of breaches in 2020, respectively, up from sixth and eighth places in 2015.
Human factors of cyber security have been behind some of the biggest data breaches in recent memory. Last year's massive theft of 100 million records held by Capital One was caused by a misconfigured firewall. While last fall, thieves swiped more than 24 million user account records from Lumin that had been left in the open for months. FedEx was in hot water two years ago when it was revealed that nearly 119,000 documents, many of which contained highly sensitive customer information, were left unprotected on an Amazon S3 storage instance. And, according to Gartner, “through 2025, 99% of cloud security failures will be the customer’s fault.” 1
What can be done?
The simplest approach is to educate end-users about the human element in cyber security. At work, employees need to be aware of the risks of clicking on links in emails from unknown senders or senders masquerading as known sources through techniques like address spoofing. And managers need to stress the importance of employee vigilance. Verizon found that email was the delivery mechanism in 94% of malware attacks in 2019. Nearly all incidents of the devastating new form of malware called ransomware are triggered by phishing links.
Simulated attacks
IT organizations can go beyond education, though. By periodically conducting simulated phishing attacks, they can pinpoint the most vulnerable users and single them out for education. Consider setting up a dedicated internal email account, and invite users to forward suspicious emails to be checked before taking action upon them.
Misconfiguration
Education is also needed to avoid misconfiguration risks. Organizations have eagerly embraced cloud platforms to give users more control over their computing needs, but many have not provided sufficient training about the shared responsibility model that is common to most cloud platform providers. That rule states that the cloud takes care of securing infrastructure, but users are responsible for securing access, applications, storage and the operating software stack. Enterprise Management Associates (EMA) reported last year that 53% of IT and security professionals believed cloud infrastructure providers are accountable for most or all public cloud security. It's safe to assume that awareness is even lower in the user community.
Visibility
IT organizations can also work more closely with their cloud providers to improve visibility into what users are doing with their accounts. The EMA study also found 73% of enterprise security teams said lack of visibility within cloud infrastructure limits their effectiveness. While cloud providers are working hard to address the problem, customers can apply their pressure to ensure that the controls needed to lock down information are clear and easy to use. IT organizations can also take the simple step of implementing multi-factor authentication on cloud accounts so that precious data isn't protected by an easily guessed password.
Investing in the right technology
Organizations should have an incident response plan in place, so IT administrators and security professionals can quickly bring resources to bear to mitigate the impact of an attack once it begins. Likewise, consider learning more about cyber risk monitoring services and how they can find and report on the biggest gaps in a company's security, including its employees.
The author of this content is a paid contributor for Verizon.
1 Smarter With Gartner, Is the Cloud Secure?, October 10, 2019, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/.