Staff should act as substantial barrier to cyber criminal’s attempts to get to data rather than offering an open door, says AJ Thompson, pictured, CCO at IT firm Northdoor plc.
Cyber criminals targeting staff within organisations as the weakest link is nothing new. For years, users have been considered the chink in an organisation’s cyber armour and it’s easy to understand why.
With increasingly sophisticated tactics, cyber criminals are able to target users by sending convincing emails with malicious links embedded within them. One click on the link and suddenly the user has a device full of malware. Sending a colleague a username and password through email can be easily intercepted and staff working out of the office leaving their laptop open or connecting to insecure WiFi, can all result in cyber criminals getting access to devices.
There is also a misconception from users that their online accounts hold no value for cyber criminals, meaning that they do not necessarily place the same emphasis on protective measures as they would do with a ‘work account’. However, with the rapid increase in home or hybrid working, more are using their personal devices for work purposes, meaning that if their own laptop/tablet has been infected, suddenly, their organisation’s data and infrastructure is at risk.
As a result of all of this, companies are under more pressure than ever to increase security levels, remind their employees of the risks and what they should be doing to better manage those risks.
Security alert fatigue
The nature of many of the security solutions is that they can become so regular and generic that they are eventually ignored by users. An alert warning a user that they are about to reply to an external sender quickly becomes irritating and consequently ignored. We become blind to these alerts in a phenomenon called ‘security fatigue’.
This is a particularly dangerous situation, and one that cyber criminals are increasingly looking to exploit. Essentially staff members are reaching the limit of how much information they can process, leaving them in a position where they are unable to make a rational decision.
This means that employees can behave impulsively as a result, making decisions driven by immediate motivators, avoiding unnecessary decisions and instead, selecting the easiest option. This results in people using the same password or PIN for every account, disabling security alerts, abandoning activities when required to go through additional security measures.
These activities make the life a lot easier for any cyber-criminal looking for the route of least resistance into an organisation’s data or infrastructure.
Training should be a constant rather than a one off
Companies have attempted to bolster their security by scheduling security awareness training for employees. However, one off sessions or yearly reminders simply do not do the job.
For one, employees will forget much of a session unless the lessons are repeated regularly. Secondly, cyber-criminals are constantly changing and adapting the methods they use to attempt to gain access. With a changing threat landscape, it is easy to see how a one-off session quickly becomes irrelevant.
Even though the consequences of a security breach can be monumental for an organisation, the responsibility lies with a small group of administrators and security teams to try and prevent these issues – and to step up and fix things when they inevitably go wrong.
Training is important as are the traditional cyber defences most companies have in place . They can both be effective against weak security threats, however, they often fail to stop the more sophisticated threats, such as social engineering attacks from getting through. For these more complex threats a different, more thorough solution is required.
Reduce security fatigue
To combat security fatigue and to ensure users are only alerted at the point of risk, some companies are turning to software that provides real-time teachable moment. This empowers users to take charge of their own security behaviours, in turn reducing human activated risks on email.
This proves to be much more effective than generic training sessions that employees will forget within a couple of days or bombarding them continuously with security notifications that they eventually ignore. This software is often made up of three components:
Defend: designed to stop inbound phishing attacks by adding coloured warning banners
Prevent: displays information as the user is composing the email to help them catch their own mistake before it impacts on the wider business
Protect: determines the risk of a breach as data is shared
Empowering users
Leveraging such technology to help empower employees to make their own security decisions reduces the increasing burden on admin and security teams, allowing them to focus on other, business critical aspects of their roles that could otherwise be more neglected.
The key is to integrate these real-time teachable moments into employees’ day-to-day work, allows them to apply what they have learned from their training to real-life situations. This approach is also designed to make your employee feel that they are being educated rather than being policed. It empowers them to make informed decisions about security and changes the dynamic within organisations.
Instead of worrying about users being the weakest link within an organisation, they are transformed into informed and empowered decision makers, transforming them into your strongest security asset.
