Note: This is Part 1 of a two-part series.
As it relates to cybersecurity, most leaders are aware of threats from malicious hackers, and some companies also face threats from nation-states and organized crime. However, non-malicious or unintentional threats also pose cybersecurity dangers to organizations.
Malicious or not, people represent the biggest cybersecurity risk, according to the security professionals surveyed for the 2019 State of OT/ICS Cybersecurity Survey by SANS, a cybersecurity training organization.
When 348 security professionals — representing information technology, operational technology, and hybrid IT-OT domains — were asked to identify the greatest risk to compromise, 61% chose people, compared to 22% who identified technology, and 14% who selected processes and procedures.
Why people are the greatest risk
"People are at the core of the risk equation, for several reasons including that all incidents effectively start with a human, malicious intent or not," according to Barbara Filkins, senior analyst at SANS.
To some extent, that sounds depressing, considering the myriad cybersecurity solutions available. But perhaps that is exactly why the survey respondents ranked technology and processes so much lower.
"The hardware, software, and security solutions we have available to us today as IT professionals to secure private networks from malicious attackers and minimize outsider threats and vulnerabilities are actually amazingly powerful and really quite strong and quite difficult to circumnavigate by cyber criminals." Those words of comfort come from Michael Nizich, Ph.D., and they actually raise more questions. Nizich is adjunct associate professor in the department of computer science at the New York Institute of Technology, director of the school’s Entrepreneurship and Technology Innovation Center (ETIC), and director of the NSA/DHS CAE Cyber Defense Education Program.
He explains that these complicated systems must be properly configured and made to work collaboratively with other proprietary solutions also running on the same network.
"The human implementers of security solutions are naturally prone to mistakes and oversights as in any other profession." The second risk is actually ironic: since properly configured systems are so difficult to bypass, Nizich says the cybercriminals have found that the most natural and easiest way into a network is now through its users.
"The rapid advancement of security technology has placed more information at risk because the system users have now become the target of cybercriminals instead of the systems themselves," he explains. "This tactic or modus operandi known as social engineering is the most common form of attack today."
How your employees are at risk for compromise
So what, specifically, are your employees (and you) doing to jeopardize your company’s cybersecurity, and how?
For starters, with the growth of bring your own device (BYOD), employees are bringing more than their smartphones and tablets to work — they’re also bringing potential risks. "Employees are accessing sensitive corporate content on the same device from which they are checking Facebook, downloading games, and emailing friends and family," according to Eric Williams, founder and CEO of ijura, a cloud-based cybersecurity platform.
Since their personal devices are outside the scope of corporate device management and security policies, Williams says both the devices and applications are exposed to hackers and cybercriminals, creating a potential backdoor to access corporate information and networks.
"Either through error or lack of awareness/education, more people are using their mobile devices to access sensitive data." In fact, he says many of the biggest data breaches in 2018 were the result of unintentional disclosure of data. "Users make ill-advised decisions about the apps that are able to see and transfer their information, such as gaming apps that hide in the open and gain users’ trust before stealing data."
Williams cites further examples: employees accidentally transferring company files to public cloud storage, or forwarding a sensitive email to the wrong recipient. "These social engineering threats are usually carried out by digital ‘phishing’ or its more targeted offshoots, ‘spear-phishing’ or ‘whaling’ — often experienced as fraudulent email purporting to be from a legitimate source."
If employees take the bait, they may end up with malware-laden attachments which can infect their computers, or they may be guided to phony websites where they are tricked into providing such sensitive data as usernames and passwords.
Cybercriminals are using increasingly sophisticated levels of deception and/or intimidation to gain unlawful access to systems and data. "Figures from this year’s Microsoft Security Intelligence Report show that phishing attacks are currently among the most rapidly increasing types of cyberthreats, increasing by a massive 250% in 2018," Williams says.
But it’s not just the employees who pose threats. Executives, who have access to critical systems and unchallenged approval authority, are considered high-value targets. "Senior executives are typically time-starved and under pressure to deliver, so they quickly review and click on emails, or have assistants managing email on their behalf, making suspicious emails more likely to get through," Williams says.
According to the survey, other unintentional threats are posed by service providers, contractors, and equipment suppliers.
Part 2 of this series will examine the cybersecurity risks posed by technology and processes, as well as ways for companies to remain secure.