Enterprise IT ecosystems can be considered an amalgamation of digital technology and people. Enterprise cybersecurity largely focuses on the technology layer – various forms of hardware and software. The human layer, however, is now receiving increasing attention from cybersecurity leaders because humans can do what hardware and software cannot: act independently and override hardware and software controls based on their judgement, which may be flawed or misguided. Verizon’s 2022 Data Breach Investigations Report reveals that 82% of breaches involve the human element.
Strengthening the human layer in enterprise cybersecurity presents a unique challenge as, unlike hardware or software which are available as identical copies with identical weaknesses and solutions when procured in large volumes, people are individuals with varying degrees of awareness, interest, comprehension, conscientiousness, and other attributes that influence their ability to always do the right thing at the right time. Instead of viewing people as the weakest link in the cybersecurity chain, organisations can leverage the power of individual agency to guide human actions towards favourable outcomes that cannot be achieved through technology measures.
How Human Actions Impact Enterprise Cybersecurity
Human actions may result in cybersecurity incidents through (i) human error, (ii) manipulation, and (iii) deliberate action. Security teams must analyse how each of these may manifest within the context of their organisation and industry, and develop appropriate countermeasures.
Human error may be the result of a lack of knowledge, a lack of tools, or a temporary lapse in judgement caused by fatigue, distraction, or urgency. Examples of human error in cybersecurity include creating weak passwords, using administrator accounts for tasks that do not require elevated privileges, and connecting an enterprise device to an untrusted public Wi-Fi network. Such errors give attackers a foothold from which to launch an attack. The 2021 Colonial Pipeline ransomware attack, which caused fuel shortages in the USA, began with the compromise of a single password for a VPN account that was no longer in use but still active, and that was not protected by multi-factor authentication.
Manipulation is a favoured tactic of cyberattackers, who use social engineering to mislead computing users into performing actions the users believe are benign but will negatively impact the business. These include
- Opening an infected attachment believing it is a genuine file such as a resume or circular, resulting in a ransomware attack
- Transferring funds to a bank account specified in an email assuming the email was sent by the CEO, resulting in financial loss
- Sharing a password because the request appeared to originate from a supervisor or helpdesk personnel, allowing the attacker to infiltrate the organisation and deploy malware or steal valuable data
Deliberate action, also known as an insider attack, results from an employee, or another stakeholder with access to enterprise IT resources, acting with intent to harm the organisation. The motivation is usually greed, revenge, or espionage. Such attacks are difficult to defend against because the attacker is familiar with the organisation’s IT infrastructure and cyber defences, and may hold access privileges that make the attack easier, particularly if they occupy a senior position in the organisation’s hierarchy or are part of the technical team.
Reinforcing the Human Layer
Performing an organisation-wide cybersecurity audit is a critical first step in strengthening the human layer. The audit will identify weaknesses in the IT infrastructure, such as the ability to set weak passwords, that must be addressed. When resolving identified weaknesses, it is essential to ensure that the same issue cannot recur. This requires a cybersecurity policy that lays down standards, such as minimum password length and complexity, and mandates technical controls that enforce them, such as rejecting weak passwords at the point they are set, so that security does not depend on voluntary staff compliance.
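To illustrate what such a technical control looks like, here is an added example of a server-side password check that rejects weak passwords at the moment they are set. This is illustrative code written for this page, not code from K7 or from any product it describes. The policy values (minimum 12 characters, three character classes), the deny list and the normalisation rules are assumptions; a real deployment would load a full breached-password corpus rather than the handful of constructed entries below.

```python
"""Server-side password policy check, applied when a password is set so that
the policy is enforced by the system rather than left to staff compliance.
Added illustration: policy values and deny list are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed deny list of common and previously breached passwords.
RAW_DENY_LIST = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "summer2024", "companyname",
}

# Trailing decorations users append to slip past naive checks, and the
# letter substitutions that do not add real strength.
_TRAILING = "0123456789!@#$%^&*."
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "$": "s", "3": "e"})


def normalise(pw: str) -> str:
    """Reduce a password to its base word so that 'P@ssw0rd!' and
    'Password2024' both compare equal to 'password' in the deny list."""
    base = pw.lower().rstrip(_TRAILING)
    if not base:            # purely numeric/symbolic input: keep it as-is
        base = pw.lower()
    return base.translate(_LEET)


# Normalise the deny list once so lookups are a single set membership test.
DENY_LIST = frozenset(normalise(p) for p in RAW_DENY_LIST)


@dataclass
class Policy:
    min_length: int = 12
    max_length: int = 128
    min_classes: int = 3     # of: lower, upper, digit, symbol
    deny_list: frozenset = field(default_factory=lambda: DENY_LIST)


def char_classes(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_password(pw: str, username: str, policy: Optional[Policy] = None) -> List[str]:
    """Return the list of policy violations; an empty list means 'accept'."""
    policy = policy or Policy()
    violations: List[str] = []
    if len(pw) < policy.min_length:
        violations.append("too short")
    if len(pw) > policy.max_length:
        violations.append("too long")
    if char_classes(pw) < policy.min_classes:
        violations.append("too few character classes")
    if normalise(pw) in policy.deny_list:
        violations.append("common or breached password")
    if username and username.lower() in pw.lower():
        violations.append("contains username")
    return violations


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Welcome2024!", "correct horse battery staple 42"]:
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```

The deny-list check is the part that does most of the work: NIST SP 800-63B recommends screening new passwords against lists of commonly used and previously breached values, and treats composition rules as secondary. The normalisation step exists because users, and attackers' wordlists, both know that "Password2024!" is "password" with decorations.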
The cybersecurity policy should go beyond factors that directly impact cybersecurity and address processes that indirectly affect cyber defences. Employee exit formalities, for example, should stipulate that an employee’s access is disabled as soon as they leave the organisation, and include a check that this has actually happened, so that neither the former employee nor a threat actor can use a dormant account to launch an attack. Accounts that are no longer in use but remain active deserve the same treatment whether or not they belong to a leaver.
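One way to verify that exit formalities have actually been carried out is to reconcile the identity provider's account export against the HR roster of current staff and flag anything that should have been disabled. The following is an added example with constructed data, not a K7 tool or a script from the page; the field names, the 90-day dormancy window and the sample accounts are all assumptions.

```python
"""Leaver and dormant-account check: compares an identity-provider export
against the HR roster and flags accounts that should have been disabled.
Added illustration with constructed data; thresholds are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample export from the identity provider / VPN concentrator.
ACCOUNTS = [
    {"user": "alice",      "last_login": "2024-05-30", "mfa": True,  "enabled": True},
    {"user": "bob",        "last_login": "2024-04-20", "mfa": False, "enabled": True},   # left in March, still logging in
    {"user": "carol",      "last_login": "2024-05-29", "mfa": True,  "enabled": True},
    {"user": "dave",       "last_login": "2023-11-01", "mfa": True,  "enabled": False},  # correctly disabled on exit
    {"user": "erin",       "last_login": "2024-02-01", "mfa": True,  "enabled": True},   # current staff, long unused
    {"user": "vpn-legacy", "last_login": "2023-09-02", "mfa": False, "enabled": True},   # no owner, no MFA
]
# Constructed HR roster of people currently employed.
HR_ACTIVE = {"alice", "carol", "erin"}
NOW = datetime(2024, 6, 1)


def find_risky_accounts(accounts: Iterable[dict], hr_active: Set[str], now: datetime,
                        dormant_days: int = 90) -> Dict[str, List[str]]:
    """Classify enabled accounts into the conditions a leaver/dormancy review
    should catch. One account may appear under several headings."""
    cutoff = now - timedelta(days=dormant_days)
    findings: Dict[str, List[str]] = {"orphaned": [], "dormant": [], "no_mfa": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to exploit
        user = acct["user"]
        if user not in hr_active:         # no current employee behind the account
            findings["orphaned"].append(user)
        if datetime.strptime(acct["last_login"], "%Y-%m-%d") < cutoff:
            findings["dormant"].append(user)
        if not acct["mfa"]:
            findings["no_mfa"].append(user)
    return findings


def accounts_to_disable(findings: Dict[str, List[str]]) -> List[str]:
    """Orphaned or dormant accounts are disabled outright; an account that is
    legitimate but lacks MFA is remediated rather than disabled."""
    return sorted(set(findings["orphaned"]) | set(findings["dormant"]))


if __name__ == "__main__":
    result = find_risky_accounts(ACCOUNTS, HR_ACTIVE, NOW)
    for category, users in result.items():
        print(f"{category:9s}: {', '.join(users) or '-'}")
    print("disable  :", ", ".join(accounts_to_disable(result)))
```

Run on a schedule, this turns "access is disabled on exit" from a line in a policy document into a check with evidence: the orphaned list is the offboarding process failing, the dormant list is the class of account that was abused in the Colonial Pipeline incident, and the no-MFA list is what makes a single leaked password sufficient.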
Technology solutions, such as K7 Endpoint Security, should also be deployed to protect the organisation against employees being manipulated into opening infected email attachments or malicious links, using infected thumb drives, or connecting to compromised Wi-Fi networks.
Business processes should also be examined to ensure that a single individual does not have discretionary power that can be misused, voluntarily or otherwise. A maker/checker system must be enforced for all significant decisions, such as expenditure beyond a specified amount or providing access to confidential information, so that neither a rogue employee nor an attacker who has deceived one individual or compromised their credentials can complete a harmful action alone.
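As an added example, not code from the page or from K7, here is how a maker/checker rule can be enforced in software rather than relied on as a procedure: a payment above an assumed threshold cannot execute without a second, distinct approver, so the account of one deceived or compromised individual cannot complete it on its own. The threshold, the approver group and the names are assumptions.

```python
"""Maker/checker (four-eyes) enforcement for a payment workflow.
Added illustration; threshold, approver group and names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

APPROVAL_THRESHOLD = 10_000             # assumed policy: above this a checker is required
APPROVERS = {"alice", "bob", "carol"}   # assumed approver group; makers may be approvers too


class PolicyViolation(Exception):
    """Raised when an action would bypass the maker/checker control."""


@dataclass
class PaymentRequest:
    request_id: str
    maker: str
    amount: int
    payee_account: str
    checker: Optional[str] = None
    executed: bool = False


class PaymentQueue:
    def __init__(self, threshold: int = APPROVAL_THRESHOLD, approvers=APPROVERS):
        self.threshold = threshold
        self.approvers = set(approvers)
        self.requests: Dict[str, PaymentRequest] = {}
        self.executed: List[str] = []

    def create(self, request_id: str, maker: str, amount: int, payee_account: str) -> PaymentRequest:
        req = PaymentRequest(request_id, maker, amount, payee_account)
        self.requests[request_id] = req
        return req

    def approve(self, request_id: str, checker: str) -> None:
        req = self.requests[request_id]
        if checker == req.maker:
            # The same person, or the same compromised account, may not both
            # raise and approve a payment, even if they are in the approver group.
            raise PolicyViolation("checker must differ from maker")
        if checker not in self.approvers:
            raise PolicyViolation(f"{checker} is not an authorised approver")
        req.checker = checker

    def execute(self, request_id: str) -> bool:
        req = self.requests[request_id]
        if req.executed:
            raise PolicyViolation("already executed")
        if req.amount > self.threshold and req.checker is None:
            raise PolicyViolation("amount above threshold requires a checker")
        req.executed = True
        self.executed.append(request_id)
        return True


def demo() -> List[str]:
    """The 'email from the CEO' scenario: alice is deceived into raising a
    large transfer; her account alone cannot push it through."""
    q = PaymentQueue()
    q.create("PAY-1", maker="alice", amount=45_000, payee_account="CONSTRUCTED-IBAN-1")
    outcomes = []
    for action in (lambda: q.execute("PAY-1"),             # no checker yet
                   lambda: q.approve("PAY-1", "alice")):    # maker approving herself
        try:
            action()
            outcomes.append("allowed")
        except PolicyViolation as e:
            outcomes.append(f"blocked: {e}")
    q.approve("PAY-1", "carol")      # independent checker, who should confirm with the CEO out of band
    outcomes.append("allowed" if q.execute("PAY-1") else "blocked")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The control only helps if the checker actually verifies the request independently (for a "CEO" transfer, by calling the CEO on a known number, not by replying to the email); the code guarantees that a second, distinct, authorised person must be involved, and training, as described below, is what makes that person sceptical.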
Cybersecurity training, such as the training provided by K7 Academy, should be provided to all staff to help them recognise cyberthreats and raise an alarm if they witness suspicious activity. Employee awareness is particularly important in stopping phishing and similar attacks that rely on social engineering to attack a user rather than the IT infrastructure of a business. The combination of training and a maker/checker system leverages the exercise of judgement by individuals for the benefit of the organisation, as well-informed and alert employees will be sceptical of unusual or unexpected messages or activity from within or outside the organisation that may not be flagged by technology solutions.
The final component in strengthening human defences against cyberattacks is the development of a culture of cybersecurity in the organisation. Cybersecurity should be made a priority even in the planning stages of any initiative, management must lead by example in following cyber hygiene, and cybersecurity knowledge and track record must be considered in hiring decisions.
All businesses depend on human resources and human customers, which increases the risk of cyberattacks succeeding due to the human factor. The rise of convincing deep fakes and other advancements in Artificial Intelligence further compound this risk, requiring urgent prioritisation of initiatives to strengthen the human cybersecurity layer.
K7 Security provides AI-enhanced, international award-winning cybersecurity solutions that protect enterprises against a wide variety of cyberattacks, including phishing. Contact Us to learn more about how we can help you create a safe computing environment for your organisation.