How seriously do your employees take security?

Human nature is a notoriously weak link when it comes to security. This article explores the surprising things employees will or won’t do when it comes to corporate security, either because of malicious intent or a lack of knowledge.

By Shirley Siluk

Thu 20 Apr 2017 @ 15:47

Despite all the latest advances aimed at avoiding cybersecurity breaches and incidents, the biggest vulnerabilities often lie not with machines but with people.

For evidence of this, look no further than today’s news, which is peppered with stories of politically motivated spear phishing, misinformation campaigns and other cyber mischief. Last year’s US presidential election, for example, saw social engineering that tricked a Democratic official into giving hackers access to his emails. Slow responses to clear security warning signs also proved costly for Yahoo, which saw hackers in recent years gain access to account information for as many as one billion users.

A recent report from the Institute of Directors (IoD) stated: “Any cybersecurity strategy should include awareness training to be effective.”

The 'Cybersecurity: Underpinning the digital economy' report added: “The biggest risk as technology becomes more sophisticated is human failure.”

To protect themselves, organisations need to become better at educating their workforces about potential cyber risks, the IoD report said. For instance, an institute survey of nearly 1,000 members conducted in December 2015 found fewer than half (49 per cent) provided any cyber awareness training for staff members.

Low-tech threats for a high-tech world

“For the foreseeable future, low-tech social engineering hacking will continue to be a dominant cyber risk,” LeClairRyan attorney David Seide wrote recently. “If anything, it is likely to proliferate across growing and emerging technology platforms – mobile and other internet-enabled devices (Internet of Things) and social media.”

Seide, who specialises in compliance, internal investigations and corporate criminal matters, said good cyber hygiene requires businesses to familiarise themselves with common social engineering techniques and provide ongoing training in how to defend against hacking threats. Vigilance and scepticism are also important.

“Given that social engineering techniques regularly change and adjust to changing circumstances, do not automatically assume that trusted sources that make requests to change passwords, download photos to share files are legitimate,” Seide warned.

Common security shortcomings also increase the risks of insider fraud.

In its 2016 'Global Fraud Study', the Association of Certified Fraud Examiners identified some of the top internal control weaknesses that paved the way for insider fraud. They included a lack of internal controls (identified by 29.3 per cent of respondents), an override of existing internal controls (20.3 per cent) and a lack of management review (19.4 per cent).

Even staff leave policies can have an impact on security lapses, according to the publication BankInfoSecurity.

“Because employees in positions of power can and often do override controls when they perpetrate fraud, many organisations require all employees to take annual vacations so their work can be reviewed,” the publication advised.

Once bitten?

Unfortunately, even past encounters with hacking or fraud don’t necessarily leave people better prepared to defend against future breaches. A report by Juniper Research last autumn found that 86 per cent of UK companies it surveyed believed they were taking adequate precautions to reduce cybersecurity risks. At the same time, fully half of those responding acknowledged having experienced a data breach.

Juniper identified a number of security shortcomings in its study. Only 52 per cent of those surveyed had secure practice guidelines in place, and just 47 per cent said they provide briefings on such practices. Monitoring and testing efforts also came up short, with only 31 per cent keeping an eye out for phishing attempts via email and just 27 per cent saying they conducted penetration tests.

On the other hand, if workplace security measures are too onerous or time-consuming, people will often find ways to work around them.

“In a vast majority of cases, people bend or break the rules to get their work done,” the UK’s National Cyber Security Centre (NCSC) noted in a video produced for the CyberUK 2017 event held in March.

Rather than blaming employees for introducing unnecessary risks, organisations should launch conversations and collaborative efforts to understand why workers don’t always follow standard security precautions, the NCSC said.

“Their workarounds and fixes often point out problems and quick interim solutions,” it noted.

For example, if employees are still writing their passwords on paper, it might be because they have to remember too many to do their jobs. A business can eliminate this problem by adopting more advanced, non-password-based security measures, the NCSC advised. At the very least, it could get workers to start using an acceptable password manager instead, which is still a significant improvement over handwritten notes.

When it comes to staying safe in today’s IT landscape, there’s no such thing as “one and done”, LeClairRyan's Seide noted.

“Cybersecurity is an ongoing process that changes as fast as technology changes,” he wrote. “And technology changes fast.”