Article

Tackling the honest and dishonest cybersecurity mistakes

‘High reliability organisations’ understand the importance of distinguishing between intentional and unintentional errors. Your organisation can do the same for the cyberthreats they face.

By Shirley Siluk

Good cybersecurity requires more than protecting against external hackers and other threat actors. It also means having the right defences against insider threats.

One in every four IT breaches is caused not by an outsider but by an internal actor, according to Verizon’s 2017 Data Breach Investigations Report. And not all of those internal threats are from ‘bad guys’.

The Information Security Forum identifies three kinds of insider cybersecurity risks: malicious, negligent and accidental. While malicious insiders are clearly ‘bad guys’, the other two types don’t mean to do harm. But the damage they cause and the bottom-line costs can be just as high.

So how can you protect against negligence and accidents by ‘good guys’? Even if you take all the usual smart security precautions – employee education, regular training and up-to-date IT controls – you should look out for the following common causes of such mistakes:

Bad design

While it wasn’t a data breach, hundreds of thousands of people in Hawaii were sent into a panic in January 2018 when emergency services sent out a mistaken alert about an incoming ballistic missile. Much of the blame fell on an employee, but one look at the alert interface for emergency workers shows the system’s design was also a contributing factor.

Poor design can confuse or frustrate users to the point that they don’t – or can’t – follow the right security protocols and precautions. And this increases cybersecurity risks.

“[W]e ought to design systems that don’t make it so easy for people to make mistakes in weird technical ways that are hard to comprehend,” Adam Shostack, author of Threat Modeling: Designing for Security, said in a 2015 interview.

Carelessness

Unintentional insider threats are often due to the simple fact that people prefer things to be fast and easy over time-consuming and cumbersome. As a result, they’ll often skipeven basic security steps in the interest of convenience.

This tendency encompasses a wide range of sins: everything from careless handling of data on portable storage devices to thoughtlessly opening an email message without first checking for warning signs of phishing.

The solution to such mistakes? As much as possible, don’t give users the option of overriding essential security measures.

Enable two- or multi-factor authentication for applications, with no bypasses allowed. Block concurrent logins to prevent the possibility of password sharing. Require timeouts and login screens. Don’t let users avoid or disable organisational security controls. And have clear, written policies in place so everyone knows how to handle sensitive data, encrypt information when required and maintain a chain of custody for important materials and devices.

Overconfidence

While it’s essential that everyone has the proper skills and security tools for the jobs they do, it’s also important to discourage overconfidence. Too often, employees – even those at the highest levels of an organisation – have a tendency to view safeguarding data and IT systems as something that can be done once and requires no further work.

In a 2017 white paper, the analyst group IDC called it ‘the overconfidence trap’. The paper suggested that security is something many C-level executives “fail to give appropriate attention to, believing they can delegate to their IT organisations, or that they can ‘set it and forget it’.”

IDC also noted it’s “no longer if or when you will be breached, but rather how often and how severe the breaches will be”. Despite this, many organisations put too much trust in the security measures they have in place, believing they make them less vulnerable to future breaches and attacks.

Step one in combatting the problem of overconfidence is simply recognising the fact that, yes, it can happen to you.

In a 2017 report on cyber risks for consumer businesses, Deloitte said organisations need to be vigilant about monitoring and always prepared to respond to an incident or breach.

So-called ‘war game’ exercises – in which security staff respond to simulated cyberattack scenarios – and regular employee education help with that. So too does simply remembering that data, as much as any other company asset, has strategic value and needs protecting.