The current narrative around cybersecurity is about businesses
needing to leverage emerging technologies such as artificial
intelligence (AI) and machine learning. A dystopian future of AI vs. AI
is our destiny as machines fight it out on the cyber warfare
battlefield.
But the reality is that 90% of all cybersecurity breaches are currently the result of human error.
Before we get too carried away with the 'rise of the machines', most businesses should be focusing on the human side of cybersecurity. It's not about pointing the finger of blame at careless employees or accusing them of being negligent. For the most part, the average employee is uninformed and unaware of the risks involved every time they click on a link or attachment.
The rise of social engineering enables attackers to take advantage of the weaknesses in human behavior. For example, anyone can see on LinkedIn or a conference website that a CEO is out of the country and speaking at an event. Hackers can quickly locate the email domain of a company from its website and target the finance team with an urgent invoice request while the CEO is away.
Another common trick is dropping infected USB drives in a staff car park. Someone will always pick up the drive and plug it into their computer and unwittingly take down the entire corporate network. This simple tactic relies on exploiting human curiosity and has even been responsible for closing an entire hospital.
If a hacker knows you've been to an Ariana Grande concert on Twitter, it's also easy to send a message saying, "did you see Ariana Grande's new video just dropped today?" This personalised approach will ensure a higher success rate when attempting to direct users to phishing pages or malware exploits.
Equally, the ubiquitous Facebook quizzes that appear harmless at first glance are often designed to extract personal information such as your mother's maiden name. Buzzfeed's "What City Should You Live In?" generated over 20 million unique visitors. It is relatively easy for an attacker to replicate quizzes like this and redesign them to extract personally identifiable information without users even realising it.
Once upon a time, an IT department would provide every employee with a Blackberry and a tightly controlled desktop PC or laptop. The BYOD movement changed all that. The guardians of corporate networks were forced to accept that stopping a deluge of new devices such as iPads from hitting the network was a futile exercise. Wireless connectivity quickly went on to dominate the workplace.
Here in 2019, enterprises allow almost any device onto their networks and also increase the risk of picking up malware through its users' browsing habits. But this was just an early indicator of the significant challenges on the road ahead.
Over the next few years, 5G is due to hit the UK and upon launch we can expect speeds of between 1Gbps and 10Gbps. But there are already reports in China of speeds reaching an incredible 20G per second. The current number of 8.4 billion IoT connected devices is expected to explode at a phenomenal rate. A new age of smart devices and sensors will begin to make the reality of smart offices and entire cities a reality.
The rise of personal smartphones, tablets, and smartwatches was generally used in plain sight. If you thought BYOD was a challenge, you better buckle up for an even faster ride. IoT device performance management and enabling businesses to leverage value from technology is just the beginning. Once again, there will be a significant education piece around vulnerability risks.
While maintaining essential cyber security features such as firewalls, access controls, virus protection, and system monitoring tools, many businesses are failing to engage with their employees. A compulsory online cybersecurity awareness course where users continuously click next every two years will not help employees retain and apply good cyber practices to protect a company.
Security awareness training needs to be much more than a box-ticking exercise. Employees need to be made aware of potential situations they will encounter when working with emails browsing the web on their lunch break with real-life examples. The role of education should not just be to raise awareness but also motivate employees to change their behavior online too.
There is a good reason why the success of many businesses has been attributed to people, process, and technology. However, even the most sophisticated technology solutions and processes are incredibly vulnerable to human error. People must always come first, and yes, that includes contractors too.
As employees, many of us are expected to be "always online and available." We drift seamlessly between remote working and spending time in the office. Unsurprisingly, 40% of smartphone users admit that their devices are used for both personal and business activities. There is an undeniable need for security awareness training programs that also encourage users to be more guarded when online.
Every employee needs to play an essential role in your cybersecurity strategy. By closing the human vulnerability gaps within your organisation, you have a much better chance of keeping the bad guys away from your corporate network and data.
We have come a long way from only having a corporate laptop and Blackberry handset to manage our workload. As our digital world continues to evolve and adapt in an age of exponential change, employers need to think differently. Compliance learning isn't just a box-ticking exercise. It should be a communication tool that empowers your employees to provide a much-needed front-line defense against cyber threats.
