The Biggest Risk for Security Breaches: Humans!
You can have all the tools in place: firewalls, security programs, routinely updated passwords and security team members. But that still might not be enough.
We advocate for increased employee security awareness training as well as maintaining the patches and updates required for programs to run at full steam. Cyber security threats aren’t going away – if anything they’re increasing in size and number. This creates added pressure for users to make sure they are performing in accordance to the cyber security training they’ve attended and protocols that their individual organization may have implemented. However, in doing so – this can oftentimes lead to cyber fatigue which is where users don’t follow proper security protocols day in and day out.
Data collected from Black Hat 2017 this past July in Las Vegas, Nevada found four main obstructions for humans to operate out of a healthy security posture:
- Remembering and changing passwords (35%)
- Never-ending software updates to protect against hacks (21%)
- Living under constant cyber security threats (15%)
- Information overload (29%)
Let’s take a look at each one closer to determine what that really means and what we can do to minimize the cyber fatigue that may occur.
Remembering and Changing Passwords
I think it’s safe to say that this is difficult for most anyone. There are so many requirements for each individual password you create with requirements such as capital letters, lowercase letters, numbers and symbols. Not to mention, you shouldn’t be using the same password for all your accounts – making it all the more complicated to create and remember— because once an adversary cracks into one of your accounts, you know they’ll try that same key to the rest of the kingdom.
So there are some options here. In your organization, do you have the means to using a single sign on (SSO) to access most all of your accounts. Not to mention, encrypting any information you’re sending as well as signing on with a VPN when working remotely to secure your data all the more.
When it comes to password strength, having a policy in place for mixing up numbers, letters, capitals and characters is a good start. However, you should also look into having a mandatory reset period so that passwords are being refreshed often enough that, even if they are compromised, it won’t be for long. Changing passwords often will lead to more people forgetting what they are and needing a quick reset. While that is a pain, it’s also part of the process. In order to keep the process of resets from further impacting your company, implement a self-service, multi-factor solution. This will allow them to change their passwords on their own with any mobile device but with the security that you need.
Constant Software Updates
Whenever you get a notification that one of your systems or applications needs to be updated to the latest version, there’s two voices that might enter your head. One being, “Not today – I just updated this and have a million things to do, I don’t have time to apply an update.” Another may be, “Is this real or is this a masked adversary trying to use this as a way in entering my environment.”
Both, however, wind up with the same action of putting off software updates – which in the long run only puts you more at risk because there will be gaps in your coverage. Again, this becomes easier with time. Being able to apply the updates at the end of the day is okay when closing down your work. Also, if there’s ever any question as to whether or not to apply the update – your IT team would much rather be asked the question, “Is this ok?” than you doing so when it’s not legitimate. It’s normal to become a little apprehensive and question everything – better safe than sorry!
Constant Cyber Security Threats
Though this one isn’t going away anytime soon – or ever for that matter – there are some things to do to make bearing that weight a bit easier. It starts with finding the appropriate means to handle the security of your organization. Is it a sole Pen Tester? Or is it scaling to a Red Team? This doesn’t remove the responsibility of each individual to abide by security protocols, but it should provide some relief. We recommend having at least one of those options, or even outsourcing your security. The main point here is to have someone continuously monitor your security and challenge your organization to see the weak spots and provide direction to how to improve.
Most likely, your security team has to conduct penetration tests each year to ensure they are compliant to their industry. Internally, or externally, make the hire to ensure someone has the security of your organization top of mind, always. This hire should constantly be aware of the current security posture you’re operating out of and can help formulate a plan to ensure security programs aren’t being forgotten about and are being executed on.
Information Overload
This is something we face in every aspect of life. We are so inundated with information about everything that it’s hard to filter through what’s important and what’s not. One way to minimize this issue in your organization is to send out tips or tricks for security best practices one by one. Yes, this might create more emails – but short emails with a quick tip and brevity may be easier to digest and be better received by your team.
Also, if there is a large breach, such as a mass-scale phishing scheme or social engineering ploy in the works (even outside your organization) send those as reminders to your organization to be on the lookout for anything out of the ordinary and to be extra careful.
It’s not always been this way - and change is hard. These are the times we are living in and we’re all learning how to adapt and handle this new environment. To continuously monitor your organization – and your people – continue to test them. Practice makes perfect. And in a world that is constantly evolving and the risks are getting bigger, it’s best to continue to challenge their security knowledge to further protect the data and people within your organization.