We’re only human

We all know the scenario.

The most well-meaning employee clicks on a link and inadvertently injects ransomware into their corporate network. The fall out is severe; laptops are encrypted and customer data is compromised. The individual’s vigilance was momentarily down but the cost to the company is high. The only logical course of action for the individual is to consider dismissal. Or is it?

According to a recent survey[1], which received responses from over 5,800 businesses across 29 countries, employees lost their jobs in 31 per cent of cases following a data breach. But is this the right approach when employees are minimally trained, if at all, and are up against highly motivated and capable cyber threat actors?

Even the most experienced and qualified experts can be hoodwinked by a fake email. The Technical Director at the National Cyber Security Centre in the UK wrote a blog[2] in 2017 about how close he had been to falling for a spoof email.

We all click on links every day at work, often in a hurry. In HR and finance departments, opening attachments is part and parcel of the job. Anyone can make a mistake. We all have to accept that risk; vigilance is a finite action.

Nobody is a cyber-expert on day one. Everyone in the work place is likely to be conscious of security, but with such a sliding scale of behaviours and culture, things happen. In other words; nobody is infallible, errors will occur.

In business, it should be second nature for an organisation to address human cyber risk through awareness training (and testing) to change the security behaviour and culture of employees, to implement appropriate processes, and establish technical defences in depth. These are all key ingredients to deter and defeat a cyber incident.

The pressure on employees to be constantly vigilant is why so many cyber criminals focus their efforts on the human element. A sophisticated spear-phishing attack, based on detailed social engineering and conducted by a capable threat actor, substantially increases the risks facing board members, senior executives and employees alike. All employees, whatever level in the organisation, are often the first and last line of defence with only minimal preparation for the role.

No wonder people get things wrong.

If a company has failed to invest in its people, processes and technology with the appropriate balance of investment, it stands to reason the organisation shares some of the blame when it all goes wrong. An organisation’s security culture is set from the board level down. Changing the behaviour of people is the best insurance policy to avoid becoming a cyber security statistic.

As the NCSC Technical Director concludes in his blog post;

“Whatever that future is, it’s almost certain that at some point, someone in the NCSC will fall for a phishing attack … They won’t be ashamed and we won’t blame them. We’re only human after all.”

1) Kaspersky Labs ‘Global Corporate IT Security Risks’ 2018
2) https://www.ncsc.gov.uk/blog-post/serious-side-pranking