The Human Factor of Cyber Security
Tom Mullen, O2’s Head of Cyber Security, considers the human aspect of cyber security.
We read about cyber attacks disrupting businesses almost daily, and they are becoming more sophisticated. Today, breaches can often be attributed to organised crime, white-collar criminals, or even alleged state-sponsored activity. However, in my own experience, all too often it is the people within an organisation who unwittingly pose as great a security risk as the organised, sophisticated cyber criminals.
Combine cloud computing with the growth of remote working and the use of personal devices at work, and remote or mobile employees are just a click away from exposing their organisation to unauthorised access, with the resulting risk to both data and systems. The most common approach to security has been to focus on raising awareness of how attackers operate. By ensuring that everyone is trained to spot a phishing attempt or other cyber threat, and is aware of the consequences of failing to do so, users become more vigilant.
But cyber attacks are getting more frequent and a lot more sophisticated. According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, the number of phishing attacks detected in the first quarter of 2018 was up 46% on the last quarter of 2017. With the average cost of a phishing attack for a mid-size company conservatively put at US$1.6 million, it is clear that current approaches to training and raising awareness need to be rethought.
IT department heads often say they struggle to get employees to respond to notifications of a vulnerability or attack and to take appropriate action in a timely and effective manner. With time and money at risk, I think there are two reasons behind this:
1. The blame game
Many organisations take a stance in reprimanding users who “own up” to a security breach. If a user is caught out twice, disciplinary procedures and the possibility of dismissal often follow.
Many organisations believe that if users are blamed or punished for falling for a cyber incident they will somehow be able to spot the next one and be frightened into extra vigilance. Yet research from the National Cyber Security Centre (NCSC), part of Government Communications Headquarters (GCHQ), shows this does not reflect reality. With phishing in particular, attacks are becoming more convincing in their language and in how closely they mimic real messages, hiding in what look like genuine communications from trusted brands or even colleagues.
Blame and punishment merely undermine the relationship between users and the IT team responsible for security and reduce the likelihood that your users will come to you with their concerns when something “doesn’t feel right”. The way forward is not to condemn them for being careless but to engage them in meaningful dialogue and to develop a safe and blame-free culture. It’s important to remember that the people within the organisation are not cyber security experts. They are sales, marketing, finance and HR specialists just trying to do the jobs they’ve been hired to do.
2. Training by entrapment
Phishing simulations are popular because they produce a measurable gauge of how susceptible an individual user is to the deception techniques used for most cyber attacks. However, the simulations rarely keep pace with the sophistication of genuine cyber threats, and they only serve to undermine trust and make a user feel foolish.
Certainly, training users to identify a cyber threat is important. However, expecting your users to become security experts and avoid every threat, simulated or otherwise, is unrealistic. Instead, your aim should be to help users spot the common features of deception. For phishing messages, this includes urgency or authority cues that pressure the user to act. You must also establish a culture where users feel able to ask for guidance when something feels suspicious or unusual.
So if entrapment, along with naming and shaming, doesn’t work, what steps can we take instead? There are five things I’ve found work well by taking into account the actual people you’re trying to protect.
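The "urgency or authority cues" mentioned above can be made concrete for awareness training by showing users, on real-looking text, which phrases are doing the pressuring. The following is an added example written for this page, not code from the article, O2 or the NCSC. The cue categories and phrase patterns are an illustrative assumption chosen by the editor, and the three sample messages are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Cue patterns keyed by the kind of social-engineering pressure they signal.
# The categories and phrases are an editor's assumption for illustration; a
# production list would be tuned on the organisation's own reported phish.
CUE_PATTERNS: Dict[str, List[str]] = {
    "urgency": [
        r"\bimmediately\b", r"\burgent(ly)?\b", r"\bwithin \d+ hours?\b",
        r"\bwill be (suspended|closed|deleted|locked)\b",
        r"\bfinal (notice|warning|reminder)\b", r"\bact now\b",
    ],
    "authority": [
        r"\b(ceo|cfo|managing director|it department|security team|helpdesk)\b",
        r"\bon behalf of\b", r"\bper (my|the) instructions?\b",
    ],
    "secrecy": [
        r"\bdo not (tell|discuss|share)\b",
        r"\bkeep (this|it) (confidential|between us)\b",
    ],
    "credential_request": [
        r"\b(verify|confirm|update|validate) your (account|password|details|login)\b",
        r"\b(click|follow) (the|this) link\b",
    ],
}

# Compile once; matching is case-insensitive because phish vary capitalisation.
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in CUE_PATTERNS.items()}

# Constructed sample messages (not real mail): two phish-style texts and one benign one.
SAMPLE_MESSAGES: Dict[str, str] = {
    "ceo_wire": ("Hi, this is the CEO. I'm in a meeting, so do not discuss this with "
                 "anyone. I need the payment done today, please confirm immediately."),
    "password_reset": ("Our security team has detected unusual activity. Your account "
                       "will be suspended within 24 hours unless you verify your "
                       "account via this link."),
    "lunch": "Anyone fancy lunch at the new place on Friday? Let me know by Thursday.",
}


def find_cues(text: str) -> Dict[str, List[str]]:
    """Return, per cue category, the distinct phrases in `text` that matched."""
    hits: Dict[str, List[str]] = {}
    for cat, pats in COMPILED.items():
        matched = {m.group(0).lower() for pat in pats for m in pat.finditer(text)}
        if matched:
            hits[cat] = sorted(matched)
    return hits


def pressure_score(text: str) -> int:
    """Coarse score: the number of distinct cue categories present in the text."""
    return len(find_cues(text))


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name}: score={pressure_score(body)} cues={find_cues(body)}")
```

In a training session the output is the teaching aid: the benign lunch invitation scores zero, while the two constructed phish each light up three categories, and the highlighted phrases are exactly the ones a user should learn to pause on. Keyword matching like this will produce false positives on legitimate urgent mail, so it is a prompt for the user to check, not an automated verdict.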
1. Change the way you train staff. Training is clearly essential. It only takes one user reporting something suspicious to enable the organisation to apply appropriate defences or take action to stop an attack spreading. However, training needs to be more creative and inclusive. For example, instead of catching users out with phishing simulations, why not get users to craft a persuasive and compelling phishing email of their own as part of the security awareness training? Or have users map out what data they have access to that is of value, and what safety checks or processes they feel they could put in place to protect themselves.
2. Find better ways to communicate. I was talking with an organisation recently whose IT team discovered that more than half the emails they sent informing staff about specific cyber threats remained unopened for a week or more. And that isn’t uncommon – email can be a really inefficient channel for this type of communication. Look for communication channels that can alert users dynamically and cut through the noise the average user typically has to deal with.
At O2, we use Workplace, a collaboration and communication tool set that enables us to share security awareness messages quickly, and get real-time feedback via likes, comments and reactions. Using this and other apps at our disposal, I can be confident that if we send out a security threat notice companywide, more than 95% of users will have seen it within three minutes via notifications on PCs and mobile devices.
3. Collaborate and co-create security policies.
Security policies developed in isolation are often misaligned with real shop-floor working practices. We need to recognise that people don’t choose to bypass security measures for the fun of it. Like everyone else, they simply want to focus on the job they’ve been hired to do.
By making collaboration with people the norm, organisations can identify those misalignments more easily and develop policies that take account of the real ways people work. And who knows? Perhaps their workaround is better than the procedure your policy currently stipulates, or might prompt a better solution, or even just a better way to communicate the detail? You must ensure that security doesn’t get in the way of the people in your organisation doing their jobs well.
4. Be realistic about passwords.
When it comes to password security, it is tempting to see your people as the weakest link in your organisation, and to question why they don’t simply do what they are told. However, it is unrealistic to expect your people to remember increasingly complicated passwords, to change them at regular intervals, or never to re-use old ones. In fact, research by University College London demonstrated that users are likely to write down complicated passwords, undermining their very strength. Just consider the TV5Monde television interview discussing how the TV5Monde network was hacked, in which the reporter was filmed in front of a desk with usernames and passwords covering it.
The NCSC guidelines regarding passwords are straightforward:
- A password comprising a string of three well-chosen random words can be quite memorable but not easy to guess. It provides a good compromise between protection and usability.
- Changing passwords on a regular basis is not essential. Passwords really only need to be changed when you suspect a compromise of the login credentials.
- Use a separate, strong password for your email address. It’s likely that any requested password reset links will be sent to your email address, so its security should be placed above all others.
5. Reward rather than blame. I see too many organisations with a fractious, ‘them and us’ relationship between the IT team and their colleagues. Yet working together and increasing engagement will only strengthen security. Where formerly we blamed users for falling prey to a threat or scam, it is time to foster collaboration and reward vigilance. Their knowledge and experience of working practices will be invaluable in identifying weaknesses and introducing policies and procedures that enable rather than hinder work.
What are your experiences of the human aspects of cyber security? We’d love to hear from you. At O2, we can help you with systems designed with security from the outset, from CAS(T) accredited networks to O2 Gateway, our flexible and secure platform combining fixed, wi-fi and mobile networks.
Get in touch to talk about how we can help keep your people and systems secure.