Last Updated on 8 December 2021 by Alastair Digby
The last twelve months have unlocked a Pandora’s Box of cybercrime, and malicious attackers have proven both ruthless and entrepreneurial. Organizations can no longer afford to neglect their cyber security strategy with sensitive data and their reputation on the line.
There are two types of attack surface, digital and physical. The physical refers to not just end-point devices, but people themselves. So, in this blog, we will discuss how people expand the attack surface and the main areas in which human error can lead to risk.
The Human Attack Surface – the weakest link in cyber security
Human error is one of the greatest threats businesses face today and is the most common cause of data breaches according to IBM. Yet, it is important to remember that anyone (even those most highly trained) can have lapses of judgment. Below are some outlines of key examples of human error in cyber security.
Inadequate cyber security training
End-users must be equipped with the right level of security awareness in order to operate safely. So, CISOs and other IT professionals must ensure that staff is conscious of what exactly the risks are, and specifically what’s at stake. With the right tools and mindset, employees should be able to identify and prevent security concerns. Invoking a security-first culture is critical in the current threat landscape, and should be easily reinforced with various cyber attacks frequently making front-page news.
The remote workforce is growing the attack surface
Working from home en masse has inevitably made organizations much more susceptible to risks associated with a growing attack surface. In fact, 64% of CISOs believe that remote working due to the ongoing Covid-19 pandemic has drastically increased their exposure to cyber threats.
Although it is appealing for some, this new norm comes with serious risk as more data is being stored, managed, and transferred digitally. Malicious attackers have proved relentless, and security leaders cant keep an eye on everyone, so threats have multiplied – including:
- Cyberattacks, like malware and phishing
- The use of personal devices for work purposes
- Devices being used on unprotected networks
- Some people may not be as meticulous with security while working in a more casual environment, and some firms themselves don’t enforce satisfactory cyber hygiene
However, there are ways around these issues. Check out our expert’s top tips for safe remote working to help secure your external perimeter during these unprecedented times.
Accidental or intentional misuse of devices, software, and data
Something an employee may consider harmless may in fact not be, and these actions can have serious repercussions for the wider organization. For example, sensitive data could be compromised if a personal device or a cloud service (like Google Drive) is used to store and manage company information. Or, downloading malware-infected attachments could also endanger systems. So, instilling a concrete understanding of cyber security best practices through informative employee training is key.
Weak passwords act as an open door for cybercriminals
You probably use passwords more than you might think – from accessing your device to opening emails to online banking, and of course much more. Attackers shouldn’t be underestimated and without a strong password, they could gain privileged access to your digital environment where they could locate private company information and even steal data. Did you know that 12345 is still the most popular password in the world?
Because data is being increasingly weaponized, it is important for companies to encourage all employees to remain vigilant for potential threats and promote sound password management. We recommend creating new unique logins for all accounts, and, where possible, using two-factor authentication.
Identifying cyber attacks
Sophisticated phishing attacks are becoming increasingly prevalent. Malicious attackers continue to adopt various methods, but there has been an international surge in the use of business email compromise (BEC) – a social engineering scam. In this type of phishing, attackers use email fraud to pose as a superior, for example, in order to deceive employees into unwittingly performing tasks from which the attacker will benefit – such as gaining access to private information or company funds.
With increasing reliance on email communication, BEC can easily jeopardize an organization, making it a significant threat across industries internationally. In fact, this type of attack is said to be the most financially damaging according to the FBI. So, it is crucial to be able to identify and mitigate this type of scam.
Separately, anyone can fall victim to a ransomware attack – in which attacks spread malicious software (via email for example). In this form of attack, the victims are informed that the attacker has encrypted files using a private key that only they have access to. Victims are subsequently warned that if they fail to pay the quoted sum of money by a certain time, the key required to access their data will be destroyed. We recommend that you never pay the ransom as it is effectively funding organized crime. And, of course, there is no guarantee that your stolen data will be recovered.
Security misconfigurations can have serious consequences
Misconfigurations in a network or software can create exploitable vulnerabilities that a malicious actor could use as an attack vector to enter a digital environment. Issues like not having a firewall, not using a VPN, and not disabling former employee accounts, can have serious consequences. Regularly patching misconfigurations will thus help close gaps in your security infrastructure and in turn reduce the chance of an attacker being able to take advantage of them.
The role of human error in cyber security breaches is substantial and well-documented. Although everyone makes mistakes, some can be detrimental to an organization’s longevity. Therefore, it is time to be proactive and enforce a security-first culture to prevent successful attacks. Reducing opportunities for attackers while equipping employees with the right knowledge will be pivotal for any organization’s security stature, particularly at a time like this. The sad reality is that it is no longer a question of if you will be targeted by a cyberattack, but when.
Find out how to minimize cyber risk and protect your organization with Informer and book a demo today.