Human behavior can be your biggest cybersecurity risk
Changes in user behavior are increasingly blurring the lines between personal and business. Trends like Bring Your Own Device (BYOD) and flexible working often mean that people are using work devices outside of the office. In fact, recent research has shown that half of UK workers allow friends and family members to access their work devices with no restrictions, creating a very real cybersecurity risk for businesses.
The combination of end user driven informalization and lack of cybersecurity knowledge, such as only a third of the UK workforce using different passwords for different accounts, has created the perfect environment for criminals to gain access to sensitive data and assets. By taking a people-centric approach to cybersecurity – combining technical, process, and people-based controls to minimize the human risk – businesses can engage with modern efficiency trends without leaving the door open for cyber-attacks.
For many workers, individual targets and finding the path of least resistance is the key driver when approaching tasks. While a business’ cybersecurity policy might be completely watertight, the chances that this is followed by every member of staff at all times is slim.
Naturally, cybercriminals also follow the path of least resistance. For example, why would a hacker devote the time to developing a program or algorithm that attacks a robust and impenetrable cyber defense when they could easily obtain login credentials from an unwitting end user through a simple phishing attack? Cybercriminals exploit the human vulnerability within a business, meaning that the actions of employees can prove to be the greatest cybersecurity risk to a business if left unchecked.
The act of making remote access to sensitive data simple and seamless for end users makes it that much easier for third parties to find routes into your business’s data. In fact, despite so many cyber-attacks resulting from access given to hackers via phishing, nearly two thirds of UK workers believe that up-to-date anti-virus software is all they need to stay safe from any cyberattack. And with the increasing level of comfortability of treating employer-issued devices as their own, individuals can introduce even more unnecessary risks.
While it’s easy to point the finger at shifting end user behaviors, ultimately the lack of cybersecurity education and vigilance across the business are creating a risky cyber environment for organizations. Despite the huge level of media attention on the WannaCry attack, which hit the NHS and many UK organizations, more than half of UK workers don’t know what ransomware is. If end users don’t know the risks and don’t follow your policies, it’s highly likely they can fall foul to cunning threats from cyber criminals.
Many organizations’ security and compliance tools focus on safeguarding the perimeter, helping to manage endpoints and patch system vulnerabilities. But they struggle to protect against the human vulnerability. To stop today’s advanced attacks, businesses need to focus on protecting end users by adopting a people-centric cybersecurity strategy. These strategies are a realistic approach to cybersecurity, using technology and training to protect the people in organizations, not just the technology they use.
For example, attackers are relentless when pursuing their victims. Personal email accounts can offer another way in to your business, with employees routinely checking these accounts using work-issued devices, introducing a significant security risk. From a technology standpoint however, all businesses should be separating web content for their users, providing safe and anonymous access to webmail and internet browsing while protecting the endpoint and the corporate network.
Ultimately, businesses cannot expect cybersecurity to be an easy fix. Combining software-based security with employee education and vigilance holistically across the business is essential to minimizing human risks. Taking advantage of the latest trends shouldn’t come at the expense of your cybersecurity; however, with a considered and complete approach to security, you can get the best of both worlds.