Securing the human operating system: How to stop people being the weakest link in enterprise security

Protect your systems all you like but the biggest threat to security is still the worker sitting at a desk.
Written by Danny Palmer, Senior Writer

Allowing your employees to make mistakes in a safe sandbox environment could prevent the real thing

Image: iStock

A company can spend all the funds it wants on the latest cybersecurity technology, like firewalls, threat detection, artificial intelligence, and machine learning tools, but there is one security risk that can't blocked from entering the company networks: the employee.

Whether they're being coerced into doing do it or not, an employee could actively be working with hackers and cybercriminals to let them inside in your network. But in many cases it's a lax or ill-informed attitude to cybersecurity by staff which is potentially putting organisations at risk, with employees falling victim to phishing one of the major reasons that data breaches occur.

"The human operating system is a challenge in itself, we know human beings are the weakest link" says Philipp Amann, head of strategy at Europol's European Cybercrime Centre (EC3).

And the problem is only going to become trickier to solve because people are becoming more connected than ever, offering hackers additional opportunities to find the one weakness that will allow them access.

The wealth of information available on social media accounts and the wider web which can be used to personalise an attack against a specific individual within a target organisation only makes it easier for hackers to find one weak link.

So how do organisations go about ensuring that employees know how to identify threats? Education is the key, but different staff will need different training in order to combat the specific threats they could face in their department.

"You need the right mediums for the right people. You can't have a one-size-fits-all training programme; if you're training your developers, you're going to need different content to what you're using to train your sales people, finance or HR people," says Rik Ferguson, VP of security research at Trend Micro, who stresses the importance of making cybersecurity training interesting, something many companies aren't doing.

"Make it relevant, make it contextual, make it interactive; because there's nothing worse with being presented with an online slide deck you have to click through to read and do the quiz at the end -- but they're so common," he says.

For example, Trend Micro has developed an interactive video experience which allows its employees to make decisions on a series of events then find out the consequences of those at the end. Ferguson describes it as "sandboxing people" -- letting them learn from mistakes in an environment where there aren't real consequences.

"Let them mess up in a safe environment because then they realise they can mess up, nobody's perfect," he says. "Dare to fail, learn from your mistakes, analyse and improve."

This philosophy of prevention and awareness is supported by Europol which works with organisations in order to combat hackers and cybercrime, particularly those using the most commonly known attack vectors and vulnerabilities.

"It's an area we believe that working by industry and other partners focusing on prevention and awareness, we can really increase the cybersecurity baseline, thereby significantly reducing high volume threats," says Amann.

One of the methods in which to do this is to tell things like they really are, explaining how the most common threats to cybersecurity aren't sophisticated and can easily be protected against.

"It's not helpful to call everything advanced and sophisticated because it distracts you from the majority of cases -- which I wouldn't classify as advanced. Is an SQL injection sophisticated? I don't think so," Amann explains, citing how developing awareness of these potential threats and the basic digital hygiene required to fight against them shouldn't be a momentous challenge.

"A big part is understanding what can we do with prevention awareness and increase the cybersecurity baseline to ensure people are have the basic defence mechanisms in place," Amann says.

Robert Carolina, executive director of the Institute for Cyber Security Innovation at Royal Holloway University of London, compares the IT security situation to the early history of the automobile.

"When automobiles first became widely available we didn't have that intuitive, baked in from an early age, understanding of the basic physics of driving. When you try to stop a car, it takes time and it takes space and it's possible to have a blind spot and that's what mirrors are for. All those kinds of lessons had to come along over a process of learning and engineering," he says.

For Carolina, cybersecurity needs to follow the same path, but it isn't close to having a standard model yet.

"There's still a lot of work to be done on managing the user experience in such a way that security is folded into it; there's still work to be done on that as well as influencing user behaviour but one will lead to the other," he says.

One way to fix this is by using what Carolina calls 'the mother-in-law test', something he uses when he asks his students to consider "the reasonable person who is an intelligent person, but not necessarily skilled in security" when thinking about cybersecurity.

"Why should my mother-in-law need to be terribly aware of all the cybersecurity risks out there in the world? Why is it that a change in her software environment should produce a whole another series of factors she needs to take into consideration? Isn't there a more obvious way to help her navigate the internet safety?" he says.

While the individual does always need to take some responsibility, it's arguably the responsibility of employer organisations and security companies to ensure that ultimately people are no longer the weakest link. But that isn't going to be achieved in one fell swoop, says Carolina. "The answer is a lot of small steps which nonetheless have an impact," he adds.

In order this goal to be achieved, a lot of different organisations and authorities are going to need to come together to ensure that people are educated about cyber threats and that this is done in an engaging, useful way.

"Security isn't just about security products, security people and security departments; it's about interaction. Effective security, when it boils down to the nub of it all it's about interaction with other people and other processes and it's about identifying those areas of weakness," says Trend Micro's Ferguson.


Editorial standards