Figures vary, but some studies suggest that as many as 95% of cyber security breaches are due to human error.
Cyber criminals are increasingly using cyber-attacks that target people and their associated vulnerabilities, while also targeting situations which may create additional risk, such as remote or home working.
How do cyber criminals target people within a business?
Cyber-attacks target vulnerabilities, whether these are in your security or IT systems, or in your people.
When it comes to cyber security, Usecure define human error as ‘unintentional actions or lack of action’. Very rarely does an employee set out to breach cyber security. Instead, cyber criminals will typically look to exploit human behaviour and goodwill.
Many cyber-attacks make use of social engineering techniques as a way to target businesses through their people.
Social engineering in terms of IT security is defined as ‘the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.’
Attacks of this nature often mean that the employee doesn’t realise something is wrong until it is too late.
Types of social engineering attack include:
- Phishing – typically an email; phishing attacks take many forms but usually aim to obtain information or spread malware
- Baiting – using incentives (e.g. giveaways) to entice people to compromise their security
- SMS phishing – the use of text messages to gain information or deliver malware
- Diversion theft – stealing confidential information by getting users to send information to the wrong recipient
- Scareware – typically a pop-up that states a user's security is out of date or that they have malicious software on their PC, which scares the user into visiting a malicious website or buying non-existent products
- Tailgating – deceptively gaining access to a restricted or secure area, e.g. by pretending to have forgotten a security pass
What additional security risks are linked to working from home?
We have blogged recently about the fact that cyber criminals seem to be looking to take advantage of the Coronavirus pandemic, partly because more people are working from home than before.
Working from home presents additional cyber security risks for a variety of reasons. Being outside of normal office working conditions may make people more vulnerable to the types of social engineering attack mentioned above.
This is further exacerbated in times like now, when people are forced to work from home due to an emergency or at very short notice.
In ‘normal’ times, businesses would have time to plan out the technology needs of remote workers and ensure that they comply with office-based security standards.
Factors which can impact home working security include:
- Technology – if remote workers have to rely on home computers or personal devices, these may not be as secure as the laptops and devices your organisation supplies. Refer to this guide if your business does permit the use of personal devices for business-related work.
- Use of mobile devices – it is thought that individuals using mobile devices can be more distracted and therefore may be more susceptible to cyber-attacks. The limited information visible on a mobile device screen may also limit the ability to verify the validity of requests or credentials.
- Use of home Wi-Fi networks – these may be easier to hack and not as secure as those used in an office-based environment.
- Lost or stolen devices – the NCSC state that devices are more likely to be lost, stolen or damaged when outside the office. So, make sure the devices you supply are set up to encrypt data at rest, which will protect data if the equipment is lost or stolen.
- Use of devices or software not approved by your business – the use of software not approved by your business can cause issues and create security vulnerabilities, for example using personal email addresses to send work-related emails.
What steps can businesses take to reduce the risk of human error in cyber breaches?
- Review user privileges – review the data that your employees have access to and ensure that they can only access what they need. For example, don’t give access to highly confidential information to all your employees, only to the ones who absolutely need it. Then, if an account is compromised, the impact will be no more severe than necessary.
- Encourage good password management – password management is a critical element of cyber security. Encourage the use of strong passwords, do not allow employees to share passwords, and where possible make use of two-factor authentication for added security.
- Security-focused culture – develop a culture within your business which is focused on cyber security. Cyber security is as much of a risk to small and medium-sized businesses as it is to large corporations. Ensure that staff know to challenge things which do not seem right and that they will not be penalised for doing so. Having an open culture where people are free to question and challenge will be beneficial to cyber security.
- Excel at training – a lack of awareness amongst employees about what a possible cyber-attack may look like can be one of your biggest threats. If employees aren’t aware of the kinds of thing they need to look out for, they are less able to defend against them. So, make ongoing training a key element of your cyber security practices. Cyber threats change all the time, so your training will need to change as well to keep up with the latest techniques being used.
For more information on how to maximise working from home security, read our 10 steps to working from home security guide here.
Cyber insurance can be of significant benefit to businesses of all sizes and is a cover that we at Anthony Jones would encourage businesses of all sizes to consider, particularly if you have any reliance on systems and data. It can cover areas such as cyber business interruption, hacker damage and crisis containment. Talk to us today if you would like any more information about this valuable cover.