Staff should act as a substantial barrier to cyber criminals' attempts to reach data rather than offering an open door, says AJ Thompson, CCO of the IT firm Northdoor plc.
Cyber criminals targeting staff as the weakest link in an organisation is nothing new. For years, users have been considered the chink in an organisation's cyber armour, and it is easy to understand why. With increasingly sophisticated tactics, cyber criminals target users with convincing emails that carry malicious links; one click and the user's device can be compromised with malware. A username and password sent to a colleague by email can be intercepted in transit, and staff working out of the office who leave a laptop unlocked or connect to insecure WiFi can likewise hand cyber criminals access to their devices.
There is also a misconception among users that their personal online accounts hold no value for cyber criminals, so they do not apply the same protective measures as they would to a 'work account'. However, with the rapid increase in home and hybrid working, more people are using personal devices for work, meaning that if their own laptop or tablet is infected, their organisation's data and infrastructure are suddenly at risk.
As a result, companies are under more pressure than ever to raise security levels, remind employees of the risks and tell them what they should be doing to manage those risks.
Security alert fatigue
Many security controls produce alerts so routine and generic that users eventually ignore them. A warning that the user is about to reply to an external sender quickly becomes irritating and is clicked through without being read. We become blind to these alerts, a phenomenon known as 'security fatigue'.
This is a particularly dangerous situation, and one that cyber criminals are increasingly looking to exploit. Staff members reach the limit of how much security information they can process, leaving them unable to make rational decisions.
Employees then behave impulsively, making decisions driven by immediate motivators, avoiding unnecessary decisions and selecting the easiest option. The result is people using the same password or PIN for every account, disabling security alerts, and abandoning tasks when asked to go through additional security steps.
These behaviours make life a lot easier for any cyber criminal looking for the path of least resistance into an organisation's data or infrastructure. Companies have tried to bolster their security by scheduling security awareness training for employees, but one-off sessions or yearly reminders simply do not do the job.
For one, employees forget much of a session unless its lessons are repeated regularly. Secondly, cyber criminals constantly change and adapt the methods they use to gain access; with a changing threat landscape, a one-off session quickly becomes out of date.
Even though the consequences of a security breach can be monumental for an organisation, the responsibility for preventing them lies with a small group of administrators and security teams, who must also step up and fix things when they inevitably go wrong. Training is important, as are the traditional cyber defences most companies have in place. Both can be effective against unsophisticated threats, but they often fail to stop more sophisticated ones, such as social engineering attacks. For these more complex threats a different, more thorough approach is required.
Engaging workforces at the point of risk reduces security fatigue
To combat security fatigue and ensure users are alerted only at the point of risk, some companies are turning to software that provides real-time teachable moments. This empowers users to take charge of their own security behaviour, in turn reducing human-activated risk in email.
This proves much more effective than generic training sessions that employees forget within a couple of days, or bombarding them with security notifications that they eventually ignore.
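As an added illustration of the difference between a blanket alert and a point-of-risk alert (this is example code written for this page, not code from the article or from Northdoor plc), the Python below runs two outbound-email policies over a handful of constructed messages. The generic policy warns on every external recipient, which is the kind of alert the article says users learn to click through. The point-of-risk policy stays silent on routine traffic and warns only when a concrete signal is present: a recipient domain that closely resembles the organisation's own domain or a trusted partner's, a reply leaving for a domain other than the one the original message came from, or a first-ever message to an unknown domain that carries attachments. The domain names, the three risk signals and the 0.85 similarity threshold are all assumptions chosen for the example, not anything the article specifies.

```python
"""Added example (not from the article or Northdoor plc): blanket external-recipient
warning versus a point-of-risk warning on outbound email. All domains, recipients,
messages and thresholds below are constructed for the example."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Set, Tuple

INTERNAL_DOMAIN = "example.com"                            # assumed: the organisation's own domain
TRUSTED_DOMAINS = {"partner.example", "supplier.example"}  # assumed: domains already worked with


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    attachments: List[str] = field(default_factory=list)
    # Domain of the message being answered, if this is a reply.
    in_reply_to_domain: Optional[str] = None
    # Domains this sender has mailed before (would come from mail history in practice).
    previously_emailed: Set[str] = field(default_factory=set)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, known: Set[str], threshold: float = 0.85) -> Optional[str]:
    """Return a known domain that `domain` closely resembles but is not equal to."""
    if domain in known:
        return None
    for candidate in sorted(known):  # sorted so the result does not depend on set order
        if SequenceMatcher(None, domain, candidate).ratio() >= threshold:
            return candidate
    return None


def blanket_external_warnings(mail: OutboundMail) -> List[str]:
    """The generic rule: warn on every external recipient, whatever the context."""
    return [f"{r}: external recipient" for r in mail.recipients
            if domain_of(r) != INTERNAL_DOMAIN]


def point_of_risk_warnings(mail: OutboundMail) -> List[str]:
    """Warn only when a specific risk signal is present; otherwise say nothing."""
    reasons = []
    for r in mail.recipients:
        d = domain_of(r)
        if d == INTERNAL_DOMAIN:
            continue
        # Signal 1: recipient domain imitates the organisation or a trusted partner.
        twin = lookalike_of(d, TRUSTED_DOMAINS | {INTERNAL_DOMAIN})
        if twin:
            reasons.append(f"{r}: domain resembles {twin} but is not it")
            continue
        # Signal 2: a reply is leaving for a domain other than the one it came from.
        if mail.in_reply_to_domain and d != mail.in_reply_to_domain:
            reasons.append(f"{r}: reply is going to {d}, not to {mail.in_reply_to_domain}")
            continue
        # Signal 3: first contact with an unknown domain while sending attachments.
        if mail.attachments and d not in TRUSTED_DOMAINS and d not in mail.previously_emailed:
            reasons.append(f"{r}: first message to {d} carries {', '.join(mail.attachments)}")
    return reasons


SAMPLE_MAILS = [  # constructed sample traffic for one user
    # Routine reply to a trusted partner: the blanket rule nags, the risk rule is silent.
    OutboundMail("alice@example.com", ["bob@partner.example"], in_reply_to_domain="partner.example"),
    # Invoice to a trusted supplier: routine, no warning from the risk rule.
    OutboundMail("alice@example.com", ["erin@supplier.example"], attachments=["invoice.pdf"]),
    # Attachment to a domain this user has mailed before: routine.
    OutboundMail("alice@example.com", ["frank@consultancy.example"], attachments=["brief.pdf"],
                 previously_emailed={"consultancy.example"}),
    # Reply to a lookalike of the partner domain ("rn" in place of "m").
    OutboundMail("alice@example.com", ["bob@partner.exarnple"], in_reply_to_domain="partner.exarnple"),
    # Reply whose recipient is not at the domain the original message came from.
    OutboundMail("alice@example.com", ["bob@mail.example"], in_reply_to_domain="partner.example"),
    # First-ever message to an unknown domain, with a spreadsheet attached.
    OutboundMail("alice@example.com", ["carol@newvendor.example"], attachments=["payroll.xlsx"]),
    # Internal message with an attachment: neither rule should warn.
    OutboundMail("alice@example.com", ["dave@example.com"], attachments=["notes.docx"]),
]


def warning_counts(mails: List[OutboundMail]) -> Tuple[int, int]:
    """Total warnings each policy would show the user across the sample."""
    blanket = sum(len(blanket_external_warnings(m)) for m in mails)
    targeted = sum(len(point_of_risk_warnings(m)) for m in mails)
    return blanket, targeted


if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        print(m.recipients, "->", point_of_risk_warnings(m) or "no warning")
    print("blanket warnings:", warning_counts(SAMPLE_MAILS)[0],
          "point-of-risk warnings:", warning_counts(SAMPLE_MAILS)[1])
```

Over the seven constructed messages the blanket rule interrupts the user six times and the point-of-risk rule three times, and each of those three carries a reason the user can act on, which is what turns the interruption into a teachable moment rather than another alert to dismiss. The lookalike check is deliberately simple (a string-similarity ratio); a production tool would also consider homoglyphs and recently registered domains.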