Peter Oggel, Chief Technology Officer, Irdeto
Cybersecurity is a hot boardroom topic at most companies, regardless of industry. In this context, the prime risks are the responsibility and role of employees in ensuring data and information security. That’s why, when discussing cybersecurity, we come across terms like human factor, human error, and insider threat. Nothing is sweeping in saying that one employee can jeopardize an entire company.
Human error still causes the overwhelming majority of cybersecurity breaches
Researchers from Stanford University found that approximately 88% of all data breaches are caused by an employee mistake. That is, by unprepared employees. It’s a high percentage. We repeatedly say that companies need to invest significantly in advanced protection tools and security awareness, including a Zero Trust approach.
Verizon research data reinforces that the ‘human factor’ points out that decision-makers are companies’ main targets of attacks. According to another cybersecurity research by Verizon, C-level executives are nine times more likely to be the target of breaches. In practice, the effects of an attack can cause even more significant damage.
The human element in cybersecurity is less about deliberate crimes committed by employees than innocent mistakes made by people who fall prey to seemingly legitimate emails with malicious links. The same people will fail to apply basic security measures such as limiting permissions on cloud databases.
Humans have been behind some of the most significant data cybersecurity breaches in recent memory.
In March 2020, nation-state hackers believed to be from Russia compromised a DLL file linked to a software update for the Orion platform by SolarWinds. The supply chain attack impacted up to 18,000 SolarWinds customers, including six U.S Government departments. The attack wasn’t discovered until December 2020. This incident was the impetus for Joe Biden’s Cybersecurity Executive Order that now enforces all organizations to strengthen their supply chain security efforts.
Toyota Boshoku Corporation
A European subsidiary of the Toyota Group, Toyota Boshoku Corporation, suffered a massive BEC attack in August 2019 that cost the company $37.3 million. On 14th August 2019, the auto parts supplier was tricked into making a large fund transfer into the hackers’ bank account. The threat actors posed as one of the subsidiary’s business partners and sent carefully crafted emails to accounting and finance department members. These emails requested that the funds be sent into a specific bank account, which the hackers controlled. Soon after the transfer was made, the company’s security experts realized they had been duped. However, by then, it was too late to stop the transfer.
Known for being one of Silicon Valley’s oldest and most notable venture capital firms, Sequoia Capital was hacked in February 2021. This hack exposed some of its investors’ personal and financial information to a third party. The cyber attack succeeded when one of Sequoia’s employees fell victim to a phishing attack. Focused on energy, enterprise, financial, healthcare, mobile, and internet start-ups, this VC firm has more than 1100 corporate clients and more than 200 international clients.
With over 600 million users, Sina Weibo is one of China’s largest social media platforms. In March 2020, the company announced that an attacker obtained part of its database, impacting 538 million Weibo users and their details, including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have sold the database on the dark web for $250.
Skill-based errors and decision-based errors
While the opportunities for human error are nearly endless, they can be categorized into two different types: skill-based errors and decision-based errors. The difference between the two essentially boils down to whether or not the person had the necessary knowledge to perform the right action.
The four hacking methods below are the most commonly used to access protected data.
- Social engineering
Social engineering is a method of attack in which a malicious person uses psychological manipulation to induce specific actions. Unlike other hacking attacks, this method does not use engineered systems or state-of-the-art software. The success of this technique is based on the relationship between the hacker and the victim, who tries to gain their trust. Usually, the criminal uses false identification, impersonating institutions, famous brands, or even people trusted by the victim to convince him to provide his personal information, download applications with viruses, or open malicious links.
- Phishing, Spear-Phishing, Vishing, and Smishing
Phishing and spear-phishing are types of scams. They happen when a criminal impersonates a government agency, person, or company intending to deceive someone. In a typical spear-phishing attack, a specially crafted email is sent to specific individuals from a target organization. Through clever and relevant social engineering tactics, the recipients are convinced to download a malicious file attachment or click a link to a malware- or an exploit-laden site, starting a compromise. This happens in all industries; it happened to us at Irdeto as well when a scammer impersonated our CEO and tried to connect with our employees. Thanks to our vigilant colleagues, no damage was done.
Smishing and vishing are other types of fraud that use SMS (smishing) and voice (vishing) to trick people into giving up money or personal information.
- Domain spoofing
Spoofing consists of creating fake email and website addresses to deceive people. Spoofing is widely used in phishing scams, spear phishing, and spam campaigns like social engineering. In practice, domain spoofing is used by hackers in different ways. This could be, for example, by adding a letter to an email address or creating a fake website with a very similar address to the legitimate one. In the rush of everyday life, these little ones go unnoticed by many people.
- BEC (Business Email Commitment)
Business Email Compromise, or BEC, is spear phishing and one of the top threats to businesses. BEC occurs when an attacker compromises a corporate email account and impersonates the email owner to deceive others. According to a 2020 Internet Crime Report by the FBI, BEC attacks account for losses that are 64 times worse than ransomware.
Zero Trust Framework
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. For everything a user wants to do or communicate, they need first to establish a trust level. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats.
Applying a Zero Trust framework can also help defenders gain insights across their security business. They can enforce security policies consistently and detect and respond to threats faster and precisely.
A Zero Trust framework should also include a behavior-based approach to cybersecurity. It can involve monitoring a network and developing a baseline of what’s considered “normal” behavior, making it easier to identify anything abnormal.
By using this approach – which may involve machine learning and specialized algorithms – IT departments can better understand what’s happening on their networks regularly. Ultimately, by defining what’s typical, strange behaviors and anomalies become easier to detect, and the likelihood of false positives decreases.
By establishing a baseline of typical behavior, it’s possible to trigger security procedures when behavior outspreads beyond a defined range. For instance, if an employee always accesses his laptop from the Netherlands, usually from 9 am to 6 pm, and one day there is a login attempt in Chicago at 5 am, it might be a criminal attempting to access the network.
Of course, this person could simply be traveling. Therefore, the response may be to ask for additional authentication rather than an immediate lockout. If a user cannot provide the other credentials, the system will lock them out, but an authorized user can access the system without further issues.
The Human Factor: Your weakest link, your most significant asset
As human beings, we are prone to making mistakes, but when it comes to security, a small mistake can lead to a significant data breach, which happens often. Studies show that 46% of hacker attacks and cybersecurity incidents resulted from carelessness or lack of training. It’s a surprising number, but it may just be the tip of the iceberg, as it’s also reported that 21% of companies worldwide have employees admit to not reporting a security incident when it happens.
Currently, most companies struggle with the same dilemma: people are often the weakest link in the security chain. Sometimes, that email link to check the prize you just won or a ‘special offer’ that is too enticing to resist. Even though their gut may be telling them it sounds too good to be true, many people simply can’t help themselves: they have to click and see.
Two important psychological factors are at play here: a lack of understanding and desensitization. Targets of cybersecurity attacks are often vulnerable simply due to a lack of knowledge, and some end up in the same boat because they become desensitized to the threat.
Relying on machine learning can only go so far due to its deterministic outcomes. If situation A happens, the outcome should be B. Technology will never be able to replicate our intuition and the gut feeling we have that something might be off. And that intrinsically human ‘gut feeling’ can also be a company’s biggest asset. With constant training and Zero Trust policies, employees will be even more vigilant and suspicious of anything that looks slightly out of the ordinary. When we are more knowledgeable about the threats that are most likely to affect us, we can better prevent and detect them.
Educating the end-user
The mitigation of human error has to come from two angles: reducing opportunity and educating end users. At work, employees must be aware of the risks of clicking on links in emails from unknown senders or masquerading as known sources through techniques like address spoofing. And managers need to stress the importance of employee vigilance. More than that, it is necessary to use efficient technological solutions to automate the monitoring of systems and reduce the chances of error or irresponsibility. There is no silver bullet to remedy the human factor, but several solutions can be implemented to mitigate the potential of people creating risk.
In practical terms, using a holistic approach to insider threats and cybersecurity should reduce the scope for human error and help prevent breaches. Companies must create an effective security policy with formalized written rules and best practices. Providing employee training raises awareness and keeps users informed and vigilant, preventing possible mistakes. This approach benefits the entire organization as users become aware of the potential security risk their actions could trigger, encouraging them to be more cautious.
No matter how advanced technology becomes, online behavior will play a significant role in the success or failure of any system protection. Introducing the human-centric approach to the existing efforts to fight cybercrime and cyber threats is a must-do.