Human after all: Exposing the cybersecurity gap
When it comes to cybersecurity, you are the weakest link.
You can have all the protection mechanisms in the world in place, but one human interaction can make all the difference. That’s the message that came through loud and clear from the panel of experts I recently had the pleasure of facilitating at Networx Brisbane’s Cybersecurity + Data Ethics event.
While cyber threats are always evolving, the panel insisted that social engineering – the art of the con, exploiting human error and psychology – remains the most effective way to bypass any organisation’s defences.
“Social engineering is the art of a scammer convincing you to hand over information,” explained Jon Mello, head of business development at cybersecurity platform Practice Protect. “It’s not hacking, in any technical sense – it’s tricking.
“Phishing is social engineering. CEO scams are common social engineering tricks. Someone in a company will receive an email that looks legitimate from someone pretending to be their CEO. The scammer will try to create a sense of urgency, and they’ll do their homework. They’ll research the business. They’ll find out who the CEO is. If a company puts their team members’ email addresses online, it makes it even easier for them to target and impersonate those addresses.”
Matt Butts, principal security consultant at cybersecurity provider Equate Technologies, explained that while social engineering scams have existed for hundreds of years, in one form or another, they remain effective because they target the most vulnerable link in the chain.
“Humans are the biggest risk,” Butts said. “You need to make sure that your team knows what to do. They need to know how to identify malicious and fraudulent emails and appropriately respond, and they need to take due diligence to ensure that a request that seems out of the ordinary is legitimate – perhaps via a phone call with the person making the request.
“You can put technical controls in place that attempt to filter those malicious emails out, but in most cases, those filters don’t protect organisations from phishing attacks. And if an attacker can convince a user to do something for the attacker’s benefit, then they’ve effectively bypassed all of the security controls that an organisation has put in place.”
Even relatively sophisticated cyber attacks can be made possible by human error. John Powell, principal security consultant at consulting service Telstra Purple, related the story of how one of his colleagues was able to demonstrate just how easy it was to gain access to an organisation’s secure files.
“They walked into an organisation’s offices and went to a public floor of the building,” Powell said. “There was a staff member at a computer and a couple of areas for members of the public to sit. When the staff member left her desk, my colleague put a small USB device between the staff member’s computer and her keyboard. It was a keylogger, a program that recorded all her keystrokes.
“My colleague then went away and waited for the staff member to come back. He then approached her and said, ‘Hi, I’m from the IT department, and we’re making some changes to improve the logon speeds. Just wondering if you could help us out. Can you log off and log back in again so we can see if it’s any faster?’ She logged off and logged back in, and he collected her password on the keylogger.
“He walked away, waited until she’d gone, and then came back and got his keylogger. He then followed someone else down a set of steps to another floor, tailgated them through a secure door, plugged his keylogger into a computer, logged in with the stolen password on a computer in a secure area, and gained access to their Active Directory structure.”
The panel agreed that cyber attacks are often the result of apathy. Butts said most people don’t think an attack could happen to them, or have any sense of what’s at stake.
“A lot of organisations don’t know what they need to protect,” he said. “They don’t understand what their digital assets are – whether it’s intellectual property or financial information or data they’ve collected from their users – and they don’t understand the risk to those assets. And that, I think, is the key.”
How to strengthen the weakest link
Each panelist agreed that cybersecurity training for employees is essential for organisations looking to safeguard themselves against attacks – but, Jon Mello stressed, culture is just as important.
“Like anything in business, it’s about the culture you create,” he said. “In this case, you need to create a culture where it’s OK to admit you’ve made a mistake.”
While it might be tempting to punish those who fall for social engineering scams and allow costly cyber attacks to happen, John Powell agreed that the most important thing is to create an environment where employees feel comfortable coming forward to alert their organisation of potential threats.
“Culture comes from the top down,” he said. “If we create the expectation of punishment for anybody who does the wrong thing… if the board does that to the CEO, and the CEO does that to his executives, and that filters down [to everybody else], then everybody says, ‘I’m just not going to say anything’. But if the board and the CEO say, ‘This is OK … well, it’s not really OK, but we’re not going to punish you for it. What we’re going to do is help you to deal with it better next time, and put things in place to help you deal with scammers.’ That creates a culture where people are willing to come forward and say, ‘You know what? I think I stuffed up.’”
Similarly, Powell said much of the apathy at the heart of the problem comes down to a lack of communication between IT staff and management.
“One of the things I’ve noticed over a number of years in dealing with cybersecurity is that it’s an area that doesn’t get looked at as much by the highest levels of business,” he said. “I think a lot of that is due to a lack of understanding, or a lack of information progressing up the chain that people can actually understand.
“It’s always looked at as a black box, you know? Technology – we’ll leave it to the guys who know how to do that. The problem is that the responsibility for the business rests fairly and squarely with the directors… data and cybersecurity is a key component of what directors need to be aware of so they can discharge their duties of care and diligence appropriately. There needs to be people there who can inform them so they can make the right decisions.”
Powell explained that the technical jargon beloved by IT departments can make it difficult for organisations to have the necessary conversations about cybersecurity.
“The information coming from the IT department needs to be translated into ‘business speak’, not ‘technical speak’, to make it resonate,” Powell said. “Very simply, the board wants to know what the risks are and how they’re being mitigated.
“For instance, if there was a limit to the amount of storage we had, and we’d hit the cap on that storage, I could put that in very technical terms. I could talk about storage arrays and RAID groups. But nobody higher up would know what I was talking about. It’s all jargon, and the person at or near the top of the business just wants to know one thing – is this going to affect the way we work?
“What they want to hear is, ‘We have a problem with storage, this is the risk if we don’t resolve it, and this is the amount of money that’s required to resolve it’. They don’t want to know how you’re doing it, they just want to know if their business is going to keep operating.”
Top tips
John Powell advised that “failure to manage information risk will be your judge; the online world, your jury”. Powell also recommended that businesses familiarise themselves with the Australian Cyber Security Centre’s ‘Essential Eight’ mitigation strategies, and Telstra’s ‘Five Knows’ of cybersecurity:
- Know the value of your data.
- Know who has access to your data.
- Know where your data is.
- Know who is protecting your data.
- Know how well your data is protected.
Matt Butts advised businesses and employees to put the necessary safeguards in place to protect their digital identity:
- Introduce a banner on external email to warn users to exercise caution (a feature available on Microsoft 365 and Google Apps).
- Learn to recognise fraudulent messages by looking for spelling and grammar mistakes and unusual requests.
- Confirm with phone conversations when in doubt.
- Use multi-factor authentication where possible.
- Don’t use the same password for multiple accounts.
- Use a password manager to keep track of your accounts – whether it’s a program like LastPass or 1Password, or even just a black book that you keep safe.
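Two of the tips above, the external-email banner and recognising the "CEO scam" pattern Jon Mello described (an executive's name on an outside address, pushing urgency), can be turned into simple mail triage logic. The script below is an added example written for this article, not code from the panelists or their companies, and everything in it is constructed: the organisation domain `example.com`, the executive names, the urgency phrases and the two sample messages are assumptions made for illustration.

```python
"""
Added example (not from the article): triage raw e-mail messages by
  1. stamping a warning banner on mail from outside the organisation, and
  2. flagging the classic "CEO scam": a display name that matches an
     executive, an external sender address, and urgency language.

All domains, names, phrases and sample messages here are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                     # assumed organisation domain
EXECUTIVES = {"jane doe", "sam lee"}                # assumed names worth impersonating
URGENCY_PHRASES = ("urgent", "immediately", "right away",
                   "before end of day", "keep this confidential")

BANNER = ("[EXTERNAL] This message came from outside the organisation. "
          "Verify unusual requests by phone before acting on them.")


def sender_parts(msg):
    """Return (display_name, address) from the From: header, lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.strip().lower()


def is_external(addr):
    """True when the sender address is not on the organisation's own domain."""
    return addr.rpartition("@")[2] != INTERNAL_DOMAIN


def triage(raw):
    """Classify one raw RFC 5322 message.

    Returns a dict with:
      external - sender is outside the organisation
      banner   - warning text to prepend to the body (None for internal mail)
      flags    - reasons the message deserves a closer look (empty if none)
    """
    msg = message_from_string(raw)
    name, addr = sender_parts(msg)
    external = is_external(addr)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags = []
    if external and name in EXECUTIVES:
        flags.append("display name matches an executive but address is external")
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        flags.append("urgency language: " + ", ".join(urgent))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if external and reply_to and reply_to != addr:
        flags.append("Reply-To differs from From")

    return {"external": external,
            "banner": BANNER if external else None,
            "flags": flags}


# Constructed sample messages; names, addresses and wording are made up.
SAMPLE_INTERNAL = """From: Sam Lee <sam.lee@example.com>
To: accounts@example.com
Subject: Q3 invoice batch

Please find the Q3 invoices attached for your records.
"""

SAMPLE_CEO_SCAM = """From: Jane Doe <jane.doe@example-mail.co>
Reply-To: jane.doe.ceo@freemailhost.invalid
To: accounts@example.com
Subject: Urgent wire transfer

I need you to process a payment immediately. Keep this confidential until I'm back.
"""

if __name__ == "__main__":
    for label, raw in (("internal", SAMPLE_INTERNAL), ("ceo-scam", SAMPLE_CEO_SCAM)):
        result = triage(raw)
        print(label, "external" if result["external"] else "internal", result["flags"])
```

The banner is the cheap, broad control the panel mentioned: it does not block anything, it just makes "outside" visible to the reader. The flags are where the "confirm with a phone call" tip applies; a match on the executive-name rule is exactly the out-of-the-ordinary request Matt Butts said should be verified through a second channel rather than acted on from the email alone.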
Finally, Jon Mello urged attendees to take a multi-layered approach to cybersecurity.
- Secure your company passwords.
- Secure your company devices.
- Train your team to spot scams.
You’re only as strong as your weakest link – but, as this panel demonstrated, there are always ways to strengthen that link and prevent your chain from being broken.
The year’s final Networx Brisbane event, Strategy & Innovation for 2021 & Xmas Party, will be held on November 24 (the venue is to be confirmed). For more information and to book tickets, visit the Networx Brisbane website.