THE WEAKEST LINK
IN CYBER SECURITY

THE HUMAN FACTOR

Cyber Security Awareness and the Human Factor

Locked doors, security guards, and alarm systems used to be sufficient to protect an organization’s resources. Thieves had to put themselves at personal risk to steal anything of value.

No longer. The most valuable property a company owns — its data — can be stolen over an Internet connection. The thieves who steal this information are all over the world and nearly impossible to catch. Many receive training, and sometimes encouragement, from well-funded programs created by foreign governments.

Their work can destroy an enterprise’s reputation in an instant.

And hackers keep getting better! They create scams using an increasing array of psychological and technical tactics, making them harder to detect than ever before.

Cyber security is a top concern for most organizations. Enterprise cybersecurity is now a strategic priority, garnering significant company resources for highly trained personnel and an array of technology solutions aimed at a spectrum of threat vectors. However, many organizations have directed only limited resources at one of the most critical areas of risk exposure: people. Significant risks come from the simple, daily mistakes made by employees and contractors at all levels.

“Threat Vectors” — the vulnerabilities that hackers target — are everywhere. They’re even baked into the systems and technologies companies use to increase productivity and serve clients: email, BYOD (Bring Your Own Device), voicemail, and IoT (Internet of Things).

Additionally, remote work, contractors, and other employee situations expose data to hackers beyond corporate headquarters.

However, savvy organizations understand this and make a concerted effort to train employees regularly and thoroughly. They establish and communicate clear and evolving policies to meet the ever-changing world of cybercrime.

Though the world’s largest organizations have fallen prey to hackers, employees and contractors who are trained, prepared and actively participating in your internal cyber defense team can catch schemes before they happen — or report them before extensive damage is done.

Human Error in Cyber Security: What the Stats Say

As connected tech becomes increasingly ubiquitous, most of us tend to grow lax with security — especially if we haven’t experienced an attack. It’s tempting to believe lies like, “No one falls for that stuff anymore.” Or, when our freedom seems threatened, to say, “There’s no reason to get extreme about security protocol.”

But the data tells a different story. In 2018, hackers stole $500 million in personal records — 126% more than they did in 2017. One source estimates 44 records are stolen through cyber security breaches every second!

The stats about who’s to blame are confusing, but they all point in the same direction. For example, one study found that:

  • 71% of breaches come from careless mistakes made by employees
  • 68% are the result of employee negligence
  • 61% come from someone acting with malicious intent

Another study tells a more disconcerting story: human error is the cause of 90% of data breaches.

Whatever stats you reference, the most significant risk to an organization’s data does not come from bad actors. Instead, it comes through simple, everyday mistakes — clicking the wrong link, giving information to the wrong person, or neglecting to follow an established policy.

Unfortunately, too many organizations aren’t doing what it takes to build and empower their internal cyber defense team to combat the problem.

  • Only 45% have mandatory training in cybersecurity
  • Only 33% have a cyber security breach response plan
  • 90% of the people who should know better — IT pros! — underestimate the possibility of a phishing attack.

Organizations are rapidly working to build internal Cybersecurity Teams. Often, these new business units report directly to the most senior executives. However, finding qualified, experienced and highly trained cybersecurity resources is a challenge, as the supply of these individuals is far behind the demand. Some reports indicate that there will likely be 3.5 million unfilled cybersecurity jobs in 2021.

The Weakest Link In Cyber Security:
The Human Factor

The most valuable property a company owns is its data. Download your PDF now to learn more about this critical aspect of cyber security.

Cyber Security Threat Vectors — The Human Factor

Employees and subcontractors can leave an open door to hackers in a variety of ways. And since hackers find and exploit simple mistakes, vigilance is key.

Here are some possible avenues of attack, aka “Threat Vectors.”

Threat Vector #1: Social Engineering / Phishing Scams

Phishing is the most common — and most pernicious — Threat Vector. It’s easy to gain access to employees through a simple email or phone call.

Though everyone’s familiar with the “foreign prince” scam by now, hackers have moved on. They use advanced psychology to trick victims, tailoring their attacks to those they’re targeting.

First, Business Email Compromise (BEC) scams are emails designed to trick employees into giving up corporate information or passwords. They include subject lines containing words or phrases like “Urgent,” “Past Due,” or “Your Account May Be Suspended.” A link inside the email will usually lead to a familiar-looking webpage asking for a password.

Spear Phishing finds ways to imitate trustworthy colleagues, friends, or corporations. These imitations are well-designed and hard to spot; techniques include:

  • Email Spoof: Though “systemadministrator@apple.com” may spell “apple” with a lower-case “L,” a spoof will spell “appIe” with an upper-case “i”.
  • Domain Spoof: This is a fake email address created with a friend’s or colleague’s name plus “@yahoo.com” (or similar).
  • Close Cousin Spoof: Here, hackers add a slight modification to a familiar domain name. For example, com can become trustedsourceglobal.com or trustedsource.xyz.com.
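The spoofing patterns above (homoglyph letters, a colleague’s name on a free webmail account, and close-cousin domains) plus the urgency cues in BEC subject lines can be checked mechanically on inbound mail. The following is an added example, not code from the original page or from VOX; the trusted domains, staff names and sample messages are constructed for illustration.

```python
"""Flag inbound mail whose sender domain or subject line matches the
spoofing patterns described in the text. Constructed example data."""
import re
from email.utils import parseaddr

# Constructed: domains the organization and its partners legitimately mail from.
TRUSTED_DOMAINS = {"apple.com", "trustedsource.com"}
# Constructed: staff display names that should never arrive from free webmail.
STAFF_NAMES = {"dana reyes", "pat okafor"}
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}
# Subject-line urgency cues typical of BEC lures.
URGENCY = re.compile(r"\b(urgent|past due|suspended|immediately|action required)\b", re.I)
# Look-alike substitutions that survive lower-casing: 1 for l, 0 for o, rn for m.
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o"})

def normalize(domain: str) -> str:
    """Fold look-alike characters so 'appIe.com' compares equal to 'apple.com'."""
    # Upper-case I posing as lower-case l only works in a mixed-case domain;
    # an all-caps domain (e.g. INTEL.COM) is left alone so its I stays an i.
    if domain != domain.upper():
        domain = domain.replace("I", "l")
    return domain.lower().translate(DIGIT_SWAPS).replace("rn", "m")

def classify_sender(from_header: str) -> list[str]:
    """Return a list of spoof findings for one From: header (empty = clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1]
    raw, folded = domain.lower(), normalize(domain)
    if raw in TRUSTED_DOMAINS or any(raw.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []  # exact trusted domain or a real subdomain of one
    findings = []
    if folded in TRUSTED_DOMAINS:
        findings.append(f"homoglyph spoof: {domain} looks like {folded}")
    if raw in FREE_WEBMAIL and name.lower() in STAFF_NAMES:
        findings.append(f"domain spoof: staff name '{name}' sent from {raw}")
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if label in raw:
            findings.append(f"close-cousin spoof: {raw} embeds trusted label '{label}'")
    return findings

def score_message(from_header: str, subject: str) -> dict:
    """Combine sender findings with subject urgency cues into one verdict."""
    findings = classify_sender(from_header)
    cue = URGENCY.search(subject)
    if cue:
        findings.append(f"urgency cue in subject: '{cue.group(0)}'")
    return {"findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    # Constructed sample: the upper-case-I trick from the text plus an urgent subject.
    print(score_message("IT <systemadministrator@appIe.com>", "Your Account May Be Suspended"))
```

Such a check belongs in the mail gateway or a SIEM rule as a prompt for user review, not as a sole block/allow decision, since legitimate partners also use webmail and similar domains.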

Whaling Phishing targets high-ranking members of a company. These attacks are usually created by smart hackers who have done their homework, know their victim, and have devised an especially focused entrapment scheme.

Vishing, or Voice Phishing, is a technique where fraudsters trick targets into giving out sensitive data over the phone. Though the old schemes are easy to catch — poor quality phone connections and demands for data — new schemers use advanced manipulation tactics. Contact Center employees are especially vulnerable.

Threat Vector #2: Poor Employee Habits

Because we can all get a little “too comfortable” in our daily routine, it’s essential for every employee at an organization to self-diagnose bad habits. It’s also crucial for managers to notice and point them out.

Common negligent behaviors include:

  • Leaving a computer unlocked and unattended
  • Keeping passwords, strategic information, or sensitive notes on paper
  • Printing out, then leaving exposed, documents meant to stay secure
  • Sharing data with those not approved for access
  • Storing corporate data in unapproved apps
  • Sharing files or notes through unsecured means, including personal email, text messages, or file-sharing programs

Threat Vector #3: Shadow IT Purchases

Though your IT department may be working hard to make sure your data is protected, your employees and contractors may be, unknowingly, working against them.

For example, staff members with purchasing power often install favorite apps without oversight. But when the IT department hasn’t had the chance to integrate those apps in their security plan, employees leave a door open to hackers.

And it’s not just apps and other downloads. Departments may purchase smart appliances, webcams, or other IoT devices, not realizing they may be a source of exposure.

In most organizations, one-third of a company’s tech purchases are made without the CIO’s approval. The problem extends to all levels of the organization: 79% of C-Suite execs believe they can make IT purchases faster and more efficiently than their IT staff!

Threat Vector #4: BYOD (Bring Your Own Device)

When companies allow employees to use their own devices, the result can be a win-win. Generally, staff members are happier and more productive when using their own devices, and the organization saves money in the short term.

However, cyber security policies often don’t keep up with BYOD. Since IT departments rarely (if ever) scan or review personal devices, risks present themselves when employees:

  • Use unfiltered or unsecured Wi-Fi
  • Install an app with hidden malware
  • Access a corporate network through a compromised device
  • Lose a device containing sensitive data
  • Leave a company but keep corporate apps and data saved on their device

Threat Vector #5: Remote Workers and External Vendors

When employees work from home or public places, it’s vital to create and communicate policies and procedures to protect data.

External vendors and subcontractors bring their own bad habits, dysfunctions, and cyber security risks with them. They can do much damage if:

  • Their devices go unscanned
  • They don’t understand corporate policy clearly
  • They have unsegmented access to the network
  • The end of their contract doesn’t coincide with a loss of access
  • They don’t participate in company-wide training

All of these off-campus workers are prone to access the Internet over unsecured Wi-Fi in coffee shops, airports, and at home.

Cyber Security Breach Examples

Yes, it happens. And it’s not just small businesses with non-existent IT departments. Employees in the largest organizations make mistakes that put vital information at risk.

Info for the CEO

In one successful whaling scheme, a highly placed Snapchat employee received an email from a fraudster posing as “Spiegel.” The hacker asked for a copy of the company’s payroll information. Believing the email had come from company CEO Evan Spiegel, the employee replied with the requested information immediately.

Help Request

An employee working for the City of Calgary sent an email requesting technical assistance from a worker in another municipality. The request, sent both to the recipient’s home and work addresses, contained the names and salary information for more than 3700 fellow city employees.

Recycling

An employee working for Idaho Power recycled 230 hard drives by posting them on eBay. However, the employee sold and shipped the hard drives before IT could wipe them clean.

Passwords Anyone?

An employee for US government contractor Booz Allen Hamilton inadvertently and temporarily posted several of the National Geospatial-Intelligence Agency’s passwords online.

The Danger of Print

Finally, who could be more vigilant than a Department of Homeland Security employee? However, one DHS employee brought paper copies of an anti-terror Super Bowl plan on a flight, then forgot them. A CNN reporter returned them safely (but still reported on the incident!).

Cyber Security
Closing the Gap on the Human Element

It’s easy for employees and contractors to make mistakes that can cost an organization millions of dollars, expose sensitive information, and damage reputation for years to come. The variety of scams and the propensity for human error make it all too easy for hackers to take advantage.

But every organization can help keep “the human element” at bay:

  • Limiting access and properly segmenting servers
  • Keeping a close eye on the work of subcontractors
  • Solidifying security protocol and best practices guidelines
  • Clearly sharing those guidelines

Even so, we all tend to forget what we’ve learned. Employees need regular and detailed training. They should be able to spot a current phishing scheme and know how to report it. And employees should feel comfortable reporting mistakes immediately.

This is true throughout the organization — members of the C-Suite can’t miss out on trainings or subvert policies. No one can be “above the rules.”

LIVE TRAINING WORKSHOP

Get Training, Today!

Unleash your most powerful line of defense, your human resources.

This interactive, 90-minute workshop will instantly show results. Your employees and contractors will now have key insights and understandings that bridge both their home life and business life to create heightened awareness, new behaviors and a proactive approach to protecting the things that matter most.

Security Awareness Training

Cyber Security and Cyber Security Training
Part of the VOX Lifecycle

Keeping your organization secure is hard work. Creating clear guidelines — then communicating them in a quickly changing landscape — can be difficult. Sometimes, CIOs and HR departments find themselves in a tough spot, needing to change the culture from the top down.

That’s why Cyber Security Training is part of the VOX Lifecycle. We help you establish a set of best practices, then communicate them clearly on your behalf. We come alongside your team, customize our presentations to your industry and culture, then help your organization stay up-to-date and informed.

It’s all part of our suite of services to keep clients — and those they serve — protected from data breaches.

SECURITY AWARENESS TRAINING

The simplest, quickest and least expensive way to reduce your organization’s risk profile and reduce the likelihood of a cyber security breach is to educate and inform your people. Your employees and contractors have a vested interest in your organization’s success; they want to protect your business, clients and critical assets. So, enlist their help!

Through VOX Security Awareness Training, you will unleash your most powerful line of defense, your human resources. This interactive, 90-minute workshop will instantly show results. Your employees and contractors will now have key insights and understandings that bridge both their home life and business life to create heightened awareness, new behaviors and a proactive approach to protecting the things that matter most.

POLICY & ACCESS CONTROL

Unify and manage your entire company’s network and data access privileges from a centralized dashboard accounting for user roles, device types, location, and time-of-day. Ensure access to all of those that need it while seamlessly turning away unauthorized parties.

FIREWALLS

Firewalls actively monitor incoming and outgoing network traffic, allowing authorized access to pass through with little difficulty while inspecting and quarantining threats and suspicious activity to keep your system secure.

EMAIL SECURITY

Create monitoring mechanisms to ensure data integrity and discretion through email applications by encrypting emails, implementing antivirus software and utilizing stringent account credential paradigms.

SECURITY MANAGEMENT

Monitor and analyze how your entire network’s security functions are performing from a single, unified dashboard to ensure consistent policy enforcement and handle any potential threats.

ROUTER SECURITY

Routers select the fastest and most efficient paths for data to travel in a network. If a router is compromised, an attacker who controls that single device can extend their reach to the entire network behind it. By securing routers, you can quarantine threats and prevent unwanted intrusions.

MALWARE PROTECTION

Engage comprehensive threat analytics, behavior indicators and fully operational malware detection to effectively prevent attacks and defend against hostile or intrusive Trojans, viruses and other malicious software.

INTRUSION PREVENTION SYSTEMS (IPS)

While firewalls prevent unauthorized access into a network, an IPS actively monitors the activity of devices, applications and communications within the network to identify threats and breaches of network security, and acts on them should they arise.

VPN SECURITY CLIENTS

A virtual private network allows users to securely access private company networks remotely. By utilizing a security client to manage these VPNs, you can actively manage security gateways, access profiles, data encryption protocols and employ diagnostic information to ensure secure communications.

WEB SECURITY

By utilizing security gateways, web filtering, DNS, and application control, you can protect your employees and your network from suspicious websites and other unseen threats.

If you’re ready to get the power and protection of VOX Security on your side,
contact a VOX Transformational Guru today.