THE WEAKEST LINK
IN CYBER SECURITY

THE HUMAN FACTOR

Cyber Security Awareness and the Human Factor

Locked doors, security guards, and alarm systems used to be sufficient to protect an organization’s resources. Thieves had to put themselves at personal risk to steal anything of value.

No longer. The most valuable property a company owns — its data — can be stolen over an Internet connection in the absence of cyber security measures. The thieves who steal this information are all over the world and nearly impossible to catch. Many receive training, and sometimes encouragement, from well-funded programs created by foreign governments.

Their work can destroy an enterprise’s reputation in an instant.

And hackers keep getting better! They create scams using an increasing array of psychological and technical tactics, making them harder to detect than ever before.

Cybersecurity is a top priority for most organizations. Enterprise cybersecurity is now a strategic priority garnering significant company resources for highly trained personnel and an array of technology solutions aimed and a spectrum of threat vectors. However, many organizations have directed limited resources at one of the most critical areas of risk exposure, people. Significant risks come from the simple, daily mistakes made by employees and contractors at all levels. Humans are the weakest link in cyber security.

“Threat Vectors” — the vulnerabilities that hackers target — are everywhere. They’re even baked into the systems and technologies companies use to increase productivity and serve clients: email, BYOD (Bring Your Own Device), voicemail, and IoT (Internet of Things). Thus encouraging cybersecurity human factor risks.

Additionally, remote work, contractors, and other employee situations expose data to hackers beyond corporate headquarters and further increase human factor cyber security risks.

However, savvy organizations understand the human factor in cyber security and make a concerted effort to train employees regularly and thoroughly. Recognizing the human factor in cyber security, they establish and communicate clear and evolving policies to meet the ever-changing world of cybercrime.

Though the world’s largest organizations have fallen prey to hackers, employees and contractors who are trained, prepared and actively participating in your internal cyber defense team can catch schemes before they happen — or report them before extensive damage is done.

Human Factor in Cyber Security: What the Stats Say

As connected tech becomes increasingly ubiquitous, most of us tend to grow lax with security — especially if we haven’t experienced an attack. It’s tempting to believe lies like, “No one falls for that stuff anymore.” Or, when our freedom seems threatened, to say, “There’s no reason to get extreme about security protocol.”

But the human factor in cybersecurity data tells a different story. In 2018, hackers stole $500 million in personal records — 126% more than they did in 2017. One source estimates 44 records are stolen through cyber security breaches every second!

The stats about the human factor in security are confusing, but they all point in the same direction. For example, one study found that:

71% of breaches come from careless mistakes made by employees
68% are the result of employee negligence
61% come from someone acting with malicious intent

Another study tells a more disconcerting story: the human factor in cyber security is the cause of 90% of data breaches.

Whatever stats you reference, the most significant risk to an organization’s data does not come from bad actors. Instead, they come through simple, everyday mistakes — clicking the wrong link, giving information to the wrong person, or neglecting to follow an established policy.

Unfortunately, too many organizations aren’t doing what it takes to build and empower their internal cyber defense team combat the problem.

Only 45% have mandatory training in cybersecurity
Only 33% have a cyber security breach response plan
90% of the people who should know better — IT pros! — underestimate the possibility of a phishing attack.

Organizations are rapidly working to build internal Human Factors Cybersecurity Teams. Often, these new business units report directly to the most senior executives. However, finding qualified, experienced and highly training cybersecurity resources is a challenge as the supply of these individuals is far behind the demand. Some reports indicate that there will likely be 3.5 million unfilled cybersecurity jobs in 2021.

Cyber Security Threat Vectors — The Human Factor

Employees and subcontractors can leave an open door to hackers in a variety of ways. And since hackers find and exploit simple mistakes, vigilance is key.

Here are some possible avenues of attack, aka “Threat Vectors.”

Threat Vector #1: Social Engineering / Phishing Scams

Phishing is the most common — and most pernicious — Threat Vector. It’s easy to gain access to employees through a simple email or phone call.

Though everyone’s familiar with the “foreign prince” scam by now, hackers have moved on. They use advanced psychology to trick victims, tailoring their attacks to those they’re targeting in the absence of awareness about cyber security human factors.

First, Business Email Compromise (BEC) scams are emails designed to trick employees into giving up corporate information or passwords. They include subject lines containing words or phrases like “Urgent,” “Past Due,” or “Your Account May Be Suspended.” A link inside the email will usually lead to a familiar-looking webpage asking for a password.

Spear Phishing finds ways to imitate trustworthy colleagues, friends, or corporations. Well-designed and hard to spot, techniques include breaching human factor security:

Email Spoof: Though “systemadministrator@apple.com” may spell “apple” with a lower-case “L,” a spoof will spell “appIe” with an upper-case “i”.
Domain Spoof: This is a fake email address created with a friend’s or colleague’s name plus “@yahoo.com” (or similar).
Close Cousin Spoof: Here, hackers add a slight modification to a familiar domain name. For example, com can become trustedsourceglobal.com or trustedsource.xyz.com.

Whaling Phishing targets high ranking members in a company. These are usually created by smart hackers who have done their homework, know their victim, and have devised an especially focused entrapment scheme.

Vishing, or Voice Phishing, is a technique where fraudsters trick targets into giving out sensitive data over the phone. Though the old schemes are easy to catch — poor quality phone connections and demands for data — new schemers use advanced manipulation tactics. Contact Center employees are especially vulnerable.

Threat Vector #2: Poor Employee Habits

Because we can all get a little “too comfortable” in our daily routine forgetting the human factor in security services, it’s essential for every employee at an organization to self-diagnose bad habits. It’s also crucial for managers to notice cyber security human factor risks and point them out.

Common negligent behaviors include:

Leaving a computer unlocked and unattended
Keeping passwords, strategic information, or sensitive notes on paper
Printing out, then leaving exposed, documents meant to stay secure
Sharing data with those not approved for access
Storing corporate data in unapproved apps
Sharing files or notes through unsecured means, including personal email, text messages, or file-sharing programs

Threat Vector #4: Shadow IT Purchases

Though your IT department may be working hard to make sure your data is protected, your employees and contractors may be, unknowingly, working against them.

For example, staff members with purchasing power often install favorite apps without oversight. But when the IT department hasn’t had the chance to integrate those apps in their security plan, employees leave a door open to hackers.

And it’s not just apps and other downloads. Departments may purchase smart appliances, webcams, or other IoT devices, not realizing they may be a source of exposure. The Human factor in cyber security is perhaps the biggest challenge to your IT department.

In most organizations, one-third of a company’s tech purchases are made without the CIO’s approval. The problem extends to all levels of the organization: 79% of C-Suite execs believe they can make IT purchases faster and more efficiently than their IT staff!

Threat Vector #3: BYOD (Bring Your Own Device)

When companies allow employees to use their own devices, the result can be a win-win. Generally, staff members are happier and more productive when using their own devices, and the organization saves money in the short term.

However, cyber security policies often don’t keep up with BYOD. Since IT departments rarely (if ever) scan or review personal devices, risks present themselves when employees:

Use unfiltered or unsecured Wi-Fi
Install an app with hidden malware
Access a corporate network through a compromised device
Lose a device containing sensitive data
Leave a company but keep corporate apps and data saved on their device

Threat Vector #5: Remote Workers and External Vendors

When employees work from home or public places, it’s vital to create and communicate policies and procedures to protect data.

External vendors and subcontractors bring their own bad habits, dysfunctions, and therefore cyber security human factor risks with them. They can do much damage if:

Their devices go unscanned
They don’t understand corporate policy clearly
They have unsegmented access to the network
The end of their contract doesn’t coincide with a loss of access
They don’t participate in company-wide training

All of these off-campus workers are prone to access the Internet over unsecured Wi-Fi in coffee shops, airports, and at home.

Cyber Security Breach Examples

Yes, it happens. And it’s not just small businesses with non-existent IT departments. Employees in the largest organizations make mistakes that put vital information at risk.



Info for the CEO

In one successful whaling scheme, a highly placed SnapChat employee received an email from a fraudster named “Spiegel.” The hacker asked for a copy of the company’s payroll information. Believing the email had come from company CEO Evan Spiegel, the employee replied with the requested information immediately.



Help Request

An employee working for the City of Calgary sent an email requesting technical assistance from a worker in another municipality. The request, sent both to the recipient’s home and work addresses, contained the names and salary information for more than 3700 fellow city employees.



Recycling

An employee working for Idaho Power recycled 230 hard drives by posting them on eBay. However, the employee sold and shipped the hard drives before IT could wipe them clean.



Passwords Anyone?

An employee for US government contractor Booz Allen Hamilton inadvertently and temporarily posted several of the National Geospatial-Intelligence Agency’s passwords online.



The Danger of Print

Finally, who could be more vigilant than a Department of Homeland Security employee? However, one DHS employee brought paper copies of an anti-terror Super Bowl plan on a flight, then forgot them. A CNN reporter returned them safely (but still reported on the incident!).

Cyber Security
Closing the Gap on the Human Element

It’s easy for employees and contractors to make mistakes that can cost an organization millions of dollars, expose sensitive information, and damage reputation for years to come in the absence of cyber security human factor awareness.The variety of scams and the propensity for human factors in cyber security make it all too easy for hackers to take advantage.

But every organization can help keep “the human element” at bay:

Limiting access and properly segmenting servers
Keeping a close eye on the work of subcontractors
Solidifying security protocol and best practices guidelines
Clearly sharing those guidelines

Even so, we all tend to forget what we’ve learned. Employees need regular and detailed training on cybersecurity human factor risks. They should be able to spot a current phishing scheme and know how to report it. And employees should feel comfortable reporting mistakes immediately.

This is true throughout the organization — members of the C-Suite can’t miss out on trainings on human factor risks in cyber security or subvert policies. No one can be “above the rules.”

LIVE TRAINING WORKSHOP

Get Training, Today!

Unleash your most powerful line of defense, your human resources.

This interactive, 90-minute workshop will instantly show results. Your employees and contractors will now have key insights and understandings that bridge both their home life and business life to create heightened awareness, new behaviors and a proactive approach to protecting the things that matter most.

Learn more

LIVE TRAINING WORKSHOP

Get Training, Today!

Unleash your most powerful line of defense, your human resources.

This interactive, 90-minute workshop will instantly show results. Your employees and contractors will now have key insights and understandings that bridge both their home life and business life to create heightened awareness, new behaviors and a proactive approach to protecting the things that matter most.

Learn more

Cyber Security and Cyber Security Training
Part of the VOX Lifecycle

Keeping your organization secure is hard work. Creating clear guidelines — then communicating them in a quickly changing landscape — can be difficult. Sometimes, CIOs and HR departments find themselves in a tough spot, needing to change the culture from the top down.

That’s why Cyber Security Training is part of the VOX Lifecycle. We help you establish a set of best practices, then communicate them clearly on your behalf. We come alongside your team, customize our presentations to your industry and culture, then help your organization stay up-to-date and informed.

It’s all part of our suite of services to keep clients — and those they serve — protected from data breaches.

SECURITY AWARENESS TRAINING

The simplest, quickest and least expensive way to reduce your organization’s risk profile and reduce the likelihood of a cyber security breach is to educate and inform your people. Your employees and contractors have a vested interest in your organization’s success, they want to protect your business, clients and critical assets. So, enlist their help!

Through VOX Security Awareness Training, you will unleash your most powerful line of defense, your human resources. This interactive, 90-minute workshop will instantly show results. Your employees and contractors will now have key insights and understandings that bridge both their home life and business life to create heightened awareness, new behaviors and a proactive approach to protecting the things that matter most.

POLICY & ACCESS CONTROL

Unify and manage your entire company’s network and data access privileges from a centralized dashboard accounting for user roles, device types, location, and time-of-day. Ensure access to all of those that need it while seamlessly turning away unauthorized parties.

FIREWALLS

Firewalls actively monitor incoming and outgoing network traffic, allowing authorized access to pass through with little difficulty while inspecting and quarantining threats and suspicious activity to keep your system secure.

EMAIL SECURITY

Create monitoring mechanisms to ensure data integrity and discretion through email applications by encrypting emails, implementing antivirus software and utilizing stringent account credential paradigms.

SECURITY MANAGEMENT

Monitor and analyze how your entire network’s security functions are performing from a single, unified dashboard to ensure consistent policy enforcement and handle any potential threats.

Get to know…

VOX LIFECYCLE

“Make informed decisions to achieve your desired business outcomes.”

HIGHLIGHTS

A Consultative Approach
High-Touch Partnership
Prescriptive Methodology
Robust Customer Success Plan
Process, Tech & Risk Assessments

LEARN MORE

ROUTER SECURITY

Routers select the fastest and most efficient paths for data to travel in a network. If compromised, suspicious agents could transition control of a single device, to an entire network. By securing routers, you can quarantine threats and prevent unwanted intrusions.

MALWARE PROTECTION

Engage comprehensive threat analytics, behavior indicators and fully operational malware detection to effectively prevent attacks and defend against hostile or intrusive Trojans, viruses and other malicious software.

INTRUSION PREVENTION SYSTEMS (IPS)

While firewalls prevent the unauthorized access into a network, IPS actively monitor activity of devices, applications and communications within the network to identify threats and breaches of network security and acting should they arise.

VPN SECURITY CLIENTS

A virtual private network allows users to securely access private company networks remotely. By utilizing a security client to manage these VPNs, you can actively manage security gateways, access profiles, data encryption protocols and employ diagnostic information to ensure secure communications.

WEB SECURITY

By utilizing security gateways, web filtering, DNS, and application control, you can protect your employees and your network from suspicious websites and other unseen threats.

If you’re ready to get the power and protection of VOX Security on your side,
contact a VOX Transformational Guru today.

THE WEAKEST LINK IN CYBER SECURITY