Employees - Your Weakest Link
Before the 1990s, IT was primarily focused on Technology. It wasn’t until Bruce Schneier, a renowned pioneer in the field of Cybersecurity, familiarised us with the organisational interrelationship between People, Processes, and Technology (the ‘PPT framework’).
The PPT framework emphasises that these three elements work together in harmony to achieve optimal (security-related, in our case) results.
In this article, we’ve focused on the first P in that equation: the people, staff, employees—whatever label you wish. These are and will always be a company’s greatest asset. No matter how much automation and systematisation a company decides to implement, the team will always be of the greatest value.
AI and automation have done immeasurable wonders for business efficiency, but your customers will almost always prefer to speak with a human being when working through their problems. This is because your team will be able to do, think, and feel things that your ‘system’ won’t.
Body, mind, and spirit cannot be replicated technically.
Because humans are social creatures, their discretion and judgement adapt dynamically to survey opportunities and assess threats in different environments.
That leads us to the other side of the same coin—weakness.
The social nature of humans is what leaves them vulnerable to manipulation or deception. In cybersecurity, this is known as social engineering.
The 2023 Thales Global Security Study surveyed nearly 3,000 companies and found that human error accounts for 55% of data breaches. More comprehensively, another report by the Cyber Edge Group suggests that 82% of all cyber-attacks involve a human element. We think it’s much higher.
Let’s look at a simple textbook example: phishing.
You may know better than to click on a conspicuously suspicious-looking link, but does your team hold the same professional scepticism?
Many of the reports and surveys you’ll find online indicate that phishing attacks are still prevalent and that 80%+ of organisations still experience them despite the fact they’ve been around since what can feel like time immemorial.
The truth is that if phishing attacks were not still effective, they would not garner the attention they still do today. Besides, phishing links are not always obviously malicious, and attackers have made efforts to craft more benign-looking links to increase the likelihood of the target clicking them.
It doesn’t stop there, either. Personnel involvement can compromise security in many ways.
Here are a few:
Weak passwords;
Unpatched software & devices;
Data mishandling;
Misconfigured systems; and
Unauthorised access
Unauthorised access has been a closely followed area of security in the past few years because access control is fundamental to any secure system.
Unauthorised access occurs when an individual or entity gains access to resources, systems, or data without permission. If a business does not have appropriate access controls in place, an attacker’s access to an employee’s user account could spell disaster.
If that account belongs to a staff member who holds excessive privileges, beyond those needed to do their job, the potential damage will start to compound.
To mitigate the likelihood of such breaches, many businesses have been investing in robust Identity Governance and Administration (IGA) solutions. Alongside maintaining robust security protocols, IGA solutions also create a great deal of efficiency within a company by saving a lot of time in provisioning and de-provisioning accounts, and all of their respective access, when a company has new joiners or leavers.
However, the types of businesses you’ll typically see with these solutions are large corporates, and the reason is that they are eye-wateringly expensive.
There may also be a greater need for such products in larger companies, where things change fast and people often move around. However, this doesn’t mean that SMEs should accept this paywall as a legitimate reason to be apathetic about access management. We’ve already seen an increase in ransomware attacks targeted at SMEs, so it’s more important now than ever to ensure a strong security posture for all types of businesses that handle sensitive data or depend on access to their systems to engage in commerce.
To address this, partnering with a smaller security consultancy specialising in servicing SMEs may be a viable alternative to achieving desired outcomes.
Having said all of that, implementing any single solution (or combination of solutions) is not a foolproof route to 100% security, however much it has cost you to build into your organisation. It’s best practice to use technology to remove human input where possible, reducing the chances of human error causing issues later down the line, but human input cannot be eliminated entirely. In the above example, an IGA solution must still be complemented by regular, informed, cost-effective cyber hygiene education delivered to the workforce.
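As an added illustration (not code from the article or from any IGA product), the following script performs a minimal joiner/mover/leaver reconciliation of the kind an IGA solution automates: it compares a constructed HR roster against a constructed account directory and flags leavers whose accounts are still enabled, orphan accounts with no HR record, and accounts holding entitlements beyond what their role requires. The role model and sample users are assumptions for the example.

```python
# Added example: joiner/leaver and least-privilege reconciliation.
# All roles, entitlements and users below are constructed sample data.
from dataclasses import dataclass, field

# Role -> entitlements the job actually needs (hypothetical role model).
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp-invoices", "email"},
    "sales": {"crm", "email"},
    "it-admin": {"domain-admin", "email", "crm", "erp-invoices"},
}

@dataclass
class HrRecord:
    user: str
    role: str
    active: bool  # False once HR records the person as a leaver

@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: set = field(default_factory=set)

def reconcile(hr_records, accounts):
    """Return (kind, user, detail) findings; an empty list means no gaps."""
    hr = {r.user: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None:
            # Nobody in HR owns this account: classic orphan/service account.
            findings.append(("orphan-account", acct.user, "no HR record"))
            continue
        if not rec.active and acct.enabled:
            # De-provisioning was missed; the leaver can still log in.
            findings.append(("leaver-still-enabled", acct.user, rec.role))
            continue
        # Entitlements the role does not justify: excessive privilege.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append(("excess-privilege", acct.user, sorted(excess)))
    return findings

# Constructed sample data.
SAMPLE_HR = [HrRecord("alice", "accounts-payable", True),
             HrRecord("bob", "sales", False),
             HrRecord("carol", "it-admin", True)]
SAMPLE_ACCOUNTS = [Account("alice", True, {"erp-invoices", "email", "domain-admin"}),
                   Account("bob", True, {"crm", "email"}),
                   Account("carol", True, {"domain-admin", "email"}),
                   Account("svc-old", True, {"crm"})]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(*finding)
```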
If you have read along to this point, you’ve familiarised yourself with some of the high-level components of a commonly orchestrated cyber attack, possibly without knowing.
Before we wrap up, let’s spell out what this may look like:
Gaining Initial Access
Hackers usually start with phishing attacks, sending targeted emails or messages that deceive employees into revealing sensitive information, such as login credentials, or installing malware on their devices. These messages often appear to come from trusted sources like a CEO or the IT department. Social engineering is another method used, where attackers psychologically manipulate their target through phone calls, in-person interactions, or online chats to dupe employees into divulging confidential information. Finally, pretexting is an interesting one which involves creating fake scenarios, such as pretending to be a new employee or a vendor, to gain trust and access.
Whatever the method, the focus is clear—get a foothold into the system.
Moving Within the Network
Once inside, hackers use compromised credentials to access other systems, a technique known as credential reuse. They may also deploy sophisticated tools to navigate the network, exploiting weaknesses in system configurations and architecture. This is a significant problem when these systems have been insecurely constructed or configured—something you won’t know before conducting special assessments.
The goal again is simple—move laterally within the network and gain access to more critical areas.
Escalating Privileges
To deepen their control, the attackers could exploit software vulnerabilities to gain elevated privileges. They might use techniques like pass-the-hash, where they authenticate to other systems with compromised credentials without knowing the actual password, or token impersonation, where they steal authentication tokens to impersonate users and gain higher access levels.
The important thing for the attacker is that they successfully elevate their privilege to perform more exclusive and powerful functions.
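As an added example (not from the article), here is a small detection run over constructed authentication events. One set of credentials successfully authenticating to many distinct hosts in a short window is a common signature of the credential reuse and lateral movement described above, so the function flags any account that exceeds a host count threshold within the window. The log format, hostnames, window and threshold are assumptions for the example.

```python
# Added example: flag accounts authenticating to unusually many hosts.
# Log format, hosts, WINDOW and MAX_HOSTS are constructed/hypothetical.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # hypothetical tuning values
MAX_HOSTS = 3

# Constructed log lines: "<ISO timestamp> user=<u> dst=<host> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 user=alice dst=fileserver01 result=ok
2024-03-01T09:01:10 user=alice dst=mail01 result=ok
2024-03-01T09:15:00 user=bob dst=fileserver01 result=ok
2024-03-01T09:15:20 user=bob dst=hr-db result=ok
2024-03-01T09:15:41 user=bob dst=finance01 result=ok
2024-03-01T09:16:02 user=bob dst=backup01 result=fail
2024-03-01T09:16:30 user=bob dst=dc01 result=ok
2024-03-01T13:00:00 user=alice dst=crm01 result=ok
"""

def parse(line):
    """Split one log line into (timestamp, user, destination host, result)."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), fields["user"], fields["dst"], fields["result"]

def detect_credential_reuse(log_text, window=WINDOW, max_hosts=MAX_HOSTS):
    """Return {user: sorted distinct hosts} for users exceeding the threshold."""
    events = defaultdict(list)  # user -> [(ts, host)] for successful logons only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dst, result = parse(line)
        if result == "ok":
            events[user].append((ts, dst))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        # Slide a window starting at each logon; count distinct hosts inside it.
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for user, hosts in detect_credential_reuse(SAMPLE_LOG).items():
        print(f"{user}: {len(hosts)} hosts within {WINDOW}: {', '.join(hosts)}")
```

Failed attempts are deliberately excluded so the rule keys on access that actually succeeded; a separate rule would normally cover bursts of failures.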
The impact of these attacks can be devastating. Through such procedures, an attacker can steal sensitive data, such as financial information, personally identifiable information, or intellectual property. Ransomware attacks, in particular, are on the rise and can encrypt critical data or systems, demanding payment for decryption keys, leading to operational disruption, downtime, and financial losses. Malware deployment and account takeovers can further compromise systems, leading to data theft or operational disruption.
In conclusion, securing your business requires recognising the critical role of employees in your security strategy. By understanding how hackers exploit human vulnerabilities and implementing comprehensive security measures, you can significantly strengthen your organisation’s defence against cyber threats, and it starts with educating them.