The weakest link
As information security technology continues to advance, human error is increasingly the biggest threat to that technology's ability to protect an enterprise's communications network. There are more than enough examples of human mistakes compromising high-profile security systems, yet many executives retain the false sense of security that comes with the latest threat-monitoring tools.
Consequently, IT security systems may be the foundation for a strong protection plan but they are hardly the full solution. All it takes is for one employee to click on a targeted phishing e-mail and everything could be lost. So what do companies need to consider in order to cover all the bases when it comes to information security?
The first step is coming to terms with the countless threats posed by simple human behavior. Organizational leaders — the ones who have access to sensitive information — often hold an improper sense of their role in security. While executives may be aware of possible security threats, they often see themselves as protected by the IT department and their organization's security infrastructure. The fact that they ultimately are a vital participant in the security process is often ignored, which drastically increases the chances of a crucial mistake.
The same attitude often carries over into company business processes, especially where cost is concerned. If a cybersecurity control adds cost, slows workflow or is perceived as extraneous, it tends not to be enforced as an operational requirement. Small businesses are especially susceptible, since revenue is limited and an attack is often viewed as unlikely. Employees under time pressure feel the same way: they may know the security protocol, but it is not their top consideration while working on a project.
The result is the security gap that hackers seek. A study by Internet security–awareness firm KnowBe4 found that 43% of tested employees clicked on a simulated phishing or malware attack link. Another exercise, conducted by the Department of Homeland Security last June, found that 60% of workers plugged a USB device that they found in the parking lot into their office computers. When the device was imprinted with an official logo, the number of installations jumped to 90%.
These incidents, frightening as they are, represent just a few of the ways that hackers are exploiting human behavior to acquire company data. As mobile, cloud computing and social media technologies continue to grow, so will the security concerns associated with them. Another top security problem that every business potentially could encounter is a disgruntled employee walking out the door with company secrets.
For all of these reasons, a strong information security system must evolve continually. Moreover, while there is no guaranteed solution, organizational leaders must incorporate the human element into their cybersecurity plans.
One way to accomplish this is through periodic reviews and audits of regular business policies and procedures. Comprehensive security protocols teach leadership proper responses to cybersecurity incidents. Regular reviews and updates to these guidelines keep sound information security behavior both current and top-of-mind.
The next step, once proper procedures are in place, is training. It too should occur regularly, because one-off reminders are easily ignored. Set up targeted training exercises designed to address specific problematic behaviors, such as the phishing and USB mistakes described above. Senior leadership should not get a pass on these requirements: employees with access to sensitive data are the ones most likely to be targeted.
Of course, there are costs to implementing proper security measures and companies need to find the right balance between human and technological elements. There is no doubt that the newest security technology will come at a price. Human-based security procedures have their consequences as well, usually in the form of less privacy in the workplace. But in order to protect secure information, employees must be made aware of what data the company owns, where they can access it and who ultimately will be responsible for it.
On a higher level, more work needs to be done to pinpoint the human behaviors that cause information security breaches. As new technology continues to emerge, organizations need to better understand how employees use these devices and what procedures will help eliminate the security threats associated with them. Security technology itself also needs to better recognize potential threats and warn users of danger. Improvements in both human behavior and threat-recognition technology can significantly cut down the common-sense mistakes that often lead to breaches.
Indeed, the responsibility for information security lies with each and every employee. Senior leaders need to know their employees and be able to trust them to take the proper precautions to protect sensitive information. Criminals take the time and energy to identify key stakeholders and target their attacks at them. Management should be identifying those same stakeholders to better educate them on security procedures.
The fact is that human vulnerability always will exist within the context of information security. Organizations willing to invest in proper protocol and training can help reduce those threats, but they cannot afford to grow complacent. Stay up to date with the latest security news and pass relevant information down to all levels of employees. Resistance to change, individual scrutiny and human curiosity are the biggest hurdles in cybersecurity — but they are hurdles that must be cleared in order to ensure an organization remains protected.
Jeff Schmidt is a two-decade veteran of the information security industry and the founder and CEO of JAS Global Advisors LLC.