With news articles about hacking and data losses regularly appearing on front pages of newspapers, magazines and websites, cyber security is a topic that everyone is now aware of. But many fail to comprehend the true requirements for maintaining a secure environment.
Technical controls are important, but what’s often overlooked is the human component. While major software vendors can update their software and overcome technical vulnerabilities, what about the human operating system? Can we overcome our own weaknesses and find a world where humans aren’t the weakest link in the chain?
Information security has one primary objective: to protect data from anything that might adversely affect its owner. Returning to the primary objective then, protecting that information shouldn’t be limited only to technical solutions. While information technology (IT) systems are used by employees, their role in preserving robust information security goes far beyond being users.
Within C3IA (a consultancy that is certified by the National Cyber Security Centre), we often work with the model of ‘3 P’s and T’ for security controls - physical, personnel, procedural and technical. A balance of controls in each area should be achieved for good security. Despite this, organisations seem to focus mainly on procedural and technical controls.
The National Cyber Security Centre recognises the vital role that users have to play and so includes ‘user education and awareness’ as one of the ten pillars within its ’10 Steps to Cyber Security’. This best practice guidance suggests security policies, a staff training programme and maintaining user awareness as key recommendations. Why? Because clear evidence suggests that most attacks are initiated by human interaction, therefore, if your staff are suitably trained, educated and aware of threats, they are less likely to trigger them.
The US National Institute for Standards and Technology produced a framework for security which considers five core elements: identify, protect, detect, respond, recover. This begins with the identification of valuable assets and how to protect them (risk management), but also the identification and response to a security breach (incident response).
We can consider human involvement in security from this five-stage model. Specialist training for key staff (such as risk assessments or incident response) may be required, while more generic awareness training may be relevant to all IT users (such as spotting indicators of compromise and reporting it swiftly).
The Cyber Security Breaches Survey 2017 stated that ‘the most common types of breaches are related to staff receiving fraudulent emails’, which accounted for 72 per cent of identified breaches. Other significant breach types reported were malware, social engineering and ransomware. For these threats to materialise, human interaction is often required.
When considering the human element of information security, most of the resource allocation should be applied to the prevention of a breach (identify and protect). Addressing the incident response element (detect, respond, recover) also has a significant role to play and so should not be left out. After all, no one person or system can ever be 100 per cent protected from accidental or deliberate actions, therefore being able to detect an event, respond in a scaled manner and recover to business as usual is critical for any business to survive.
How can we improve?
Although humans are the problem, humans are also the answer. The human operating system needs patching and updating if we want to reduce the risk of a security event.
Only a fifth (20 per cent) of surveyed companies had staff who had attended cyber security training, according to results from the 2017 Cyber Security Breaches Survey, despite it being the main method of improving education and awareness, thus reducing the likelihood and impact of any human-initiated breach.
Training courses remain one of the best ways to educate staff and can be delivered remotely or in person, providing options for all budgets. For those with key security roles, investing in their education is just as important as providing awareness training for general staff. Training courses are the traditional option, but depending on budget, other options exist.
Thanks to the internet, we have a wealth of information at our fingertips. But as Albert Einstein once said, ‘information is not knowledge’. To truly learn, often we must experience things - red teaming is a way to do this.
Red teaming tests physical, personnel, procedural and technical security. Here, a person or team assumes the role of an adversary in a live exercise (or sometimes table top). The red team attempts to overcome your security controls and gain access to data.
As the event is underway, this may trigger real-life controls or responses, which will be observed, captured, analysed and reported. Subsequently the lessons identified can be used to hone strategy or procedures and improve the security posture of the organisation.
The activity of testing, learning and improving should never stop as differing threats evolve each day, and require differing mitigations. Examples within the exercise could include placing USB devices with fake malware on them around the organisation, attempting to enter a site without ID, or running a phishing campaign.
While social engineering is often used during red teaming, by itself it is an audit with a much more limited scope. Social engineering focuses entirely on attempting to bypass security by exploiting the human factor - specifically testing personnel, without directly auditing physical, procedural or technical controls.
Examples of this could include background information gathering from LinkedIn or Facebook (to build a suitable and legitimate sounding pre-text), phone calls attempting to glean information from staff or physical encounters with staff to attempt bypassing physical security.
Social engineers use a wide variety of techniques to exploit well known human vulnerabilities, such as the urge to help or be liked.
When the exercise concludes, giving direct positive feedback and constructive criticism that is specific to your organisation and staff is a very successful method of ensuring lessons are learnt.
Red teaming and social engineering are forms of penetration test, so a clearly defined scope and permission to test must be in place. The fewer staff aware of the test beforehand, the better, as this allows the results to be more realistic.
Poster schemes can offer a cost effective, straightforward method of improving staff awareness. It might help remind them to adhere to a security policy, or may serve to maintain their awareness of certain threats. Poster schemes alone are unlikely to make a significant difference; however, they contribute to the wider security culture that a business should be internally promoting.
Board level support
Having the board of a company engaged in information security is of paramount importance. IT users of all roles and responsibilities are equally susceptible to a cyber-attack and so even at the top of an organisation everyone should be involved in undergoing training.
This also demonstrates to employees that security is being taken seriously. This should be reinforced by board approval of security policies and a security strategy or statement issued by the board.
This engagement at the highest level is the best way to encourage a positive security culture - the phrase of ‘lead by example’ is just as valid when applied to information security.
Although humans are likely to remain the weakest link in the security chain, encompassing security controls that deal with user education and awareness is still crucial. Our vulnerabilities as IT users can be greatly reduced through effective use of training and awareness exercises given that most cyber-attacks target the user.
Our IT users may be our weakest link, but they also have the potential to be our greatest allies across all areas of the ‘identify, protect, detect, respond, recover’ security model.