IT companies are working frantically to produce technology that is one step ahead of the enemy – and organisations are spending millions in buying it.
Yet one of the most vulnerable points in any organisation is still frequently overlooked: the human.
Security technology is abundant. We have chip and pin for credit card payments, passwords for almost everything, firewalls to protect our data and anti-virus software that updates every day to find new ways to keep out the hackers.
Most large organisations have extensive documents outlining IT security policies and usage rules. Yet few, if any, have worked out how to persuade employees to take these seriously and how to stop people from making mistakes.
Human nature introduces security risk
The first problem is that many IT rules do not take into account key aspects of human nature, such as curiosity and a profound belief that many rules are just silly.
In 2011, Bloomberg carried out an experiment. The company scattered unauthorised USB drives and disks in the car parks of US government agencies and private contractors. Some 60% of workers who found these devices plugged them into their office computers. This percentage rose to 90% when an official logo was printed on the device.
On average, internet users have 25 password-protected applications they manage, but only six (or fewer) unique passwords
Andrew McLean, AppLayer
All of these agencies had policies strictly forbidding the unauthorised introduction of USBs, but the employees plugged them in anyway.
The second problem, which is unquestionably the largest, is simple human error.
The highest-specification security software failed to protect GCHQ from losing 35 laptops in 2010, or to prevent Stella Rimington, the former head of MI5, from mislaying her own data-rich laptop in 2012. The list goes on – government departments, police forces, the health service.
At a more mundane level, how many of us genuinely have the brain power to remember a different password for every subscription we set up? Or even every credit and debit card. On average, internet users have 25 password-protected applications they manage, but only six (or fewer) unique passwords.
The third problem is that cyber criminals are often aware of this human vulnerability and take advantage of it by behaving like any good, old-fashioned con man.
Phishing works. If you email enough people to tell them that they have been the victim of a fraud attack and that they must re-enter their security details at once, one of them is going to believe you. The unfortunate newbie on the IT helpdesk may be intimidated by a cross-sounding “senior manager” into revealing passwords without following the official authorisation procedure, just as the receptionist may be tricked by a convincing “customer” on the phone.
Security is a shared responsibility
We need to take some of the blame. Too often, communication between the IT department and the rest of an organisation is less than perfect. Yes the geeky techie unable to cope with people is a ridiculous stereotype, but there is perhaps a grain of truth in it.
In the IT industry we want to believe that a technical problem will have a technical solution, and we really do not want to have to explain it all to someone who probably will not understand the details anyway.
Download free resources on IT security
- IT security case studies
- Build Your IT Security Business Case
- Fighting the Silent Threat
- Why Complexity Is IT Security's Worst Enemy
- How to Help Your Organisation Deal with Next-Generation Cyber-Attacks
- Protect Against Cyber Threats
- The Cyber Savvy CEO: Getting to grips with today’s growing cyber-threats
The rest of the organisation would just like the IT department to sort it all out so that it works with as little hassle as possible.
This gap has to close.
A survey published in April of this year on behalf of the department of Business, Innovation and Skills revealed that in spite of the fact that 36% of the worst breaches of information security in business are due to inadvertent human error, 42% of large organisations do not provide any ongoing security awareness training for their staff. Without this, it is hopeless to believe that employees will grasp the importance of adhering to inconvenient procedures or creating unmemorable passwords.
People are at the heart of any security policy. They have to know what the real risks are, what the consequences might be, and what sensible precautions they should take to minimise them. They also need to understand the limitations of IT.
This is not just the responsibility of the IT department – it is down to the senior management team to ensure that everyone, from the cleaner to the marketing director, is properly briefed, and that security procedures are proportionate and realistic.
There has to be a balance between the IT department’s desire for an inviolable password policy and the reality of making it work in practice. The term “social engineering” is sometimes used by the industry in this context, but it is really much simpler than that. Just talk to the users.
Andrew McLean is the chief executive officer of security firm AppLayer.
This was first published in October 2013