The security community frequently notes that “people” are the weakest link in the cybersecurity chain. Statistics show—after more than a decade of crippling data and security breaches—that people, or more accurately their gullibility, remain the top cause of breaches. The good news is that doesn’t have to be the case. With the right “hardening,” the weakest link in a chain can become its strongest.
Forging an Unbreakable Chain
Much of a hacker’s success lies in what is called social engineering—literally “engineering” people to do foolish things by tricking them into being too trusting, such as opening emails with infected links (“phishing”). Credential theft, insecure passwords, lost devices, and careless handling of suspicious emails and websites—all of these behaviors and more are primary avenues for data breaches caused by human mistakes.
While threat and intrusion detection systems can identify when a system has been breached and mitigate the damage, the ONLY approach that will prevent breaches spurred by social engineering is teaching staff not to fall for them. Fortunately, over the past decade, a number of proven-effective methods for “hardening” workers against social engineering have been developed.
Putting the Tools in Your Hands
To help organizations protect their firms and corporate assets (intellectual property and data) from breaches, a number of companies now specialize in “eliminating the people factor.” To achieve this goal, they educate and train employees to identify danger and avoid it, i.e.:
- Recognizing a phishing attempt and reacting to it appropriately.
- Knowing when a Wi-Fi network is safe and when it isn’t.
- Understanding which materials can safely be stored on a mobile device, and which can’t.
Using a variety of techniques, including simulations of real-world attacks like phishing, personnel not only learn what not to do—they actually experience an intrusion attempt and are graded on how well they handle it. The result is a much more informed, and cautious, staff. (It’s a bit like taking a driving test—the written test shows someone knows what to do; the road test proves they can actually do it.)
Given that 81 percent of intrusions are not detected by internal security processes*, but rather by outside entities—law enforcement, vendors, partners and others—having informed employees is no longer an option. It’s a critical line in the sand. We strongly recommend that all business owners engage with a security awareness organization and ensure every employee that touches an Internet-connected device knows how to avoid being “engineered.”