THE HUMAN COMPONENT OF CYBER SECURITY

Transcription

1 cybersecurity.thalesgroup.com.au People, with their preference to minimise their own inconvenience, their predictability, apathy and general naivety about the potential impacts of their actions, are the weakest link in effective cyber security. This white paper from Thales discusses the potential impact of this, and what organisations can do to mitigate the related risks. THALES AUSTRALIA THE HUMAN COMPONENT OF CYBER SECURITY White paper

2 2_The human component of cybersecurity People, with their preference to minimise their own inconvenience, are the weakest link in cyber security.

3 THALES AUSTRALIA THE HUMAN COMPONENT OF CYBER SECURITY White paper People, by their very nature, are the weakest link in cyber security. Cyber security is fundamentally about making sure that the effort to defeat a security system exceeds the value of its contents. It is human nature to constantly strive to maximise benefits while minimising effort. This means that both consciously and unconsciously, people will always look for short cuts, trying to reduce the extra effort imposed on them by essential cyber security practices. In many cases the everyday operational security of certain businesses does not align with strategic security policies. Due to this gap many security incidents occur from insiders like current or former employees. Some organisations see these insider threats as considerable, infrequent threats. This type of security incident is not necessarily an employee with bad intentions. It could be a well-intended employee doing the work in an insecure manner. Problems are more human than technological. The cyber threat to business is advanced and criminals have much to gain by stealing sensitive information from their targets. Intellectual property, bids, pricing and personal records all fetch a high price on the black market. A compromise to the integrity of this information, or its hosting system, could result in a loss of investor confidence and, consequently, share price competitiveness, accreditation, business advantage and in some cases even life. Foreign intelligence services, major criminal organisations and hactivists all want access to confidential information for political, financial or personal gain. Traditional cyber protection tools, including firewalls, anti-virus and encryption systems all use technology to detect and counter the threat of unauthorised access to protected information. A firm s system users (employees, contractors, suppliers and customers) already have varying degrees of access to this information. They are a known weak link, and easily exploited. For instance, Spear Phishing attacks are used routinely to exploit employees who openly advertise their employment and role within a given company though professional social media sites. System Administrators and Personal Assistants are favoured targets due to their greater access to sensitive areas of a firm s network. GATHERING OF SENSITIVE INFORMATION Once the attacker has identified who to target they start to gather useful security information, like date of birth or mother s maiden name, which is often used for securing functions like password resets. This information can normally be harvested from social networking sites. Other specific information can be obtained through phishing s and phone calls (phone numbers and addresses are easy to find once you have a name). Not all employees have easily accessible information but enough do to make social engineering exploits a serious problem for business. The human component of cybersecurity_3

4 CYBER CRIMINALS CAN DETECT YOUR PASSWORD Access is controlled by means of a username and password for most ICT systems. Most usernames are payroll numbers, addresses or parts thereof and not hard for a cyber criminal to obtain. The passwords themselves are not much harder as 75% of people use the same password for multiple accounts both at work and home. 1 Password lists are freely available online and the software exists to run many thousands of password attempts per minute from a common PC. It is therefore unsurprising that of the 93% of large organisations that suffered major security breaches Through recent bulk releases of hacked passwords it has been demonstrated that: 7% of people use a password from the top 100 most common 91% of people use a password from the top 1000 most common; and alarmingly 99.8% of people use a password from the top 10,000 most common. 2 82% of these breaches were found to be related to employees. in the past 12 months, 82% of these breaches were found to be related to human error. 3 According to SANS top 20, a global research and education organisation in cyber security, critical controls for effective cyber defence, rank employee training as number nine for creating a secure business. 4 As cyber security professionals, the threat and risks are clear to us, but across a typical organisation people s interest, knowledge and skill levels vary greatly. For many organisations, part of the first steps to improving the cyber security posture is implementing a basic education programme concerning cyber awareness, essential for mitigating basic social engineering. Unfortunately, effective training can be difficult to deliver, as your employees complacency needs to be addressed. Simply forcing your workforce to endure an online e-learning course annually will not drive a fundamental change within your organisation. Achieving tangible improvements in cyber security culture requires changing attitudes and habits. A process to maintain that change empowers your workforce with the right knowledge to protect themselves and your organisation. Your employees awareness is critical to the success on your security program UK Cyber Security Strategy _The human component of cybersecurity

5 MAKE SECURITY EVERYONE S RESPONSIBILITY Implementing cyber security and awareness involves all levels within your organisation, from corporate level to engaging each employee. Effective cultural change is complex and requires a multi-dimensional approach. To implement change, your business must incorporate engaging education: MAKE IT PERSONAL Begin with an individual approach. As the cyber threat transverses home and work computing, focus your training on keeping your employee and their data safe. It is not just about protecting the bottom line. Use real world examples of cyber crime and its impacts to keep the audience engaged. LEADERSHIP Create a culture that starts with commitment of your top executives and flows to all employees. Involving C-level executives is an important key to success. EMPOWERMENT Involving your workforce in the issues. Listening to their ideas around potential solutions gets buy in and increases the likelihood of change acceptance, and therefore success. REWARDING/RECORDING BEHAVIOURS What gets measured gets done, so metrics are important to encouraging good behavior. Give the leaders in your business metrics to measure security incidents. If you have a process for reporting suspicious s, as a minimum have an automated response that says Thank you PUNISHMENT Serious errors of judgment require serious responses and your employees need to know the potential consequences of cyber negligence. Internal whistleblowing mechanisms need to be in place to enable your employees to challenge things that they see as vital in detecting the threat from within. ANTICIPATING AND PREVENTING Where temptation is too great or habits too entrenched, it may not be viable to change behaviours. Technical controls such as a ban on USB memory sticks may offer the only realistic solution. BETTER PROCESSES Better processes for cyber security that your employees can follow make it easier to do the right thing. A practical yet thorough control of cyber security processes needs to be put in place. BETTER TOOLS Building an identity management system into a business s security systems, both physical and cyber, will encourage and enforce good cyber security practices in your workforce. A good identity management system will securely tie an employee s identity to the authentication process. This makes the secure management of an employee s communication, access and privileges enforceable. Thales Australia is able to link industry leading cyber expertise with over 20 years of experience in Security and Information Assurance in Australia. At Thales, we also apply strict controls within our organisation which has given us practical experience dealing with the human component of cyber security. This white paper represents the tip of the human factors iceberg - just one among many in the cyber security world. For more information on any facet of cyber security that concerns you, please contact us. We are here to help. THALES CYBER SECURITY Whenever critical decisions need to be made, Thales has a role to play. Thales is a global leader in cyber security products and services. Over 1500 highly qualified cyber security experts handle national security in 50 countries, and critical information systems for over 100 clients. 80% of the largest banks, energy and aerospace organisations around the world rely on security delivered by Thales. With over 40 years of experience in Information Assurance and Security, Thales has an unrivalled understanding of the range of threats that Australian businesses and organisations face. At the heart of what Thales does is the belief that securing people, property and information ensures business continuity and reputation. Thales brings world leading cyber security expertise to Australian businesses. We will ensure your competitive advantage is maintained by being able to demonstrate resilient and secure use of cyberspace for your business. CALL US. GET IT SORTED ALL CYBER cybersecurity.thalesgroup.com.au Thales is here to help. We ll look after you. 17/07/ Thales Australia Limited. THALES AUSTRALIA 7 Murray Rose Avenue, Sydney Olympic Park, NSW 2127, Australia. Tel: 1800 ALL CYBER or cybersecurity@thalesgroup.com.au. Web: cybersecurity.thalesgroup.com.au. Thales Australia Limited ABN