White Paper: The Human Component of Cyber Security
November 2013
www.thalescyberassurance.com

In this white paper
Humans, their preference to minimise their own inconvenience, their predictability, apathy and general naivety about the potential impacts of their actions, are the weakest link in cyber security. This white paper from Thales discusses the potential impact of this, and what organisations can do to mitigate the related risks.
Humans, their preference to minimise their own inconvenience, their predictability, apathy and general naivety about the potential impacts of their actions, are the weakest link in cyber security.

The cyber threat is pervasive, and its potential ramifications highly significant. The systems of our clients contain valuable information: intellectual property, bids, pricing, intelligence and personnel records. A compromise to the integrity of this information, or of its hosting system, could result in a loss of investor confidence and, consequently, of share price competitiveness, accreditation, business advantage and in some cases even life. Foreign intelligence services, major criminal organisations and hacktivists all want access to confidential information for political, financial or personal gain.

Traditional cyber protection tools, including firewalls, anti-virus and encryption systems, all use technology to counter the threat of, and to detect, unauthorised access to protected information. Yet a firm's system users (employees, contractors, suppliers and customers) already have varying degrees of access to this information. They are a known weak link, ripe to be exploited.

Aiding would-be hackers in preparing for targeted spear phishing attacks is the fact that many employees openly advertise their employment and role within a given company through sites such as LinkedIn. System administrators and personal assistants are favoured targets due to their elevated permissions and access to the accounts of multiple key leadership personnel within a firm.

For more information on how social media can be exploited by cyber attackers, and how individuals and organisations can mitigate this, see Thales UK's "The Perils of Social Media" white paper series, available to download on the Thales UK website.
Once the attacker knows who to target, they can start to gather other useful security validation information: date of birth, mother's maiden name etc. can normally be harvested from Facebook and other social networking sites. Other specific information can be obtained through phishing emails and phone calls (phone numbers and email addresses are easy to find once you have a name). Not all employees are so careless with their information, but enough are, and with over 204 million emails being sent every minute and 20,000 new sources of malware detected every day [1], it only takes a crack in the door to let the hackers in.

For most systems, access is controlled by means of a username and password. Most usernames are payroll numbers, email addresses or parts thereof, and not hard for the hacker to obtain. The passwords themselves are not much harder, as 75% of people use the same password for multiple accounts (both at work and home) [2]. Through recent bulk releases of hacked passwords it has been demonstrated that: 7% of people use a password from the top 100 most common; 91% of people use a password from the top 1,000 most common; and, alarmingly, 99.8% of people use a password from the top 10,000 most common [3].

[1] http://www.techspot.com/news/52011-one-minute-on-the-internet-640tb-data-transferred-100k-tweets-204-million-e-mails-sent.html; http://www.forbes.com/2009/12/22/security-cybercriminals-malware-technology-cio-network-dunlap.html
[2] http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email
[3] http://xato.net/passwords/more-top-worst-passwords/
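As an added example (not code from the Thales paper), the following Python shows the defender's side of the password points made above: a password check that rejects trivial variants of entries on a "most common passwords" list, and a per-account lockout that limits how many guesses an online guessing tool actually gets evaluated, however many thousands of attempts per minute it can generate. The blocklist, the account name "j.smith" and the timings are constructed for illustration; a deployment would load the full published list.

```python
"""Password blocklist check and online-guessing throttle (added example, not
from the Thales paper). COMMON_PASSWORDS is a constructed stand-in for the
'top N most common passwords' lists the paper cites."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample; a deployment would load the full published list.
COMMON_PASSWORDS: Set[str] = {
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "football", "iloveyou", "admin", "welcome", "dragon",
}

# Common "leet" substitutions undone, so P@ssw0rd is recognised as password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def candidates(password: str) -> Set[str]:
    """Forms of the password a guessing tool would try first: lower-cased,
    with trailing digits/punctuation removed, and with leet-speak undone."""
    base = password.lower()
    stripped = base.rstrip("0123456789!?.")
    return {base, base.translate(_LEET), stripped, stripped.translate(_LEET)}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def check_password(password: str, min_length: int = 12) -> PolicyResult:
    """Reject short passwords and anything that is a trivial variant of a
    blocklisted password."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidates(password) & COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    return PolicyResult(accepted=not reasons, reasons=reasons)


class LoginThrottle:
    """Per-account failure counter with a lockout window, so an online guesser
    gets a handful of attempts per window rather than thousands per minute."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, List[float]] = {}

    def allow(self, username: str, now: float) -> bool:
        """True if the account has fewer than max_failures failures in the window."""
        recent = [t for t in self._failures.get(username, []) if now - t < self.lockout_seconds]
        self._failures[username] = recent
        return len(recent) < self.max_failures

    def record_failure(self, username: str, now: float) -> None:
        self._failures.setdefault(username, []).append(now)


def simulate_guessing(throttle: LoginThrottle, username: str, guesses: List[str],
                      start: float = 0.0, interval: float = 0.02) -> int:
    """Replay a constructed burst of wrong guesses (50 per second by default)
    and return how many the throttle actually let through to be evaluated."""
    evaluated = 0
    for i, _guess in enumerate(guesses):
        now = start + i * interval
        if not throttle.allow(username, now):
            continue
        evaluated += 1
        throttle.record_failure(username, now)  # every guess in this simulation is wrong
    return evaluated


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd", "Welcome2013!", "correct horse battery staple"]:
        print(pw, "->", check_password(pw))
    # 3,000 guesses in one minute against a constructed account name
    throttle = LoginThrottle()
    print("guesses evaluated before lockout:",
          simulate_guessing(throttle, "j.smith", ["x"] * 3000))
```

The blocklist check deliberately normalises before comparing: the "complexity" people add to a common word (capital letter, trailing year, `@` for `a`) is exactly what guessing tools try first, so a policy that only matches the raw string gives little protection. The throttle is keyed per account; in practice it sits alongside per-source-IP limits and alerting on the lockout events themselves, which are a useful detection signal.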
For more information on password vulnerabilities and how to implement a sound password policy, download our Secure Password Policy information sheet from the Thales UK website.

Such lists are freely available online, and software exists to run many thousands of password attempts per minute from a low-spec PC. Remember, not all employees are caught up in these statistics, but enough are. It is therefore no surprise that of the 93% of large organisations that suffered major security breaches in the past 12 months, 82% of these breaches were found to be related to staff [4].

Think of it like this; an employee that:
- Works on a private iPad or home PC and then emails, or uses a USB device to transfer, files to a work computer;
- Charges their smartphone or camera from their work computer (these are USB devices!); or
- Is open about their employment and projects on social media;
is taking the same risks as someone that leaves an expensive unlocked car with a bag full of cash on the passenger seat in a bad part of town at night: it is not a question of if, it is a question of when something is going to go missing.

It is no mistake that SANS, the global authority on cyber security, in their Top 20 Critical Controls for effective cyber defence, rates staff training as number 9 [5].

As cyber security professionals, the threat and risks are clear to us, but across a typical organisation interest, knowledge and skill levels vary between extremes. For many organisations, as part of their first steps to improving their cyber posture, a basic programme of cyber awareness training is initiated to highlight basic risks. Unfortunately, for many this is where it stops, and cyber training falls and fails along with other mandatory compliance-driven training packages such as Health and Safety and Bribery and Corruption. Simply forcing your employees to endure a patronising online e-learning course once a year will not drive a fundamental change to the required behavioural paradigm.
So, if the risk is so clear and universal, why has a fix not been found? Unlike a firewall or antivirus, a cyber-savvy workforce isn't something an organisation can just order from a supplier. Achieving a tangible improvement in a firm's cyber security culture is about changing entrenched attitudes and habits, and it requires a bespoke approach sensitive to the people, personalities, history and quirks that have created the culture that needs to be changed.

[4] UK Cyber Security Strategy, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cybersecurity-strategy-final.pdf
[5] http://www.sans.org/critical-security-controls/control.php?id=9
Changing behaviour is difficult, as people generally don't like being told to change; many take it personally that the way they are currently thinking, acting or doing is somehow wrong. Effective cultural change approaches involve, but certainly are not limited to, training. Other complementary considerations are:

Make it personal
If you are lucky your workforce may love your firm, but they love themselves and their own personal data more. As the cyber threat traverses home and work computing, make your campaign about keeping them and their data safe, not just about protecting the bottom line, though you can link this to factors your employees care about such as job security and bonuses. Use real-world examples of credit card fraud and identity theft to make it real.

Leadership
"Do what I do, not what I say." Rules are all well and good, but if your boss tells you to email a document to his private email account so he can read it on his iPad, or you see him (or her) using a USB stick, then it must be okay? Leaders need to lead by example.

Empowerment
Change is something that people do together, not something that is done to them. Involving the workforce in the issues and listening to their ideas around potential solutions gets buy-in and increases the likelihood of change acceptance and therefore success.

Rewarding / recording behaviours
What gets measured gets done: which business unit reported the highest number of suspicious emails? Who won the 50 voucher for being the Cyber Warrior of the Year? Small prizes can drive good behaviour. Managers are typically competitive, so give them a metric to compete against and give it credibility at management meetings.
If you have a process for reporting suspicious emails, as a minimum have an automated response that says thank you.

Punishment
Serious errors of judgement require serious responses; HR policies and employee contracts need to be able to respond to "I seem to have left an unauthorised unencrypted USB stick containing our entire customer database on a train" moments. Staff need to know the potential consequences of cyber negligence. Internal whistle-blowing mechanisms need to be in place to enable employees to challenge things that they see (vital in detecting the threat from within). Subtler approaches could include "name and shame" for employees duped into opening suspicious material who didn't report it, or a temporary internet permission lock-out for employees that download inappropriate content or bypass controls.

Anticipating and preventing
Where temptation is too great or habits too entrenched, it may not be viable to change behaviours, and technical controls such as a ban on USB memory sticks may offer the only realistic solution.
Better processes and tools
People are inherently lazy, so make it easier to do good things properly. Instead of "you need to fill out a form for an approved memory stick, get it countersigned by 4 people, take it to someone on the 8th floor and wait 6 weeks for approval", why not have a stock of approved encrypted sticks available from IT for anyone that asks?

Here at Thales we are able to link industry-leading cyber expertise with experienced psychologists and change managers. We have been the architects of successful change initiatives within the European Defence Agency, Defence Equipment and Support (DE&S), Dstl, BP, the Ministry of Defence and the NHS.

This white paper represents the tip of the human factors iceberg, and only one iceberg among many in the cyber security world. For more information on any facet of cyber security that concerns you, please contact us. We are here to help.
About Thales
Whenever critical decisions need to be made, Thales has a role to play. World-class technologies and the combined expertise of 65,000 employees in 56 locally based country operations make Thales a key player in assuring the security of citizens, infrastructure and nations in all the markets we serve: aerospace, space, ground transportation, security and defence.

Thales is a leading supplier of security technologies to secure your people, places and information. For more than 40 years, Thales has delivered state-of-the-art physical and cyber security solutions to commercial, critical national infrastructure, government and military customers. In all, Thales delivers cyber security projects across 50 countries, with a global network of 1,500 information security specialists working with SME and research partners that provides it with deep expertise and the agility to deliver industry-leading solutions across the complete cyber spectrum.

Thales believes that Good Cyber is Good Business. Thales will help you refocus your security spend to defend your organisation and prevent significant loss of revenue and reputation. Thales will ensure your competitive advantage is maintained by being able to demonstrate resilient and secure use of cyberspace.

Why Thales?
Thales is a world leader in providing modular, integrated cyber security solutions to protect your people, places and information:
- Cyber incident response
- Audit, assessment and compliance
- Virtual enterprise and network simulation and testing
- System integration and assurance
- Training and skills

We are here to help - a cyber security partner you can trust:
- Global network of 1,500 information security specialists, building upon 40 years of experience
- Extensive domain knowledge of enterprise, defence, transport and energy sectors
- Trusted to secure 19 of the 20 largest banks and 80% of payment transactions worldwide

Contact Us
Thales UK Ltd, Mountbatten House, Basing View, Basingstoke RG21 4HJ, UK
Tel: +44 (0) 1256 376633
Email: cyber@uk.thalesgroup.com
Website: www.thalescyberassurance.com

2013 THALES UK LTD. This document and any data included are the property of Thales UK Ltd. No part of this document may be copied, reproduced, transmitted or utilised in any form or by any means without the prior written permission of Thales UK Limited having first been obtained. Thales has a policy of continuous development and improvement. Consequently the equipment may vary from the description and specification in this document. This document may not be considered as a contract specification. Graphics do not indicate use or endorsement of the featured equipment or services.