Human error: the weakest security link


Thursday, 29 September, 2022



Cybercriminals are experts at creating confusion in even the most cyber-savvy professionals, and many attacks rely on human error to succeed. According to the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Report for July to December 2021, human error accounted for 41% of all data breaches, only second to malicious or criminal attacks. Therefore, it’s critical for businesses to support integrated and ongoing security awareness training that continues to educate end users on how to identify and combat cyberthreats, as well as best practices for staying cyber-savvy.

Jon McGettigan, regional director ANZ and the Pacific Islands at Fortinet, says training is key to avoiding damage from increasingly sophisticated attacks.

“Phishing emails are commonly used by cybercriminals to gain access to company networks, and these emails are extremely convincing even to employees who are aware of this type of attack. It’s important for organisations to focus on training their staff members to an even higher degree to help them identify and avoid the increasingly sophisticated cyber attacks that are being launched with the specific intention to circumvent cybersecurity tools through human error.”

It takes a consistent, comprehensive, and sustained training effort to ensure that all team members, regardless of their role, can identify potential risks and avoid falling victim. The Fortinet 2022 Networking and Cybersecurity Adoption Index found 63% of organisations provide training for employees and 58% of staff consider themselves very well trained, suggesting room for improvement.

“This training should occur regularly because of the ever-changing nature of the threat landscape, with threats evolving and changing constantly. The training should also cover a broad range of topics to better equip staff to defend themselves and their organisations against these threats,” McGettigan said.

There are 12 critical areas of concern that end user security awareness training should cover:

  1. Phishing attacks: Phishing attacks often involve an employee receiving an email that appears to come from a reputable source, tricking them into clicking a link that will download malware. Effective phishing training will teach employees how to recognise and report suspected phishing attempts and the best practices to avoid falling for one.
     
  2. Ransomware: Ransomware occurs when attackers encrypt an organisation’s data, making it inaccessible unless the organisation pays a ransom. Paying the ransom provides no guarantee that the files will be decrypted, nor does it ensure that the attackers won’t release confidential files to the public, both of which could significantly damage the organisation. Recovering from a ransomware incident is costly, both from a reputational and financial viewpoint. The best way to protect against ransomware is to give employees the tools to spot and flag suspicious behaviour as well as educate them on the risks of paying the ransom.
     
  3. Social engineering: Cybercriminals use psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering training teaches employees how to defend against sophisticated phishing attacks with tools and techniques to recognise and combat them.
     
  4. Social media use: While many organisations do not consider social media to be a threat, it can lead to a security breakdown without proper policies in place. For example, malicious actors can monitor a staff member’s social media behaviour to learn inside information that lets them create more effective social engineering campaigns. Knowing the dos and don’ts of social media can help employees avoid leaked passwords, brand impersonation, and various phishing scams.
     
  5. Internet and email use: Email is the primary vector for spreading ransomware: phishing emails trick recipients into opening malicious links or attachments, and this is sometimes known as business email compromise. Training will equip employees with the tools to recognise and prevent an incoming cyber attack.
     
  6. Mobile device security: Mobile devices are a leading cause of data breaches; however, companies still fail to properly train employees on secure device use. Cybersecurity awareness training teaches employees about device safety including the importance of passcode protection and enabling data encryption.
     
  7. Removable media and devices: Cybercriminals leverage removable media and devices as an initial attack vector in operational technology (OT) environments. It is important for employees to understand how to manage the risk of removable media such as USB drives and the importance of protecting the data on these devices.
     
  8. Passwords and authentication: Weak or mishandled login credentials put users’ sensitive information at significant risk. Employees need to understand the importance of using strong login credentials to protect information from falling into the wrong hands.
     
  9. Physical security: To combat data theft, physical objects that contain sensitive information must be protected. Physical security training prepares employees to recognise threats that leave networks vulnerable to attack and to mitigate them with physical and digital policies.
     
  10. Work from anywhere (WFA): In the rush to set up remote work environments, businesses faced newly exposed or vulnerable devices and networks. WFA training can help employees working outside of the office to avoid falling prey to phishing attacks, understand how to keep data secure when outside the corporate firewall, and adhere to cybersecurity best practices.
     
  11. Public Wi-Fi: Employees who work in places such as cafes, libraries, and public transport may need extra training on how to safely use public Wi-Fi services. Training will guide employees on the inherent risks of using public networks and how to identify a potential scam.
     
  12. Cloud security: As businesses flock to the cloud, the risk of large-scale hacks increases. According to Gartner, through 2025, 99% of all cloud security incidents will result from human error, emphasising the importance of guiding employees through the secure use of cloud-based applications.

“Employees are high-value targets for threat actors; however, they’re also the best defence against cyber attacks. By implementing an effective end-user security awareness program, organisations can promote a security-compliant culture with increased user awareness to stop breaches and protect data while also freeing up IT resources,” McGettigan said.
