State of security: Human error and remembering the essentials


It seems that in a sea of complex digital ploys, companies are trying so hard to guard against the next big threat that they have forgotten the basics. From years of extensive experience managing corporations’ most exclusive content, it is evident that most breaches are smaller in scale and tend to originate from internal sources. This year’s Verizon Data Breach Investigations Report (DBIR) echoes these thoughts, as its findings follow a different trajectory from the norm.

2016 security trends: Don’t discount phishing

The DBIR includes findings and analysis of over 3,141 confirmed data breaches and over 96,850 information security incidents across 82 countries worldwide. This year’s report hit on several focal points, including:

  • 89% of all attacks involved financial or espionage motivations
  • Most attacks exploited known vulnerabilities that had never been patched, despite patches being available for months. In fact, the top 10 known vulnerabilities accounted for 85% of successful exploits
  • 63% of confirmed data breaches involved the use of weak, default or stolen passwords
  • 30% of phishing messages were opened, up from 23% in last year’s report. Of those recipients, 13% clicked on the deceptive attachment, which caused malware to activate
  • Ransomware attacks increased by 16% over the 2015 findings.

From these statistics, it becomes painfully clear that a basic line of defense continues to be sorely lacking in many organizations. Personally, these findings do not come as a surprise, since I have often seen even the most sophisticated, high-level organizations and the executives within them suffer from fundamental security weaknesses. However, this negligence can no longer be tolerated in today’s market, and avoidance can no longer be so common: organizations need to act now so that successful attacks do not continue to follow this upward trajectory.

Human error: The truth in corporate security

As a tech professional, I always see so much emphasis placed on the latest and greatest. While it’s important to keep up with new methods, it’s also important to remember the other side of the coin: the people who implement and operate this technology will continue to contribute an element of risk.

In response to the 2016 report, Verizon’s director of global security services, Bryan Sartin, stated, “You might say our findings boil down to one common theme – the human element. Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now.”

This human element is perhaps the most perplexing to guard against. Corporations rely on human power to function and to differentiate their service, yet this same talent raises security concerns that modern technology alone cannot protect against.

There are many vulnerable areas within an organization. Take my industry, for example: the Board of Directors is perhaps business’ most exclusive club, which would lead one to assume that it has the highest security guidelines and the most powerful technology available. Contrary to that belief, many boards rely on outdated technology and even communicate over unsafe networks. While yesterday’s technology does “fit the bill” and lets its users perform their functions effectively on a familiar network, it poses a growing risk as both security standards and exploit tactics evolve. As we’ve seen with many boards and executives within organizations, these risks can lead to severe security concerns down the line.

Preventative measures

There are plenty of security vendors out there preaching the imperative need to adopt the best and latest security tools. While it is important to guard against the fresh malware behind hacks like those at Anthem, the Office of Personnel Management, and the multi-bank breach by Carbanak, about 73% of breaches originate from within the extended enterprise. While most companies are busy protecting themselves from external threats, internal threats are more likely to happen and harder to control.

As a fellow CEO, security is consistently top of mind. Knowing that even simple mistakes can result in disastrous consequences, here are key steps to take in protecting the company from the basics:

1. Initiate a thorough internal privacy policy and enforce it, especially for contractors and as employees leave the organization (the highest area of vulnerability)
2. Urge executive and older staff members to adhere to policies and to lead by example (it is surprising how many executives still have AOL email addresses and use public Wi-Fi for company meetings)
3. Educate employees about secure networks and devices, and about when their use is appropriate
4. Two- or three-factor authentication is the new norm; adopt it and uphold it
5. Encrypt, encrypt, encrypt, especially for data transfers across a global workforce
6. Ensure all third-party vendors have the latest security features
7. Send frequent refreshers about the most common types of hacking techniques, such as how to identify phishing emails (they are becoming more convincing each year and can come from hacked email accounts). Put examples into a central database for reference.

Data security is only set to evolve as businesses become increasingly global and technology develops. For the best chance at securing the data and other private assets at your company, guard those assets not only from the bottom up, but also from the top down. Young and more experienced employees alike have to adapt and think smarter than the attacks coming next.