While many cyber security risks come from the outside – e.g., distributed denial-of-service attacks, phishing websites and ransomware spread through email – a similar number and variety can originate within any given organization. Such dangers are palpable whenever enterprise CIOs, for instance, raise concerns about bring your own device policies, which are initiatives that can greatly benefit end users yet carry the risk of improper use. Say that a BYOD-enabled device was used to share corporate information via channels like personal email, chat or cloud storage. In that case, it could cause at least as many problems (i.e., with keeping tabs on where data is and how it is being handled) as it solved (i.e., with support for popular consumer phones and tablets).
Inside risks: Routine actions and accidents can cause problems for enterprises
Most employees are not actively seeking to cause their companies harm, despite the prospect of “malicious insiders” that is sometimes floated to explain sophisticated data breaches such as the one in late 2014 at Sony Pictures. Most of the risk that these workers create for their organizations instead centers on simple human error, inconsistent adherence to security policy – often without knowing it – and mistakes related to behaviors, such as password sharing and recycling, that everyone is used to from life outside of work. Some examples of these types of passive and accidental risks include:
- Not using encryption: In recent years, a lot of major websites have enabled HTTPS by default to protect users and better shield companies from surveillance by governments. Facebook, Yahoo and all of Google’s properties now display a padlock in the URL bar, indicating encrypted transmission of data between a computer and a server. Sites with spoofed URLs may still send unencrypted data, however, plus plenty of cookies and tracking mechanisms around the Web may also send plaintext data, prompting the recent creation of a Google Chrome extension that identified such instances.
- Relying on unapproved applications: Shadow IT, the practice of using applications (primarily cloud computing services) without IT’s knowledge or approval, is a huge phenomenon. Last year, in a column for ReadWrite, Matt Asay of MongoDB cited numbers from 451 Research showing that shadow IT could be ten times as big as known cloud usage. A decisive majority of line-of-business and IT workers use at least some type of unapproved software-as-a-service solution (83 percent and 81 percent respectively, according to Frost & Sullivan), underscoring the scope of the issue.
- Ineffective patch management: According to a recent survey from Sungard Availability Services, half of IT professionals see outdated security patches as a problem. If anything, that level of concern understates the issue, given the ongoing importance of quickly patching software such as Microsoft Internet Explorer that is often exploited. A 2014 Trend Micro TrendLabs report on the issues with Web apps highlighted human error and patch management as stumbling blocks to making Web apps into secure, intuitive tools for companies.
“[P]atch management problems … contribute to the difficulty of keeping even off-the-shelf Web-related servers and databases updated with the latest patches,” observed the Trend Micro report’s authors. “Among these challenges are the need to test emergency patches prior to deployment, the choice to delay patch deployment if the patch proves unstable, or sometimes even the lack of security updates from the vendors themselves.”
Human error, phishing and social media among top contributors to cyber security difficulties
The Trend Micro study also highlighted how Web apps are often highly customized, complicating their standardization across the organization and creating a big opening for human error. While there are many ways that employees can unwittingly put their companies at risk of a breach or cyber attack, human error encompasses many of the possibilities.
An IBM report from last year, “IBM Security Services 2014 Cyber Security Intelligence Index,” compiled data from 1000 of the firm’s clients and discovered that human error was a factor in 95 percent of all those organizations’ reported cyber security incidents for 2013. The most common specific form that such an error took was clicking on a malicious link in a phishing email. Other prevalent issues included using default usernames and passwords, system misconfiguration and, once again, poor patch management.
A 2012 Trend Micro research paper, “Spear-Phishing Email: Most Favored APT Attack Bait,” highlighted the role that seemingly small-scale phishing campaigns can play in setting up targeted attacks. Phishing is an old yet effective tactic, with the ability to fool experienced workers and those without much cyber security training alike. In 2011, security firm RSA was actually the victim of a breach that originated with a phishing email.
What other activities invite cyber criminals’ attention and create potential holes in network security? Social media is an obvious candidate, given its global scale as well as the fact that it accounts for a huge share of all shadow IT and unapproved application usage. Networks such as Facebook and Twitter have their own equivalents of email phishing, such as click-bait posts that are hard for users to resist – if only because they may contain seasonal information or a too good to be true offer – yet contain a malicious site redirect or payload.
The importance of cyber security training in reducing errors and other unwitting risks
The threats posed by phishing, human error and activities such as social media usage are alike in that they can be best addressed through a combination of training and technology. While it may seem like the surest road to better security is solely through procurement of technical solutions, people and process are essential to cyber security strategy, especially considering the prevalence of error and the ability for tactics such as phishing to slip past advanced defenses.
Effective training that covers areas such as authentication, device usage and best practices for the cloud can create a broad base of knowledge for employees to draw upon when confronted by an unfamiliar situation or issue. Minimizing threats from within is more important than ever for corporate cyber security, and enterprises should ensure that they are devoting enough time to training and education.