Even the U.S. National Institute of Standards and Technology (NIST) has officially branded security fatigue a major risk to consumers and organisations alike. But now that we know our attempts to control user behaviour are backfiring and leading people to make riskier decisions, what is to be done? Better education and awareness-raising certainly have a place, but ultimately we must accept that humans will always make mistakes.
So, let’s stop trying to make employees paranoid and expecting them to act like machines, and instead look at how we can put in place measures that protect our networks and data no matter who is sitting in front of the screen and what mistakes they make.
End-users under fire: the blame for breaches is laid at their door
The security fatigue that NIST believes most of us experience in one form or another is born of an online world in which the user is bombarded with alerts, forced to remember countless passwords, and exhausted by having to be constantly on guard against a never-ending barrage of threats. This resignation and loss of control leads many to behave impulsively, ignore best-practice advice and choose the easiest option available, which is usually not the most secure one.
In the workplace this becomes a major challenge, given the range and volume of threats facing organisations today. Staff should be the first line of defence, but too often they are the weakest link. It takes just one click by one member of staff to open a malware-laden attachment or follow a malicious link, and there are plenty of opportunities to do so. The problem is bigger than you might expect: Verizon’s DBIR 2016 found that nearly a third (30%) of phishing messages were opened, and that 12% of recipients went on to click the attachment or link.
Black Hats know to target the most vulnerable – and they do
Some 18 million malware samples were discovered in Q3 alone, around 200,000 each day, according to some estimates. Information theft and botnet-related compromise remain the prime end goals, but many of these samples will also be ransomware, a cyber plague now reaching pandemic proportions. Separate Freedom of Information (FoI) requests have revealed that six out of 10 British universities, and almost half of all NHS trusts, have been infected. Just a few weeks ago, North Lincolnshire and Goole NHS Foundation Trust had to cancel operations and transfer high-risk patients after taking its IT systems offline for several days.
In short, the threat from financially motivated cybercriminals, state-sponsored operatives and even publicity-seeking hacktivists has become overwhelming. And with over 16,000 software bugs spotted in close to 2,500 applications last year, there is no shortage of vulnerabilities for them to probe. However, while the original source of a threat is usually external, it is insider carelessness and security fatigue that black hats exploit to compromise systems and steal data.
The impact on the organisation can be catastrophic. With the European General Data Protection Regulation (GDPR) set to levy fines of up to €20 million or 4% of global annual turnover, whichever is higher, this is now an issue no board can afford to ignore. On top of the fines come the costs of remediating and cleaning up an infection, potential service outages, lost customers and legal fees. TalkTalk admitted earlier this year that costs related to its 2015 breach could hit £80 million.
Stop shaming end users; provide security that lets them get back to work
Given the severity of the consequences we are now seeing, there is a risk that the constant rhetoric around employees inadvertently causing security breaches could breed a paranoia that starts to erode workforce productivity. Ultimately, if people are too scared to do their jobs for fear of what they might unwittingly unleash, the business will suffer.
So what is the answer? Education programmes could certainly be improved, by aligning them with good working practices and ensuring a “cyber-savvy” culture permeates from the top down throughout the organisation. But this is not easy to achieve, which is why it must be backed up by the right fail-safes.
We need to accept that users will always make mistakes, and in any case attacks have become increasingly difficult to spot. Targeted spear phishing and APT-style campaigns in particular would trick all but the most eagle-eyed employee. You cannot simply stop your marketing team from using Twitter, or ban HR from opening CV attachments. That is a sure-fire way to harm productivity, add to your users’ security fatigue, and introduce the unwanted risk of shadow IT.
CISOs therefore need to look at where the latest technologies can complement the people and process improvements they are making. Huge leaps have been made in the use of micro-virtualisation in security, which does not stop users from encountering malicious content but contains the damage when they do. By running each untrusted task (a browser tab, an email attachment, a downloaded document) in its own disposable micro-VM, users are free to make mistakes and behave insecurely without fear of the consequences. It does not matter if the task gets infected with malware; let them click and let it run.
Why so cavalier? Because every time a malicious piece of code is encountered, it is confined to that micro-VM, unable to spread beyond it or damage anything outside it. When the task is closed, the micro-VM is discarded and anything the malware wrote inside it goes with it. No clean-up of the endpoint is needed, dwell time is effectively zero, and the pressure for emergency patching of the applications running inside the VM eases, because an exploit against an unpatched application is confined to a throwaway VM. Two caveats a practitioner should keep in mind: the isolation is only as strong as the hypervisor and host beneath it, which must themselves be kept patched and hardened, and it contains code execution rather than disclosure, so a user who types a password into a convincing phishing page has still given it away and no amount of isolation retrieves it.
That is good news all round, because it means you are no longer expecting your users to spot and avoid danger as reliably as a machine. Allowing end-users the freedom to click without fear of the consequences fosters speed, innovation and learning. This in turn is likely to reduce security fatigue, creating a win-win for everyone concerned.