Cybercriminals know that it is far easier to access systems by ‘hacking-the-human’ than it is to go through technology. According to security software company Trend Micro, a staggering 91% of successful breaches started with attacks that were focused on the weakest link in the security chain – people.
To take a closer look at this subject, IT News Africa’s Jenna Cook chatted to Anna Collard, MD of Popcorn Training. Here’s what transpired:
What exactly is the ‘hack-the-human’ trend?
The ‘hacking-the-human’ or social engineering trend is based on criminals realising that it is increasingly difficult to break through sophisticated security technology, whereas it is comparatively simple to trick an unsuspecting person into opening a potentially malicious attachment, clicking on a link or parting with sensitive information.
Why are humans the weakest link in the cybersecurity chain?
Humans are often blamed for being the weakest link in the cybersecurity chain – and without the right level of awareness and training, this is certainly the case. 88% of the data breaches reported to the UK Information Commissioner’s Office in 2018 were based on human error.
Whereas technology gets updated and improved upon all the time, our ‘human operating system’, or the way we make decisions and react to our emotions hasn’t been upgraded in thousands of years. We are non-binary, emotionally driven beings who can be manipulated into feeling a low-grade form of fear which in turn will suppress our critical thinking, resulting in poor decision making.
How do cybercriminals successfully infiltrate security through people?
Cybercriminals make use of psychological tricks to literally ‘hack’ our emotions. Their aim is to trick us into revealing information, installing malicious software or unknowingly participating in their scams. They use a combination of tactics such as researching and profiling their victims on social media (a technique called pre-texting) and making use of subtle but effective psychological levers to get their targets to do what they want.
The three most widely used levers are fear, flattery and greed. These can be delivered via targeted phishing emails, text messages or in-person and via the phone.
The use of AI technology is making these types of attacks more powerful and automated. For example, AI is able to send targeted messages based on the information learned about the target online and then leave human-sounding voice messages to urge the person to react to the email.
Deepfake technology has also been used in impersonation attacks, for example when copying the voice of a CEO instructing someone to authorise a fraudulent wire transfer or invoice payment.
What are some of the inherent risks and warning signs of a cyberthreat?
The risks of successful social engineering attacks to organisations can range from small and opportunistic ransomware infections to credential harvesting with the purpose of breaking into the target’s email accounts to launch further phishing attacks, breaking into the network to steal personal or sensitive data, or plainly committing money transfer fraud, as in the case of CEO impersonation scams and manipulation of invoices or payment instructions.
Since attacks have become more sophisticated and targeted, it is no longer that easy to spot a phishing email by looking out for spelling mistakes or other obvious red flags.
Our advice to end-users is to watch out for anything that seems slightly out of the ordinary or is triggering an emotion (either positive or negative). Avoid links and attachments you are not 100% certain of. Even if the message looks like it is coming from an internal sender, if there is the slightest doubt about the tone of the message or the type of request, rather verify with the sender out of band.
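The answer above tells end-users to be suspicious of messages that merely look internal. The following is an added illustration, written for this page and not code from the interview or from Popcorn Training, of how a mail gateway or mailbox rule can apply the same checks mechanically: whether a known internal display name arrives from an outside address, whether the sender domain is a lookalike of the organisation’s own, whether Reply-To diverts replies elsewhere, and whether the subject carries an urgency lure. The domain `example.com`, the internal name list, the substitution table in `lookalike()` and the sample message are all constructed assumptions for the example.

```python
"""Flag messages that look internal but are not (added example, not from the interview)."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"               # assumption: the organisation's own mail domain
INTERNAL_NAMES = {"jane doe", "ceo office"}   # assumption: display names of known internal senders
URGENCY_WORDS = ("urgent", "immediately", "wire", "today")  # assumption: crude urgency lexicon


def _normalise(domain: str) -> str:
    """Collapse common character substitutions used in lookalike domains."""
    return (domain.lower()
            .replace("1", "l")
            .replace("0", "o")
            .replace("rn", "m")
            .replace("-", ""))


def lookalike(domain: str, target: str = INTERNAL_DOMAIN) -> bool:
    """True when `domain` differs from `target` but matches it after normalisation."""
    domain = domain.lower()
    return domain != target and _normalise(domain) == _normalise(target)


def inspect_message(raw: str) -> list:
    """Return the list of red flags raised by a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # A trusted internal name on an external address is classic display-name spoofing.
    if display_name.strip().lower() in INTERNAL_NAMES and from_domain != INTERNAL_DOMAIN:
        flags.append("display-name-spoof")

    # examp1e.com, exarnple.com and friends.
    if lookalike(from_domain):
        flags.append("lookalike-domain")

    # Replies silently redirected to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to-mismatch")

    # The fear/greed lever: pressure to act now.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgency-lure")

    return flags


# Constructed sample messages; no real mail was used.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: accounts@mail-relay.net
Subject: URGENT: approve wire transfer today
Content-Type: text/plain

Please process the attached invoice immediately.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free on Thursday?
"""

if __name__ == "__main__":
    print("suspicious:", inspect_message(SUSPICIOUS))
    print("benign:", inspect_message(BENIGN))
```

Any single flag is a reason to verify out of band, as the answer advises; the checks are deliberately cheap so they can run on every inbound message before a user ever sees it.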
How can businesses address the ‘Hack the Human’ trend?
The first step is recognising that although technology should prevent the majority of attacks, it is only one layer of the defence and people make up an important pillar of the overall security program.
People-centred security starts with understanding the risks related to humans’ interaction with technology and data, and understanding where psychological triggers may lead to security incidents. Security awareness shouldn’t be seen as an IT problem but should rather be run as a continuous culture change and communications programme, combining education through engaging, bite-sized content and creative messaging with inoculating users by running frequent and highly realistic simulated phishing tests.
Why is cultivating a culture of security important for businesses?
When all else fails, humans are the last line of defence. They aim
Effective security awareness programs can shape behaviour to make security alertness second nature and people can become our strongest security assets. Apart from improving the organisation’s risk posture, we owe it to our employees and co-workers to educate them and make them aware of the danger of cyber threats to their personal lives and that of their family.
At what point can a business feel comfortable that it has done enough to protect its data?
Security awareness is a little bit like flossing: it needs to be done on an ongoing basis, ensuring that users are kept up to date with the latest threats. Luckily there are ways of automating and simplifying a lot of the process.