We must improve security because the impact of human error on cybersecurity can be immense, and one small slip-up can have disastrous consequences
One small slip-up or moment of personal irresponsibility can cause havoc for even the most robust organisations.
An incident involving the Sellafield nuclear site earlier this year served as a reminder of the risks posed by employees' actions. The large multi-functional nuclear site became the subject of an unsuccessful unfair dismissal case after one of its IT workers downloaded unencrypted classified data onto her personal USB devices, intending to take them home, and then dropped them in a car park.
The story has highlighted the need to mitigate intentional or accidental misconduct that could jeopardise the security of government organisations or critical national infrastructure. However, these concerns are not solely related to staff members leaving places of work with physical copies of data.
How can the public sector improve security?
While public sector entities spanning education, healthcare, and transport are critical to our society’s successful day-to-day functioning, their significance makes them very attractive targets for malicious actors.
The statistics speak for themselves. According to the Government Cyber Security Strategy: 2022 to 2030 policy paper, four in 10 incidents managed by the National Cyber Security Centre (NCSC) in the year ending August 2021 were aimed at the public sector.
From opening emails that shouldn’t be opened to ignoring security software updates on devices, bad digital habits can equally have serious consequences, providing opportunities which threat actors may capitalise on.
In a governmental context, it’s becoming particularly apparent that adversaries are targeting individuals and endpoints more than networks and systems.
For instance, Lookout’s 2022 Government Threat Report shows that nearly half of all phishing attacks aimed at government personnel in 2021 were designed to steal employees’ credentials – up from 30% in 2020.
This isn't a coincidence. The simple fact of the matter is that attackers know that individuals are a weak link – something that C-level execs are also beginning to recognise.
In a recent survey conducted by Apricorn, well over a third (37%) of IT leaders revealed that they believe their staff are continually, yet unintentionally, putting data at risk. Further, one in five (21%) stated that lost or misplaced devices containing sensitive corporate information were also a common issue.
These figures are worrisome. Yes, human error will always, to some extent, be unavoidable, particularly given that social engineering attacks are becoming increasingly intelligent, tailored and convincing. However, the fact that many IT leaders believe their workforces still lack the basic knowledge needed to avoid those simple mistakes capable of cascading into devastating attacks is concerning.
Addressing the weakest link in the cybersecurity chain
Private or public entities alike, employees are often the weakest link in the cybersecurity chain.
Government organisations must not consider themselves an exception. When employees are left to their own devices, even the best technical measures are likely to fail. Instead, such entities must be proactive and build stronger security cultures with defined policies and responsibilities for all staff members.
This isn’t something that can be achieved overnight. While identifying vulnerabilities and strategising potential action points to minimise the risks they pose is one part of the puzzle, ensuring that any rules which are subsequently implemented are actually followed is a whole different kettle of fish.
If employees don’t grasp the potential security implications of specific actions and behaviours, they will unknowingly or unwillingly fail to follow advice and guidance. Organisations must therefore ensure that training and education programmes to maximise awareness among the workforce are prioritised.
This isn’t the only way of bridging the gap between employee-induced attacks and better protection, however. Equally, government entities can adopt policies designed to restrict employee access, limiting every individual’s access to only those software solutions and systems they need to carry out their work.
Known as the principle of least privilege, this is a fundamental aspect of the NCSC-advocated zero-trust strategies designed to protect organisations effectively against many common threats. The idea is to eliminate the implicit trust that can fundamentally undermine an otherwise effective security setup once a threat actor (either internal or external) has access to the target network. Instead of assuming that everything behind a corporate firewall is safe, the zero trust model demands that every user request is verified, mitigating risky actions and malicious behaviours.
Building on zero trust and the principle of least privilege, firms should also reduce the opportunities for individuals to either intentionally or accidentally cause a breach by ensuring that all staff members are only allowed to use managed devices to access corporate networks.
The threat that unmanaged devices pose by limiting visibility, undermining security protocols and expanding an organisation's attack surface is a key reason why adversaries are focusing many of their efforts on targeting individuals and endpoints. Simply put, such devices provide threat actors with clear and accessible avenues through which to gain a foothold on a network.
The importance of encryption and backups to improve security
Many layers may be added to the security stack to help minimise the risks stemming from staff members; encryption is another that government entities should consider.
The importance of mandating procedures for encrypting all data across all devices as standard is evident in the case of the Sellafield incident: because the classified information on the dropped USB devices had not been encrypted, the next person to pick them up could easily have accessed it and potentially leaked it into the public domain.
To prevent this from happening, organisations must apply encryption and endpoint control solutions to all devices, be it a USB stick, laptop, mobile phone or other. If these are then lost, critical company information will remain secure.
Finally, we have backups – a piece of the security puzzle centred around recovery that is just as important as prevention. Here, offline solutions should be used in tandem with a centralised cloud backup plan. With this approach, information can always be recovered if centralised networks are compromised, serving to help critical national services and infrastructure get back up and running quickly and effectively.
Ultimately, the key is to use a combination of methods to both enhance employee awareness and rein in employee responsibility when it comes to security, minimising the opportunities for individual actions to result in catastrophic events.
By following these steps, employees will be both less likely and less able to put highly sensitive data at risk, whether unknowingly or accidentally. Equally, even if they do, cyber attackers will not be able to access or leverage that data with ease.
Improve security for everyone
To this point, we’ve been focusing on ways to eliminate individual-induced security risks that benefit the organisation. However, it is important to recognise that any security policies also need to work for the individual if they are to be successful.
Processes such as restricting access and encrypting data must be done in a way that doesn’t impede employee productivity or heighten operational frustrations.
In a 2022 survey, Apricorn found that the most common reasons remote security policies weren’t followed were employees not prioritising security practices despite being informed about them (51%) and using personal devices for working purposes (40%).
These statistics are telling. Suppose staff members find security measures complicated, confusing or irritating to follow. In that case, they will try to find ways to bypass vital protocols wherever possible, working actively against, rather than with, security strategies.
Today, this is more important than ever before. Between the rise of remote and hybrid working and a heightened focus on improving the employee experience, there is both a greater need for seamless measures and a greater chance that they will be undermined by staff members who are more easily able to avoid the watchful eye of security leaders.
For this reason, policies must be tailored to suit the needs of flexible, hybrid and mobile workers to reduce risks further, ensuring that security works for everyone. If successfully achieved, government entities and public organisations will be well placed to mitigate the increasingly common and aggressive efforts of threat actors in the current environment.
Written by Jon Fielding, Managing Director, EMEA Apricorn