What if attacks on corporate information assets depended largely on the behaviour of people within the company?
It is now commonplace to hear of colleagues or friends unknowingly clicking a malicious link in an e-mail, potentially compromising corporate information.
Although technical controls are very important and increasingly widespread, statistics confirm that most cyber attacks succeed only if a human makes a mistake.
The main causes of attacks lie in elementary behaviour by employees in moments of inattention.
The best way to reduce the chances of people making mistakes is proper training, because it gives them the skills they need to carry out their tasks in line with the company's security and cybersecurity objectives.
What are the main causes that can put corporate information at risk?
- Use of weak passwords: as companies adopt more cloud-based technologies, people have to create more passwords. However, people cannot remember everything and dislike having to invent new passwords, so the choice often falls on passwords that are easy to remember. The consequence? People use the same password to access multiple sites or computer systems, register their e-mail address on non-company sites or applications, choose passwords that include the name or birth date of a loved one, or pick a sequence of numbers such as 12345. All these shortcuts keep the password from being forgotten, but they also make it an easy target for cybercriminals.
- Weak authentication: for the same reason that people hate creating new passwords, they also tend to avoid multi-factor authentication (MFA). Any additional step, whether tapping an authenticator application or waiting for a code, is a barrier to adoption.
- Distraction: when cybercriminals carry out social engineering attacks, they deliberately exploit the weaknesses of human nature. For instance, most phishing campaigns succeed because they appeal to emotions: they invoke urgency so that people do not stop to think, and in their haste people act against the interests of the company and their own.
- Outdated security: malware and ransomware attacks often succeed because users have not applied the security updates, known as 'patches', that fix known vulnerabilities. Patching can be disruptive and time-consuming, so users and system administrators often delay it. Cybercriminals know this, look for unpatched vulnerabilities in devices, and then use them as part of their ransomware and malware attacks.
All these cases show how cyber attacks are often caused by simple carelessness and distractions within often hectic working days. The human factor therefore plays a key role in determining cyber risk.
Training and awareness are undoubtedly the first weapon for protecting the information assets of companies and organisations.
*Source: IBM Cyber Security Intelligence Index