In cyber security we often say ‘there is no such thing as a malicious machine’. Trace a cyber attack or information breach back to its source and you won’t find code, you’ll find a person.
In fact, most information breaches are the result of human error and a lack of awareness, and the ‘human problem’ appears to be increasing.
“Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22%”
Larry Ponemon, Chairman of the Ponemon Institute.
Some recent information breaches handled by the Information Commissioner’s Office (the ICO; the UK’s independent authority set up to uphold information rights in the public interest) help to illustrate the point:
- Ministry of Justice. Details of all 1,182 prisoners at HMP Cardiff were accidentally emailed to the families of three inmates; the ICO issued a £140,000 penalty and referred to a “clear lack of management oversight”.
- Cardiff and Vale University Health Board. A consultant psychiatrist cycling home lost a bag from the back of their bike; it contained sensitive personal data, including a Mental Health Act tribunal report relating to a patient. The ICO commented that “this data breach was entirely avoidable” and referred specifically to the lack of training the consultant had received.
- Bank of Scotland. Customers’ account details were repeatedly faxed to wrong recipients in a “four year fax blunder” due to human error inputting the wrong fax numbers; the Bank of Scotland was issued a £75,000 monetary penalty for the breach.
Most people will have heard of, experienced, or worried about losing information in scenarios like those above, from mistyping an email address to leaving papers on the commute home from work.
People will always make mistakes, but policies, procedures and training help to minimise mistakes by making them both much less likely and less damaging.
They do this by helping people to understand:
- The value of information in general, and the particular types of information they really need to take care of (this is why many organisations, including the UK government, have an information classification system).
- The cyber threats and what, in particular, they should look out for.
- What is expected of them, in terms of both why and how they should keep information safe.
- What to do in case of an information breach or a cyber attack.
- Where they can turn for more help, advice or support.
Driving awareness of the threats and implications of data loss, and supporting staff to understand what they can do to better protect information, makes a huge difference when it comes to cyber security.
In fact, a survey published by Ernst & Young in October 2013 argues that 80% of the solution to cyber security is non-technical.
Internal data theft
Reducing accidental breaches helps to protect your organisation from the day-to-day trickle of data loss. It also makes internal data theft, which is far less common than accidental loss but usually more costly, easier to notice.
When staff members are trained in cyber security, they are better equipped to notice unusual behaviour from a colleague, whether that is requesting access to files they don’t need, emailing work to a personal email address, or leaving the office with piles of paper.
If we better understand what motivates people to steal data we can put measures in place to make those thefts less likely.
Research by Symantec and Mishcon de Reya indicates that most internal data theft is perpetrated by lone men in their mid-20s to mid-30s, working in technical roles, generally stealing the data by technical means.
However, over a quarter of internal data theft is carried out by stealing hard copies, and most discoveries of internal data theft are made by non-technical staff. This all reinforces the need to have a multi-discipline approach to cyber security and shows why keeping information safe is everybody’s job.
Patterns tend to precede internal data theft. Stress is often a motivating factor for malicious insiders, particularly a professional setback (perceived or real). This highlights the need for good morale in an organisation, reinforced by two-way communication and a culture that values staff members, especially at times of organisational change.
Processes and procedures play an important part, too. For example, as 70% of data theft takes place within 30 days of an employee handing in their resignation, robust exit procedures that take account of data theft should be in place.
Insiders, particularly current and former employees, are cited as a common source of security incidents, yet many organisations have no plan for dealing with an insider threat, and the plans that do exist are often not very effective.
Of course, discussions about internal data theft and loss should not distract from the cyber attacks that come from outside an organisation.
In fact, external cyber attacks on organisations have increased by 50% in the last year. On top of that, external attackers are turning more and more to ‘human’ methods to extract information from an organisation, from social engineering to phishing attacks, which have grown 87% in the last year.
Increasingly busy lives, and the blurring of home and work life, also put information at risk, as the 2013 Norton Report (a survey of 13,022 online adults) shows:
- 49% of respondents use their personal devices for work.
- 30% of parents using mobile devices for work admit to letting their children use those devices (and since children generally use the internet to play games, use social networks, watch videos and engage in other risky online behaviour, this puts work devices at greater risk).
- One quarter of file storage users say they use the same online file storage account for both work and personal documents.
- 90% of PC users delete suspicious emails from people they don’t know, whereas only 56% of mobile users do.
The 2013 Norton Report also addresses the increasing risks posed by social networking. One finding is that 31% of social media users connect with people they don’t know; the dangers of this were highlighted recently when a security exercise carried out against a US government agency hit the headlines.
Two hackers staged a cyber attack on the agency by setting up LinkedIn and Facebook profiles posing as a young woman, and convinced officials to click on an e-card carrying malicious code that obtained passwords to sensitive documents.
Within the first 15 hours, the fake profile had made 60 Facebook connections and 55 LinkedIn connections with employees of the targeted agency and its sub-contractors, and within one week the hackers had achieved their aim of infiltrating the agency.
The success of this exercise demonstrates how easily attackers can use social networks to gain access to people and their information.
A multifaceted approach to a complex problem
Cyber security is about trying to govern where humans and machines meet.
In too many organisations, however, it is still seen as something for IT to tackle alone. Yet all the technical solutions that money can buy will not protect an organisation from human error, malicious insiders and external attacks.
What does help to protect organisations is technical solutions implemented as one part of an organisational approach that rests on an understanding of the value of information, and that covers policies, procedures and training.
As MI5 Director General Andrew Parker commented at a recent session of the Intelligence and Security Committee:
“it’s tempting to think that security relating to an IT issue must have an IT solution, and of course that’s part of it… but those [IT solutions] sit within the whole range of security arrangements that we have – physical security of our facilities, but most importantly the personnel security that we apply to the vetting that our people have… the way they’re managed, and the way all these measures together make it extremely difficult and extremely unlikely to have… breaches”
To take care of information, you must put people at the centre of your approach to cyber security.