How to Keep A Business Safe: Tips From IBM and Shapeshift.io Cybersecurity Experts
Cybersecurity is about far more than simply having the right software in place. Most breaches occur as a result of human error, with employees given inadequate training and processes to effectively protect their business.
Phishing, waterholing, and tailgating are just a few examples of employees targeted as security weaknesses. We asked the experts how to keep a business safe.
The Human Factor
The financial cost of a security breach can be tremendous. A study by Ponemon Institute estimates that phishing alone could cost an average-sized organisation as much as $3.77 million annually. The cost to employee productivity was found to be severe, too, as the report estimates employees waste an average of 4.16 hours each year due to phishing scams.
The report paints a grim picture: “Drawing on an average of 4.16 hours per employee we calculate 39,736 hours wasted because of phishing. Assuming an average labour rate of $45.8 for non-IT employees (users) we calculate a total productivity loss of $1,819,923 per annum.”
In the Kaspersky Lab's State of Industrial Cybersecurity 2018 survey, nearly half (49%) of businesses said they face the threat of cyberattacks because of employee error.
The human factor is undeniably the weakest link in the cybersecurity chain. Businesses must shift their focus to their employees and provide them with the training they need to combat cyber threats.
Social Engineering Assumes Many Forms
Imagine a computer system as an impenetrable castle, with walls capable of withstanding attack by any cannon. However, if those in charge of the drawbridge lower it, then the enemy will have no problem walking in.
All those strong phrase passwords and two-factor authentications are useless if the people who are in charge are themselves vulnerable. Whether it is customer support agents, IT workers or non-IT staff – anyone could let people with bad intentions have the information they need to do harm.
Just how dangerous is human vulnerability in cybersecurity? Well, it could potentially start a war.
In 2014, Sony Pictures was hacked after a successful phishing attack. North Koreans were reportedly behind the attack, angry about a comedic representation of their leader in the film The Interview. The aftermath saw the US National Security Council involved and led to increased tensions between the nations.
“Humans are the weakest link when it comes to security because we can pick and choose how to behave in each scenario”
Social engineering vulnerabilities can take the shape of phishing, which can be either generalised or targeted at certain individuals. Phishing is not only limited to emails, either – it can also be done through the telephone. Watering hole attacks are another popular technique.
This is where a nefarious actor infects a website known to be regularly visited by the intended target and infecting them through it.
Some vulnerabilities, unfortunately, come about due to human fallibility. Passwords, for example, can often be compromised on a quid pro quo basis, where the attacker will offer something in return for security information.
Vulnerable employees can also be made to use compromised USB sticks and infect systems with malware if they are not properly trained, in an attack known as baiting.
On top of these, physically accessing secure locations by assuming an identity or pretending to be someone in charge is not unheard of either. Tailgating is the simplest form of social engineering that exists.
To get an idea of how big the threat of social engineering attacks is, BDJ spoke with Michael Perklin, Chief Information Security Office of Shapeshift.io. “Humans are the weakest link when it comes to security because we can pick and choose how to behave in each scenario,” Perklin says.
“Computers will always behave in the same way under all conditions which makes them better at enforcing security rules than we are. Most of the large thefts in the crypto space were a result of failing to confirm an assumption: (e.g. the CTO just asked to send this money over there.) Every company today needs to ensure their staff are aware of impersonation and social engineering attacks and to adopt habits to confirm sensitive requests securely.”
Assets Turned to Vulnerabilities
Social-engineer.org claims that 90% of those that they have engaged with will not only give out the spelling of their name but also their email addresses when prompted, while 67% will provide social security numbers, dates of birth, or employee numbers.
Worryingly, they have also had 100% success in breaching physical barriers. BDJ also spoke with Justin Halsall, Developer Advocate and Public Speaker at IBM.
“Employees need to understand that they can be socially engineered to be the business’ biggest vulnerability,” Halsall tells us. “They are the biggest attack vector when it comes to companies and the best hackers are the ones that exploit this.”
Malicious insider attacks are a concern, with up to 90% of organisations feeling vulnerable to such a possibility, according to Insider Threat, a report by CA Technologies, but ‘accidental’ exposure by employees is also a concern.
The report notes that 56% of employees used weak or reused passwords, 44% used unlocked devices, 44% indulged in bad password sharing practices and 32% used unsecured WiFi networks.
“Employees need to understand that they can be socially engineered to be the business’ biggest vulnerability. They are the biggest attack vector”
In order to ensure that employees remain an asset, they need proper tools and training. “The senior leadership of a company must take data security seriously and create a culture of security in order for balance to be achieved,” Perklin says.
With regard to the work they are doing at ShapeShift, Perklin revealed that their system was designed specifically to protect their customers’ data from the beginning and by default.
“Once the system was designed,” he tells us, “employees were told that access to this encrypted customer information would be given out on a need-to-know basis, and select employees were trained in the use of hardware security devices and data handling to ensure that they not only could access the data for their jobs, but keep the data secure while doing so.”
You can read more about how Shapeshift handle their security practices in this blog.
Bad Practices Lead to Bad Outcomes
When employees indulge in bad practices, the outcomes are equally bad. The Insider Threat survey reveals that the most common bad practice was companies providing too many users with excessive access privileges. The second most common bad practice was allowing too many devices to have access to sensitive data.
“The more devices you have that are connected the more opportunities there are for hackers to break in,” Halsall explains.
Connected devices are great for the end users and they provide businesses with information in the form of valuable data, but their presence in the world of work itself brings with it myriad security concerns from a variety of sources.
Take, for example, the use of connected devices in a medical setting. Vulnerabilities could potentially be life-threatening if a hacker could tamper with dosages of medicines, or gain access to valuable private medical information.
However, the threat is not just limited to in-house employees or their devices. Third parties like vendors, contractors and partners could be the source of damage as well, whether it is through the deployment of APIs or vulnerabilities in distributed software.
As an example, the fast-food chain Wendy’s had a credit card data breach through its cash registers, which were being serviced by a third party. That breach impacted 300 locations in 2015.
New Eras Bring New Threats
As we experience a new industrial revolution, the threats that employees and businesses face are only going to diversify and multiply.
“IoT brings a huge attack vector and also allows hackers to monitor when people are home due to snooping on connected lights and heating,” Halsall says. “5G is going to increase the amount of connected devices so that will also increase the amount of opportunities there are for vulnerabilities.”
However, these are not the only concerns. There are driverless cars, which could be affected by people wanting to cause harm to the passengers.
According to Statista, there will be 31 billion IoT devices by 2020 and these range from routers to toasters. Not only do these devices represent a potential vulnerability for the businesses that use them, but they can also be used to overload networks or deny access to computers with important data.
“I do see the rise of quantum computing as a big threat towards public blockchain security”
Beyond the realm of IoT and 5G, there are also issues inherent in the rise of quantum computing. Whether it is credit card security, blockchains, secure web browsing, or cryptocurrencies, all areas will be affected by developments in this field.
“I do see the rise of quantum computing as a big threat towards public blockchain security,” Halsall says. “Quantum computing's uses are currently limited but cracking encryption, hashing and other opportunities that are key to public blockchains is a huge risk. IBM is selling its first 20 qbit quantum computers and it's just a matter of time before these get used to exploit cryptocurrencies.”
People Are the Solution, Not Technology
When it comes to cybersecurity, the focus should be people. Ultimately, they are the ones using the technology.
Creating a security mindset among employees is the need of the hour and training employees to be vigilant is essential.
For Perklin, it all starts with the company’s information security policy. Before we can train the employees on how to be safe, we need to set the ground rules for what is allowed and what is unacceptable at the company.
“An InfoSec policy is like the ‘10+ commandments” of security at your company. E.g. ‘Thou shalt always store passwords in a password database”
“An InfoSec policy is like the ‘10+ commandments” of security at your company,” Perklin says. “E.g. ‘Thou shalt always store passwords in a password database, and never store them anywhere else.’ Then it is a matter of providing employees with the tools and training and observing their behaviour. These tools could be password managers, 2FA hardware tokens, etc.”
‘Sign up for a new account on this website’ - did they use their password manager to generate a secure password and store it? Or did they just retype the same password they use for everything in their personal life? Post-training it is important to reinforce the training so as to avoid bad habits.
As Perklin says, “Following up with the employee one week later, and one month later will identify any gaps and help them adopt secure habits.”
As an example, in order to teach employees the importance of being careful about email and phishing scams, companies can send their own fake phishing emails.
Halsall tells us that emails with attachments that say things like ‘If this was a phishing email we've got you! Stay more vigilant next time!’ can help employees to be on their toes and stay more awake to threats.
Creating good habits like shredding documents and destroying hard drives in a proper manner, for example, can go a long way. Regularly changing passwords and never reusing them is also vital.
Perhaps the most important training that employees can receive is one that is based on the psychology of the social engineering attacks. Employees should be wary of strangers that are overly friendly or those that drop names of bosses or supervisors.
Mandatory meetings to train employees, attended by everyone in the hierarchy of the organisation, are vital. Customer-facing staff should receive special attention.
Missing Cybersecurity Staff A Worry
Just training the workforce is not enough to completely protect businesses. There is also a need for skilled, dedicated professionals that can protect companies from ever-evolving threats.
Unfortunately, there is a huge shortfall in this form of specialised cybersecurity staff.
According to the (ISC)2 Cybersecurity Workforce Study for 2018, 63% of organisations feel they need more cybersecurity staff, while the global skills shortage in this field has reached the level of 2.9 million.
The most extreme shortage is in the Asia Pacific region, where the shortfall is 2.14 million.
The impact of this shortage affects not only a company’s security but the mentality of its employees as well. The satisfaction of existing staff and the broader morale of the company is also at stake.
The only solution is to take a holistic approach to cybersecurity that takes into consideration the needs of customers, employees and businesses.
The need for effective cybersecurity in business was hardly unknown before 2018, but consumer awareness of how they themselves can be affected by major breaches was given a serious boost last year. High-profile data breaches from some internationally renowned industry leaders put online security on the front pages after GDPR brought corporate use of personal data into the public conversation.
Facebook was by far the company most badly hit by data breaches in 2018. Suffering several breaches over the course of the year, one Facebook security weakness saw over 50 billion users compromised. A serious look at the code and data usage of a company that deals with endless reams of personal data has been sanctioned. Another to fall foul of hackers was hotel chain Marriott, which saw records of up to 500 million customers breached. Payment information and addresses were among the data stolen, leading to class-action suits against the chain and regulatory investigations into its security systems. Others like Ticketmaster and British Airways were also subject to breaches, in a year that they will want to move on from swiftly.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]
- How Vulnerable Is the Internet of Things (IoT) to Hackers?
- Blockchain Interoperability Remains a Critical Missing Puzzle Piece
- How to Keep A Business Safe: Tips From IBM and Shapeshift.io Cybersecurity Experts
- China Vs the US: Who Will Win the AI Race?
- AI Applications and “Black Boxes”: How to Make Use of Recent Research on Artificial Neural Networks