It has been a mantra for so long that it’s a cliché: Humans are the weakest link in the cybersecurity chain. The best technology in the world can’t protect an organization from an employee (and that includes top management) falling for a well-crafted social media or phishing attack.
Of course, the best security awareness training in the world might help strengthen that link, but according to people like Lance Spitzner, training director for the SANS Securing the Human Program, it’s not happening.
“We have invested a huge amount of effort in the past 15-20 years securing one type of operating system (Windows OS) while investing almost nothing in securing the other operating system (Human OS),” he said.
A point he made with this tongue-in-cheek chart:
So it should come as no surprise that the latest report from the Ponemon Institute, which surveyed 1,000 IT professionals across North America and the UK, finds that a majority – 54% – of those that suffered data breaches said the root cause was “negligent employees.”
In spite of constant calls for better security awareness training, that percentage is up from last year’s 48%. And it could be even worse, since “almost a third of the companies in this research could not determine the root cause (of the breach),” the report said.
The anecdotal evidence, going back years, supports the statistics. At 2012’s DEF CON, Shane MacDougall won the social engineering “capture the flag” contest by getting a Wal-Mart store manager to give him 75 pieces of information over the phone in 20 minutes.
Wired reporter Mat Honan reported in the same year that “in the space of one hour, my entire digital life was destroyed,” thanks to his own security lapses (no 2FA!) and the “helpfulness” of Amazon and Apple tech support.
And just this week, the BBC reported on the sacking of a finance director who fell for an order from his “boss” to pay £50,000 to a supplier.
The results of that weakest link are also depressingly familiar. Ponemon reports that:
- Cyber attacks against small and medium-sized businesses (SMBs) increased from 55% to 61% in the past 12 months.
- Ransomware showed a huge spike, from a reported 2% last year to 52% this year, with 79% saying the ransomware got into their systems through phishing/social engineering.
- While strong passwords and biometrics are “an essential part of the security defense … 59% of respondents said they do not have visibility into employees’ password practices …”
- The average cost of attacks rose, from $879,582 to $1,027,053 for damage or theft of IT assets and infrastructure; and from $955,429 to $1,207,965 for disruption to normal operations.
And the reasons why this is so are also familiar. Among them:
- Attackers take advantage of the general tendency of people to want to be helpful.
- People are trained to be compliant with authority figures, hence they are more likely to fall for attackers posing as law enforcement, top management or even HR.
- Phishing continues to improve. In the case of the finance director mentioned above, the email address looked genuine, and since the real boss had posted pictures on social media of his Greek island getaway, it made sense when the fake boss said he didn’t want to be disturbed because he was on holiday.
All of which should be a signal to company leadership that IT clichés like PEBKAC (Problem Exists Between Keyboard and Chair) or “you can’t patch stupid” are getting in the way.
It’s an attitude that sets people like Spitzner off.
“The reason people continue to be the weakest link is that most organizations continue to fail to invest in them,” he told Naked Security. “If you want your awareness program to really be a success, put an FTE in charge of it. Too many programs have minimal support and maybe 15% of someone’s time.”
And in a post this week on the SANS blog, he said that since people “store, process and transfer information,” they are targets just like operating systems, apps and other computing technology.
His blunt assessment: “we the security community have failed to secure them.”
To do that, he said, will require “mature awareness programs that focus on key behaviors that people can easily exhibit. We have failed to engage people in their own terms that they can easily understand.”
But there is also some ongoing debate about the best way to do that. At last year’s Black Hat, several presenters argued that making employees hyper-vigilant could create paranoia leading to a “constant state of distrust,” and would interfere with “how people actually do their jobs.”
But Kevin Mitnick, once known as the “world’s most wanted hacker” and now head of Mitnick Security Consulting, said at the time that regular, even intense, awareness training shouldn’t have a negative effect on morale or productivity.
“That would be like saying wearing a seat belt takes away the enjoyment of driving. Or locking your car makes people drive poorly,” he said. “In the world we live in, security precautions become second nature, and people adapt.”