Strategies to protect enterprise networks often discount the human factors in cybersecurity. That neglect leads to successful cyber attacks and, depending on the system compromised, potentially catastrophic outcomes.
When we think of enterprise-level information systems, we think of a network of all the digital systems and tools that automate the collection, analysis, and communication of information to drive operations and business decisions. This might include the enterprise’s servers, the software, which may be powered by artificial intelligence, and the web of data gathering and sharing devices, which includes computers and smartphones. In addition to these key elements, there is one crucial system component that is often ignored – the people involved. And just like the human involvement in information systems is overlooked, businesses also tend to neglect the human factors in cybersecurity, potentially leading to severe consequences. How? Let’s take a look at a hypothetical scenario:
While on vacation, Jane, a regional sales head for a multi-billion dollar corporation, receives an email on her phone. It’s from Bill, her office’s IT administrator, whom she also happens to know well personally. The message begins with an apology for briefly interrupting her vacation, but states that something urgent needs to be done. Bill asks Jane to reply right away with her log-in credentials for their proprietary CRM application, because there is an issue that needs to be fixed ASAP! Jane, partly unsuspecting and partly wanting to get back to vacation mode, types in what’s asked of her and hits ‘Send.’ Then she gets on with her vacation.
A week later, Jane returns to work and is shocked to find out that the company’s CRM database that contained the personal information of thousands of customers had been hacked into and the information leaked. Jane hadn’t noticed that the email she had received, supposedly from Bill, was a phishing attempt. And a successful one at that.
The weakest link
The security of any system is only as strong as its weakest link, and in enterprise network security that link is usually the people in the system. Organizational security systems are getting smarter and better with time, but so are the attackers. Machine learning is playing a growing role in security tooling and helps keep organizational data protected as threats evolve, and combining algorithmic security systems with technologies like blockchain may add further assurance, at least in theory. Even so, most successful cyber attacks exploit the ‘human factors’ in cybersecurity rather than a weakness in the technology.
Over 90% of successful cyber attacks begin with phishing, which exploits people’s unawareness and lack of judgment in telling genuine communications from fraudulent ones. That alone shows that investing in the smartest security systems cannot guarantee the protection of confidential data. Organizations are in fact investing heavily in cybersecurity, with global spending estimated to exceed $1 trillion cumulatively from 2017 to 2021. To protect data from illicit access and loss, investing in smarter systems should go hand in hand with making people smarter about security. Now, don’t get me wrong: by smarter I don’t mean to question people’s intelligence or their knowledge of digital security.
Being smarter has little to do with technical know-how and more to do with mindfulness.
Smart means aware
Being smart in the context of security means being aware:
- aware of who you receive communications from,
- aware of what links you click on, or which attachments you open,
- aware of the different types of cyber crimes and threats, and of organizational communication, privacy, and security policies.
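The three kinds of awareness above can also be applied mechanically, as a second line of defence behind the user. The following Python script is an added example written for this article (it is not code from the original page or from any product it mentions): it inspects a raw email for the tells in the Jane and Bill scenario, namely a look-alike sender domain, a Reply-To that quietly redirects replies elsewhere, an urgent request for credentials, and a link whose visible text names a different host than its href. The two sample messages, the trusted domain list and the company domain `example-corp.com` are constructed for the illustration.

```python
"""Flag common phishing indicators in a raw email message.

Added example for this article (not code from the original page). The
sample messages and the trusted-domain list are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the hypothetical organisation legitimately sends from.
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "right away")
CREDENTIAL_WORDS = ("password", "credentials", "log-in", "login")
# Anchor text that itself looks like a hostname or URL.
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(parseaddr(str(msg.get("From", "")))[1])

    # 1. Sender domain is a near miss of a trusted one (typosquat / digit-for-letter).
    #    A completely unrelated domain is not flagged here; that is a policy question.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(f"look-alike sender domain {from_dom!r} vs {trusted!r}")

    # 2. Replies are silently routed to a different domain than the sender's.
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From")

    # 3. Body combines time pressure with a request for credentials.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    low = text.lower()
    if any(w in low for w in URGENCY_WORDS) and any(w in low for w in CREDENTIAL_WORDS):
        findings.append("urgent request for credentials")

    # 4. Link text names one host while the href actually goes to another.
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for label, href in parser.links:
            m = HOSTLIKE.match(label)
            actual = (urlparse(href).hostname or "").lower()
            if m and actual and m.group(1).lower() != actual:
                findings.append(f"link shows {m.group(1).lower()!r} but goes to {actual!r}")
    return findings


# Constructed sample resembling the scenario in the article (not a real message).
SAMPLE_PHISH = """\
From: "Bill Ortiz (IT)" <bill@example-c0rp.com>
To: jane@example-corp.com
Reply-To: helpdesk@mail-reset.net
Subject: Urgent: CRM access problem
Content-Type: text/html; charset="utf-8"

<p>Jane, sorry to interrupt your vacation, but something urgent came up.</p>
<p>Please reply with your CRM log-in credentials ASAP, or sign in at
<a href="http://crm.example-corp.com.login-reset.net/fix">crm.example-corp.com</a>.</p>
"""

# Constructed benign message from the genuine domain.
SAMPLE_OK = """\
From: "Bill Ortiz" <bill@example-corp.com>
To: jane@example-corp.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Hi Jane, welcome back. Are you free for lunch on Thursday?
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, phishing_indicators(raw) or "no indicators")
```

Each check maps to one of the awareness points: who the message is really from (checks 1 and 2), what a link really points to (check 4), and what kind of request a genuine IT department would never make by email (check 3). The heuristics are deliberately simple and will produce false positives; they belong in a mail gateway or a user-facing warning banner, not in place of training, because the attacker who registers a domain with no resemblance to yours and writes a calm, polite message defeats every rule above and is stopped only by a user who knows that credentials are never shared on request.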
And the need for smartness does not only apply to devices, software, and the primary users of those devices, but to the organizational pyramid as a whole. This includes the top leadership, which may not be directly involved in using the data management systems but still communicates internally over organizational channels. Strengthening data security should take both a top-down and a bottom-up approach, so that as few loopholes as possible remain in terms of policy, technology, and people.
Measures for smart(er) security
To build a robust security system protecting enterprise-wide networks, organizations should plan and invest not only in the best technology available, but also in making their people more aware of cybersecurity. The following practices can help organizations form a well-rounded threat prevention strategy:
- Training and awareness initiatives: The first step towards cultivating a smart security strategy is ensuring that all employees understand the importance of cybersecurity and teaching them to follow standard protocol while interacting with and using the IT infrastructure. Employees should be made aware of the different ways in which the security of the enterprise information systems can be compromised and the severe implications it can have for the organization and the employees themselves. They should especially be trained in identifying phishing attempts and other cyber attack tactics that exploit the human factors in cybersecurity. This training should aim to achieve actual behavioral change in the user base and must be structured to do so, in addition to just building awareness. Evaluating the effectiveness of such training through follow-up testing, such as internally conducted phishing simulations, will help improve future results.
- Isolating internal and external communications: Isolating internal communication networks from external ones, to the extent that is functionally feasible, limits the spread of malware and other infectious elements to critical systems. In addition to isolating networks at the infrastructure level, i.e., physically separating critical systems from external networks, organizations should standardize internal communication protocols that all users must follow. Establishing standard communication channels also avoids confusion and mistakes such as opening malicious links that lead to security breaches. In the scenario above, a simple standing rule that IT never asks for passwords by email would have given Jane an easy test to apply before replying.
- Hacking your own networks: Ethical hackers, or penetration testers, attack networks with the owner’s authorization and without any malicious intent. Organizations can engage them to probe their networks and identify vulnerabilities that were previously unknown to the system owners (not “zero-days” in the strict sense, which are flaws unknown to the software vendor with no patch available). Such assessments can include social-engineering tests that target the human factors discussed above. Identifying possible threats first allows system owners to fix them before they can be exploited by real attackers, and the vulnerabilities or loopholes thus identified should be fixed as early as possible.
The Internet of Things (IoT) now connects every conceivable electronic device, from your smartphone and smartwatch to the national power grid. With every device added to the IoT network, both the risk and the severity of a security failure increase. Now is therefore the time for organizations, business and otherwise, to improve the technological as well as the human factors in cybersecurity.