
Staff Security Awareness Is The Basis Of A Secure Business

2nd November 2023

Andy Miles

There are two parts to cybersecurity: people and technology. Neither is adequate without the effective participation of the other. In this blog we’ll look at the role of the user. In the next blog we’ll look at the role of technology.

It is often suggested that the user is cybersecurity's weakest link: breaches almost always trace back to something someone has done, or failed to do. That person could be a technologist who leaves a database exposed to the internet, leaves gaps in the firewall rules, or ships a web page that reflects unvalidated input and so is open to cross-site scripting (XSS). Or it could be an end user who is socially engineered into visiting a malicious site and entering company log-on credentials.

None of these threats is new; they are known and understood. And yet companies continually fall to them. It becomes easy to blame the individual concerned: the technologist who forgot to put authentication and authorization controls on the temporary cloud database, or the end user who clicked a malicious link. This is the wrong approach. The company is as much at fault as the individual, because an individual's failing is usually a symptom of inadequate corporate security awareness and weak basic security hygiene.

Depending on the level of awareness, a staff of 50 could be 50 weak links, or 50 human firewalls.

Supporting the end user

Phishing that steals an authorized user's credentials remains one of the most common causes of security breaches. Credentials are the key to the front door. It doesn't matter how secure the lock, nor how strong the door: if a criminal has the key, he or she can just walk in.

The July 2020 breach at Twitter (now known as X) that led to the compromise of accounts belonging to Biden, Obama, Gates, Bezos, Musk and other celebrity figures was caused by a phone-based spear-phishing attack on Twitter employees. Those employees had access to internal support tools that could act on user accounts.

It follows that user defence against phishing should be a priority. Awareness training is important but not enough. The arrival of generative AI suggests that phishing attacks will become more convincing and more frequent. In October 2023 a study by IBM found that human-written phishing emails were still slightly more successful than AI-generated ones: in the test, the traditional phishing email succeeded against 14% of users, while the AI-generated email succeeded against 11%. But this gap is unlikely to last. As the models improve, quite possibly before the end of 2024, automatically generated phishing campaigns are likely to be better targeted, faster to produce and many times more common than today's attacks, and they will probably be supported by AI-generated deepfake voice and video.

So, while phishing awareness training is essential, the user must also be supported by additional process and technology. Process could include methods of detecting deepfakes, out-of-band confirmation of unusual requests through a channel the recipient already trusts, better reporting procedures and more. Technology could include quarantining suspect emails, blocking communication with known or suspect destinations, and phishing-resistant multi-factor authentication, so that a stolen password alone does not open the door. The purpose is to turn 50 weak points into 50 human firewalls by supporting the user.
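To make the "quarantine suspect emails and block known destinations" control concrete, here is an added example of the kind of triage rule a mail gateway applies before delivery. It is illustrative code written for this post, not a product rule set or the author's own tooling: the protected and blocked domains, the authentication results and both sample messages are constructed, and the lookalike heuristic (homoglyph normalisation plus an edit distance of one on the registered domain) is deliberately simple.

```python
"""Triage an inbound e-mail for phishing indicators before delivery.

Added example: a minimal stand-in for the "quarantine suspect e-mails and
block known destinations" controls described above. Domains, headers and
the two sample messages are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example.com"}      # domains this organisation owns (assumption)
BLOCKED_DOMAINS = {"evil.example.net"}   # known-bad destinations (constructed)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
DIGIT_SWAPS = str.maketrans("0135", "oles")  # 0->o 1->l 3->e 5->s


def normalise(domain: str) -> str:
    """Collapse common homoglyph tricks so 'exarnp1e.com' compares as 'example.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(DIGIT_SWAPS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a registered domain that imitates one we own but is not ours."""
    base = ".".join(domain.lower().split(".")[-2:])   # sso.examp1e.com -> examp1e.com
    if base in PROTECTED_DOMAINS:
        return False
    norm = normalise(base)
    return any(norm == p or edit_distance(norm, p) == 1 for p in PROTECTED_DOMAINS)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> tuple:
    """Return ('quarantine' | 'deliver', reasons) for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # 1. Authentication-Results: a failed DMARC/SPF/DKIM check is the strongest signal.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("dmarc", "spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in ("fail", "softfail", "permerror"):
            reasons.append(f"{mech}={m.group(1)}")

    # 2. Sender domain that imitates ours.
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")

    # 3. Display name carrying a different address: "ceo@example.com" <x@other.test>.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != from_domain:
        reasons.append("display name spoofs a different address")

    # 4. Reply-To pointing somewhere other than the sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_domain:
        reasons.append(f"reply-to domain {domain_of(reply)} differs from sender")

    # 5. Links to blocked or lookalike destinations in the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in sorted({h.lower() for h in URL_HOST.findall(text)}):
        if host in BLOCKED_DOMAINS or is_lookalike(host):
            reasons.append(f"link to {host}")

    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages (not real mail).
PHISH = """From: "it-helpdesk@example.com" <helpdesk@examp1e.com>
To: alice@example.com
Reply-To: helpdesk@evil.example.net
Subject: Action required: password expires today
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

Your password expires in 2 hours. Sign in at https://sso.examp1e.com/login to keep access.
"""

CLEAN = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Menu is at https://intranet.example.com/lunch - see you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        verdict, why = triage(raw)
        print(label, verdict, why)
```

The point of the example is that none of the five checks depends on the user noticing anything: a message that fails DMARC, comes from a lookalike domain and links to one is held before the recipient ever sees it. In a real deployment the deny list and lookalike rules would be fed from threat intelligence and a DMARC reporting service rather than hard-coded.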

Supporting the technologist

The biggest cause of technologist error is time pressure. Companies understandably want more output, faster. That's a given in business. But companies that demand more output must be ready to provide more support, or expect more errors. The need for speed without constraint or controls can be the bane of security.

That support can again come from a combination of process and technology. Process can be procedures designed to eliminate errors and risky short cuts, such as peer review of infrastructure changes. Technology could include more automation of routine deployment and configuration steps, so that the forgotten authentication control on a cloud database is caught by an automated check before it reaches production. (But remember that automation is a tool to be used by, not a substitute for, cybersecurity.) DevSecOps, which builds those security checks into the development pipeline itself, can also speed software delivery without introducing undue risk.

There is a further problem affecting technologists, and especially those in the security team. The non-stop nature of the work, with its sudden alternation between high stress and humdrum tedium, can affect the mental health of security staff. The most common effect is known as 'burnout'. Burnout leads to an inability to focus that verges on indifference, and an indifferent analyst misses the alert that matters. It can be cured but is best prevented. It follows that some form of staff mental health maintenance is an important part of maintaining maximum cybersecurity.

Again, support for the people is support for the security of the company.

Developing a security aware company environment

Human error remains the primary cause of cybersecurity breaches. But human error is inevitable given the complexity, pervasiveness, and pressure of IT and security in the modern business, and the unrelenting and continuous probing of highly organized criminal gangs and persistent individual hackers.

In October 2016, Dr Ian Levy (at the time, technical director of the NCSC and now a distinguished engineer and VP at Amazon) was reported as saying, "If you're told that cyber security attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it, you're going to have a fear response."

The purpose of building a confidently security-aware business is to eliminate that fear; to create a workforce that is neither afraid of nor victim to those winged ninjas. But it is a complex task that needs a coordinated response covering and integrating many different areas. Dabbling in security awareness is not enough. You can train end users to recognize phishing emails, and you can support the technologists so that no exposed database is left without authentication, but this will be undone if you omit training in, and insistence on, strong passwords. If you allow passwords like 'qwerty123', 'password' or 'abc9876', you will be breached. Note that strength here means length and screening against known-weak and previously breached passwords, as NIST SP 800-63B recommends, rather than arbitrary complexity rules that users satisfy with 'P@ssw0rd1'.

The best way to ensure a complete cyber awareness regime tailored to your own business is to partner with a trusted expert in cyber and data security advice and protection: one that will understand your needs, understand the problems, and design and deliver the necessary training and support for all parts of your company. Security awareness is not a throwaway phrase; it is the basis for operating a secure business.