Human cyber risk: The first line of defence
Patricia Cullen, Head of Financial Lines, AIG Ireland examines the human factor in relation to cyber vulnerabilities, considering the different scenarios that are exploited by hackers and fraudsters
As the cyber threat landscape grows and evolves, the most resilient organisations will be those that tackle the threat on both a technological and behavioural level.
Research about cyber risk often cites human error as a major driver of cyber incidents and of the financial losses arising from them, with widely quoted estimates attributing as many as 95% of all breaches to it.
‘Human error’ implies that people are to blame for cyber breaches. In reality, however, it is inadequate security cultures that make people-centred attacks possible.
It is time to take a new approach to the human side of cyber risk: identify and address the underlying root cause, human behaviour, and examine the ‘human factor’ rather than ‘human error’. This approach recognises the nuances of what is primarily a threat driven by thinking adversaries, offers recommendations and solutions, and does so without stigmatising the user as the culprit.
Here we explore the human factor in relation to cyber vulnerabilities, considering different scenarios in which end users and infrastructure are exploited by hackers and fraudsters. We also consider the different types of human vulnerabilities and how they might be reduced through better awareness and training and a more robust IT infrastructure.
What is the cyber human factor?
The human factor has less to do with actual error and more to do with inadequate security cultures and the exploitation of human behaviour and goodwill. By better understanding ways in which people operate in the workplace, as well as how malicious actors set out to exploit classic human traits, it is possible to identify and address areas of human fallibility.
Social engineering and business email compromise (BEC)
Social engineering is the art of tricking, seducing or scaring/blackmailing an individual into giving away personal or corporate information or taking action, such as authorising a payment.
Perpetrators of BEC typically target individuals with the authority to make or approve payments, including company CFOs. Through social engineering they apply psychological pressure, such as urgency and deference to seniority, to push users into disclosing information or authorising a transfer. A practical control is to verify any request to make a payment or change a supplier’s bank details out of band, by calling the requester on a number already held on file rather than one supplied in the email.
According to the 2019 AIG EMEA Cyber Claims Intelligence Report, BEC has overtaken ransomware and data breach by hackers as the dominant driver of cyber insurance claims.
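As an added illustration of the sender-impersonation tricks behind BEC and phishing mail described above (example code written for this edit, not AIG’s tooling or part of the claims report), the Python below checks a message’s headers and body for four common warning signs: a Reply-To that points to a different domain than From, an executive’s display name on an address that is not theirs, a look-alike of the company’s own domain built from confusable characters, and payment-pressure wording in the body. The domain `example-corp.com`, the executive list and the two sample messages are constructed for the example.

```python
"""Flag common sender-impersonation indicators used in BEC and phishing mail.

Added example: heuristics only, not a substitute for DMARC or out-of-band checks.
"""
import re
import unicodedata
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed for this example: the organisation's own domain and the people
# most often impersonated in payment-fraud mail (display name -> real address).
OWN_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Substitutions attackers use to build look-alike domains. Order matters:
# multi-character tricks ('rn' for 'm', 'vv' for 'w') are folded first.
_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Crude wording typical of payment-pressure requests (illustrative list).
_PRESSURE = re.compile(r"\b(urgent|wire transfer|bank details|new account)\b", re.I)


def skeleton(domain: str) -> str:
    """Reduce a domain to a canonical form so look-alikes collide with the real one."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in _SUBS:
        folded = folded.replace(fake, real)
    return folded


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw_message: str) -> list[str]:
    """Return the list of impersonation indicators found in an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. Replies are silently routed to a domain other than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-mismatch")

    # 2. A known executive's name on an address that is not theirs.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append("display-name-spoof")

    # 3. The sending domain is a look-alike of our own (e.g. 'exarnple-corp.com').
    if _domain(from_addr) != OWN_DOMAIN and skeleton(_domain(from_addr)) == skeleton(OWN_DOMAIN):
        findings.append("lookalike-domain")

    # 4. Urgency or banking-change language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if _PRESSURE.search(text):
        findings.append("payment-pressure")
    return findings


# Constructed sample messages (not real traffic).
BEC_SAMPLE = (
    "From: Jane Doe <jane.doe@exarnple-corp.com>\n"
    "Reply-To: jane.doe@webmail.example\n"
    "To: accounts@example-corp.com\n"
    "Subject: Supplier payment\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please settle the attached invoice today, it is urgent. The supplier has\n"
    "sent new bank details; use those instead of the ones on file.\n"
)

BENIGN_SAMPLE = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: accounts@example-corp.com\n"
    "Subject: Thursday\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Are we still on for the quarterly review on Thursday?\n"
)

if __name__ == "__main__":
    for name, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name}: {analyse(sample) or 'no indicators'}")
```

Run it and the constructed BEC message trips all four indicators while the benign one trips none. Indicators like these are a triage aid for a mail gateway or a user-facing warning banner; they do not replace SPF/DKIM/DMARC enforcement or the out-of-band verification of payment changes that stops the fraud even when the email looks entirely legitimate.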
Home working/quarantine stresses
Around the world, businesses are faced with the growing reality of home working amid restrictions imposed by the Covid-19 pandemic. As they enact emergency business continuity plans, they and their staff are highly exposed to cyber threats and exploitation by malicious actors.
Employees doing their best in a difficult situation are often forced to fall back on personal devices that are less secure at a time when increased stress levels potentially make them easier to exploit.
Personal devices are unlikely to have the same protections as those in the workplace, or the same capacity to monitor activity. Firms therefore need to maintain high standards of IT security and help employees keep personal devices secure, for example by keeping operating systems and browsers patched, requiring multi-factor authentication for remote access and discouraging the use of shared or unmanaged machines for corporate email.
Automatic and unconscious behaviours
Numerous softer factors, such as the natural desire to be helpful, come into play when it comes to end user risks. In many ways, cybercrime is an evolution of more traditional crimes, such as extortion, blackmail and fraud. Although the scale of the activity has grown, the same sort of techniques are used to defraud and manipulate.
From a psychological perspective, engaging in compassionate actions activates the parts of the brain associated with the reward system, with positive feelings then reinforcing altruistic behaviours. It is not just about people making mistakes, as is implied by the label ‘human error’. While large and sophisticated companies spend significant resources on developing technological barriers to cyber threats, are they doing enough from a human behavioural perspective?
Training and awareness are growing. However, people are still clicking on links they should not, particularly as phishing emails become more convincing.
Protecting people from themselves
Addressing the cyber human factor is an essential part of an organisation’s overall approach to putting in place a robust cybersecurity framework. Employers need to consider the psychological levers that cybercriminals pull when they use human behaviours to trick employees into clicking on links and giving away passwords. By understanding how these traits are exploited, it is possible to forewarn staff and implement security protocols.
The onus is therefore on employers to ensure end-users have the knowledge and skills they need to keep themselves and their businesses secure.
Managing internal threats, such as training staff to identify phishing emails, improving password hygiene and protecting the network against unsecured devices, takes time and resources. However, by putting users at the heart of an organisation’s cyber security strategy and gaining buy-in and participation from the various lines of business, cyber security departments can free up time to focus on managing external threats and take a more strategic approach to their organisation’s overall cyber security.
There is a recognition that the IT systems of even the most sophisticated organisations can be breached. Too often, it is not their technology that fails them, but the frameworks and systems (or lack thereof) that have been put in place to protect their people.
Humans naturally want to work at speed – to please their colleagues and to get things done. This leads to a tendency to overlook security processes, particularly those measures that appear to go against productivity, workplace satisfaction and convenience. However, a balance needs to be maintained if companies are to succeed in protecting their staff.
It is time to move beyond the simple catch-all phrase of ‘human error’ and for organisations to understand and address the critical vulnerabilities faced by end users. This means reducing the opportunity, improving company culture and empowering employees with better knowledge and training.
Understanding the different types of cyber attackers and their characteristics can help organisations prepare their workforce to better identify potential threats.
As the cyber threat landscape grows and evolves, the most resilient organisations will be those that tackle the threat on both a technological and behavioural level, working collaboratively across organisations with boards and senior management setting the tone and buy-in secured at every level.
For more information, please contact your insurance broker or visit www.aig.ie/business