Subscribe to Disclose
Urs Küderli
Partner and Leader Cybersecurity and Privacy, PwC Switzerland
To make a mistake is human, as we all know – even more so in a digital world with supposedly zero tolerance for errors. Modern cyberattackers take advantage of these characteristics and penetrate corporate IT systems through mostly man-made entry points. Read more here about why human behaviour still facilitates cyberattacks, and how companies should mobilise this behaviour to improve their cyber-resilience.
Today, cybercriminals work in a way that’s quick, effective, automated, highly networked and extremely professional. Thanks to the increasing digitisation of information about people and companies, cybercriminals have excellent information about their targeted victims. Through social media, blogs and websites, they can find virtually anything in Switzerland that makes it easier for them to plan and carry out an attack. Who works where, who the company has just hired in the executive suite, what the latest interesting topics are – all information that can be easily retrieved.
Compared to just a few years ago, when cyberattackers stole, sold or misused business data, today they mainly use it as a means to demand ransom money. Attacks involving ransomware (extortion) are one of the primary threats from cyberspace (see box). Attackers know companies in great detail, and know how much money they can demand to force an unprepared company to pay rather than endure the attack and respond appropriately.
Digital Trust Insights 2023
We’re human beings, and this is something criminals take advantage of. However a cyberattack is designed, it often exploits human flaws or weaknesses. Information that individuals and the company as a whole disclose about themselves on digital channels and media represent sources for attackers. What’s more, patchily updated systems, unknown and unmaintained shadow applications and a negative error culture within the organisation all make forced intrusion easier. Below, we turn our attention to the human aspects that make it easier for cybercriminals to enter and work their way through a company’s IT system (see figure).
Human errors and system-related gaps open the door to cyberhackers.
With social media, the name says it all: they are social and media. This means they work because people interact with one another and share and disseminate information. This makes them a perfect El Dorado for cybercriminals, who can tap into two useful sources of information at once:
The rapid advance of social media has put companies in a real dilemma. On the one hand, they need a presence in order to present themselves to employers, investors, customers, suppliers and the general public as a trusted authority and contemporary dialogue partner. On the other hand, they reveal information that makes it easier to carry out personalised and tailored attacks. It’s important for companies to understand that such data is available and that internal information is no longer a secret.
Attacks via phishing email are still the most common access method. With phishing attacks, cybercriminals pose as a trusted communication partner via fake websites, emails or mobile text messages in order to persuade the other party to take damaging action and compromise cybersecurity. As a result, employees perform a transaction, disclose user data and passwords or directly activate malware, for example. Phishing takes advantage of two very human characteristics at the same time: good faith and the desire to get something done quickly. It’s very rare for someone to intentionally click on a malicious hyperlink.
Cyber-resilient companies regularly make their entire workforce aware of phishing and how it’s designed to look. There are various software solutions available that can integrate a phishing alert button into a company’s email application. This is used to automatically check a suspicious email or, in unclear cases, have experts check it and determine whether it’s legitimate, spam or a case of phishing. A quick daily test click on this tool is without a doubt more beneficial than hastily clicking on a phishing email.
Hand on heart: how many different passwords do you have for all your personal and business logins? At some point, creativity simply runs out of imagination and the overview is lost. Most people have a set of just a few simple, memorable passwords. They like to keep them somewhere close at hand, so they can access them quickly and easily. This makes password hacking a piece of cake. Even worse is reusing passwords, meaning that an attack on one system can quickly provide access to several other systems and services.
Just like key management is essential for facility management, sound password management is essential for effective cybersecurity. This is why it’s advisable to have a separate long and secure password for each client user account, which is changed after a certain period of time. It’s also worthwhile deploying tools for the professional management and assignment of passwords and using two or multi-factor authentication as an additional layer of protection. Businesses and individuals are recommended to use a more secure password management solution that allows passwords to be synchronised across multiple devices.
With increasing work mobility and the popularity of home offices and remote working, private end devices like mobile phones, tablets, laptops, routers, scanners, memory sticks and printers are often used for business purposes as well. What’s more, apps or cloud services are also installed on them or they’re used to download business data. More and more, we’re also seeing the use of private storage locations (NAS, cloud) to store or back up business information. This is referred to as shadow IT, because the security of these systems and applications can’t be fully controlled or guaranteed by the company. It can be assumed that employees act in good faith – in other words, they don’t deliberately install insecure or data protection-critical infrastructure and software. Yet shadow IT is widespread, and poses significant security vulnerabilities and increased cyber risks.
Shadow IT also often grows within companies, for example through software and services introduced by the business, such as in the cloud – bypassing the company’s IT and security.
In any case, it’s important to get a clear picture of who’s using shadow IT, how they are using it and what risks are involved. As a result, the infrastructure and programs in use must be checked with regard to their security standards and be officially permitted, or alternatives must be defined. Finally, guidelines and controls should be established and, above all, employees should be made aware of the risks.
“A man who has committed a mistake and doesn’t correct it is committing another mistake.” Although this insight is as old as its originator Confucius himself, it’s still extremely relevant. That’s because a company’s prevailing error culture is critical to its ability to respond to a cyber incident. Anyone who’s afraid of being punished for unintentionally clicking on a harmful link and so doesn’t report it may do more harm to the company than if they were to inform the relevant department immediately. This would enable them to quickly diagnose the problem, get a clear picture of the damage that’s been done and is yet to come, and take appropriate measures to clean up the situation.
There’s no such thing as 100% security. A company must accept that it can’t prevent the ominous click, no matter how trusted the relationship is with its employees. Instead, it should establish a positive error culture. It’s essential that the people concerned report these inadvertent clicks immediately so that the emergency plan developed for this purpose can be activated without delay. In this respect, literally every second counts.
Machines are praised for not making mistakes. In humans, the same can’t be ruled out. Cybercriminals combine these errors with the vulnerabilities of IT systems in order to compromise them. Cyber-resilience is strengthened by involving employees and purposefully managing human behaviour. Here are five simple and practical tips on how to address human vulnerabilities in your organisation.
#social#
Partner and Leader Cybersecurity and Privacy, PwC Switzerland
Tel: +41 58 792 42 21