Beware the Human Factor in Network Security
The digital revolution that began in the final decade of the 20th century has changed the nature of our own lives and the world around us. The interdependent global marketplace is now defined by the Internet.
Criminals have begun to realize this vast new digital arena is ripe for exploitation. Cyber criminals have become the bane of IT managers everywhere.
The consensus of analysts is that digital networks are fragile and extremely vulnerable to security infringements. However, technology weaknesses are not the main problem. The human factor in network security can cause more problems than technical deficiencies in many cases.
Criminals have learned to exploit the human factor to perpetrate their crimes.
In order to adequately protect your networks, it is crucial to understand the security issues that users can cause. By doing so, you will be able to implement better policies and procedures to minimize the risks to your network.
Impact of digital technology on society
When thinking about all the ways in which modern society utilizes technology, you must first understand the cyber security risks at the broader, societal level. There are two large entities that use technology to store our personal information and to conduct their own affairs: governments and enterprises.
Western democracies, oligarchies, dictatorships, theocracies, and any other form of government use digital networks for a multitude of purposes.
In the U.S., for example, the government uses digital technology to manage virtually all aspects of our infrastructure, defense, and other items related to living in the modern world.
Social security checks, TSA no-fly lists, Pentagon internal security, intelligence, FEMA response, and just about everything done or attempted by the U.S. government involves digital networks.
Enterprises and digital
Companies are no different from the government regarding their reliance on networks. Every day millions of private transactions occur on interconnected systems that track your personal financial information (for example, swiping your credit card to purchase a product).
Firms utilize servers and networks to store information concerning their employees’ private data as well as information related to corporate finances.
Risks and the human factor
Humans created these networks and humans run them. This makes our systems extremely vulnerable to human error. This vulnerability is not rooted in the technology itself. Rather, the risks stem from the human users who operate these systems on a day-to-day basis.
TechTarget defines social engineering as, “a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” Most experts believe this is the greatest security threat to networks today.
Social engineering, in simplest terms, is telling an individual exactly what they want to hear. This makes the human factor an even greater security risk.
With just a few pieces of information, cyber thieves can easily prey upon the ignorance of the person on the other end of the screen or phone to obtain the exact information they need to carry out their nefarious activities.
Ramifications of social engineering at the macro level
Because millions of consumers do all of their banking online, they consider the technical security used by the banks as the litmus test of how secure their information is.
However, social engineering is the real threat. A cyber thief who uses Facebook or some other form of social media to trick someone into providing one small, key piece of information about themselves can, for example, easily use that personal data to call a banking hotline and impersonate the individual. Doing so will allow the thief to garner more information about the person and access their online financial accounts.
All the anti-virus software and firewalls used by the bank are meaningless.
No matter how robust the technical security, human weakness is the real threat to network security.
The buck stops here
Social engineering exploits the ignorance or laziness of users too. The IT security staff can only do so much. Users have a responsibility to understand the risks and to understand and follow good security practices.
Governments and corporations have a duty of care to ensure that their personnel are properly educated and trained in user responsibilities for IT security. Technology alone cannot protect a system.
Low tech and the human factor
Many criminals use clever psychological tricks and other ruses, via email or even by phone, to con users out of system passwords or information on network setups that can assist the crook in accessing a network.
Access control is another area where the human factor can adversely affect network security. For example, if an office is open to the public or if visitors can roam unescorted in an office area, this leaves ample opportunity for cyber crooks to use company computers already unlocked and connected to the network.
Employees who do not practice good IT security may leave passwords and other materials out in the open and available.
Social engineering at the micro level
Individuals, not firms or governments, are easy to manipulate using social engineering techniques. Given the overall lack of knowledge in the general populace regarding secure networks, it is simple in many cases for cyber criminals to hack into networks.
Individual consumers and their secure networks are highly vulnerable to viruses such as a Trojan horse. Hackers can send links to the emails of millions of technology users. These links can be cleverly disguised, and with one click, a cybercriminal can have access to a vast amount of personal information.
These viruses proliferate throughout the Internet due to the lack of security training and education and the ease of exploiting human gullibility.
Lures of free downloads and other amenities play on the very human desire for “something for nothing.”
Many people believe that clicking on those links cannot cause any harm.
Lack of priority
Another problem associated with the human factor in network security is prioritization.
Companies, when faced with compromising economic times or forecasts, view cyber and network security as an additional, unnecessary cost and, therefore, will not invest greater resources into network security education and training.
Companies and governments are most vulnerable on a human level when it comes to protecting their digital networking. However, the amount of time, effort and funding enterprises and governments put into protecting digital networks is woefully inadequate.
When analyzing IT security budgets, it is clear that much of the money allocated goes toward enhancing the security of a network internally through technological fixes.
However, investing in firewalls instead of training users often increases rather than decreases the vulnerabilities of networks. Relying only on technology for security is a serious misallocation of IT security funds.
Cyber criminals understand this. They will target the human factor rather than attempt to break codes or develop malware or technological workarounds to penetrate a network.
When it comes to facing cyber criminals, many employees and officials, even those assigned to IT departments, understand their shortcomings regarding IT security. Most organizations rely on IT consultants and analysts.
However, the consultants and analysts hired tend almost always to be strictly technology experts. They have little interest and little experience in the training and education of users.
In fact, most technology gurus are not interested in providing personal instruction in good cyber security practices and procedures. These experts know and understand the technology, but grow easily frustrated at the lack of knowledge most people possess.
The inverse relationship between users and knowledge
The relationship between the number of consumers using digital products and the understanding these consumers have of how the systems work has become inversely proportional.
In other words, the number of individuals using technology has skyrocketed while knowledge of and interest in how it works have declined.
Business owners and supervisors must instill in their workforce a sense of ownership in network security. However, establishing a sort of corporate police state to strictly enforce network security policies is not necessarily the best solution.
Users and the IT security staff must work together. This takes not only classes and briefings for new employees but also continuing education for all staff.
Enterprises should foster a business culture of cyber awareness. Your staff must not only be cognizant of network security standards and practices but also make good security practices a matter of routine.
Companies should set clear expectations and goals related to the human factor in network security. While it is important to discuss and to be knowledgeable on technical security defenses, it is equally important to understand the behavioral steps an individual can take to minimize the IT risk.
You can negate the adverse effects of the human factor in network security by modifying behavior and putting equal time and effort into training and education revolving around practices and procedures as well as anti-virus software and firewalls.
Educating your users creates a human firewall. Raising awareness and providing your employees with the understanding and skills necessary to avoid compromising your systems will help create a culture of cyber awareness.
If cyber awareness is a recognized and essential part of your corporate culture and even your brand, you can help negate or, at least, minimize the damage in the event of a hack.
Ultimately, the human factor plays a vital role in the security of a network. Many analysts within the industry deem it to be the largest threat to the sanctity of our digital infrastructure. When considering network security, focus not just on the financial cost of a potential breach, but also the effect a breach would have on your brand.