Cybersecurity: back to the basics, we are human after all (part 1)
Publié le 19/5/2021
Author : Lisa Ménière, Regional Sales Manager
I have read many articles about different methodologies to turn your information systems into an invincible fortress like ZTNA, SASE and many more. These marketing promises aren’t completely right. Yes, sure, you should protect technologies: On-Premise or Off-Premise, company devices or personal devices, and I am not saying that those offers shouldn’t be considered, what I am saying is that they are forgetting the roots. The part of the iceberg you don’t see. The basics. Call it what you want but let me give you a number: 95% of cyber security breaches are caused by human error. If we want to reduce this number, the best way is to look into human drivers before looking at technology solutions.
I am not a psychologist so I will keep it simple and stick to what we all know: the seven cardinal sins and from that perspective, how they may help us reduce our cyber security breaches. They actually are the framework used by hackers to compromise people – they look into our flaws and turn them into a technology. If the twitter hack was so massive it’s because the hacker knew how to appeal victims, playing on their weak spots, publishing either desperate or provocative messages.
So, let’s have a look into the 7 cardinal sins and see their impact people in their daily work life:
Laziness, slowness, carelessness.
This is your number one enemy, think about all the emails people receive but never read about changing their password or having different passwords. Do they really forget to change their password? Of course not. It was seen as difficult to connect to their portal, it would take too much time and they were thinking they would probably do it later.
What should we do? Use simple technologies that are easy to use, plug and play, work first time, and require limited or no human action. Make sure that there is a reward for each action done, use gamification, or give different rights when all cyber-security tools are properly used.
Over-indulgence, accumulation, excessiveness.
Let me guess, you have a brand-new wonderful ERP Cloud based system and you don’t understand why people still work on Excel files locally saved under the name “confidential_companyXXX_investments”. Well, as humans we need to know that, if we want to, we could open those files, anywhere, anytime, even if the Internet connection is bad. Knowing this makes us feel secure, we think there is nothing between our data and us.
What should we do? Protect all working tools, applications and devices. Avoid working on personal or public devices. Do not forget that a casino was hacked through its connected thermometer and so you could be hacked through your printer. Use secure cyber-security tools, only buy from certified vendors (using Teamviewer as a “remote working tool” put a city’s water treatment system in Florida at risk).
Desire, sensuality, power.
Seduction in a company is all about having relative strength, and so, more data than other teams or colleagues. When people say “Data is the new oil” they can’t picture better hackers strategy but also what most of their employees strive for. People dislike not having access to data, they feel like they are deprived from a position of privilege, while they strive for a certain level of standing. Remove access from someone and that someone will find an even smarter way to get to that place. I have seen trainees, who were with a company less than six months downloading sensitive information from highly secure systems with the consent of their managers and directors that personally gave them their ID and password.
What should we do? Track access and usage of applications – many solutions are now raising alerts when people get their password wrong 3 times in a row or suddenly download several sensitive documents. Using Multi-Factor Authentication (MFA) is also recommended to prevent people having access to too much sensitive data or to prevent people from downloading non-safe apps.
Greed, Pride, Envy and Wrath will be the last cardinal sins that we will review in a next article. Stay tuned !