When it comes to assessing the potential weaknesses in your business’ cyber security strategy, one element that you need to pay particularly close attention to isn’t the technology – it’s the people using it. People are usually referred to as the weakest security link of a network.
It shouldn’t come as a surprise to anyone to learn that employee actions are among the biggest causes of data breaches. Indeed, according to one analysis by security firm CybSafe, as many as 90 per cent of data breaches reported to the Information Commissioner’s Office in 2019 were at least partly down to human error.
People are unpredictable, will usually favour convenience over security and, even with the best will in the world, are always prone to mistakes. Therefore, no cyber security strategy is complete without a comprehensive plan to safeguard a network from its own users, from frequent training to restrictions on what employees can and can’t do with business data and applications.
Tackling the social engineering weaknesses
One of the biggest problems to tackle is the threat of social engineering, or criminals tricking users into handing over sensitive data. This is often a highly effective method of accessing a network, as it does not require much technical knowledge and, if done effectively, can bypass even the most well-protected systems.
Among the most common social engineering threats to businesses is ‘phishing’, which aims to entice users into downloading malware or entering sensitive login details on a fake website. These come in many forms, but usually urge the recipient to take action that involves handing over confidential details.
There is also the more sophisticated ‘spear phishing’ threat to contend with. This works by targeting individuals with more specific, personalised messages in order to improve the odds of success. After all, if an email appears to be directed at you personally and seems to come from someone you know, you’re naturally less likely to be sceptical of it.
Other common user errors criminals can take advantage of include people’s habit of choosing weak or repeated passwords. Despite continued warnings, many users will persist in practices such as reusing passwords or choosing easily-guessed login details, which can be a gift to any cyber criminal.
The right solutions to tackle human errors
Dealing with these threats requires a range of IT security solutions, with both technology tools and specific security training being must-haves. And you need to make sure that whatever messages and practices you’re focusing on are sinking in.
For example, when it comes to the problem of passwords, traditional approaches such as requiring frequent changes and mandating the use of numbers and special characters are unlikely to be effective. Such rules mostly frustrate users, who struggle to come up with memorable passwords that meet the criteria and so fall into bad habits, such as reusing existing passwords with minor changes.
Instead, the use of password management software, which can create and remember complex, unique credentials, is likely to not only be more secure, but also more user-friendly.
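To make the contrast concrete, here is an added example (not code from the original article) that puts a legacy composition-rule policy beside a length-first policy with a denylist, and shows what a password manager does for the user by generating a random, unique credential. The function names, the folding of "minor change" variants and the small denylist are all constructed for illustration; a real deployment would load a breached-password corpus instead.

```python
"""Added example: two password policies side by side.

legacy_policy() enforces the classic upper/lower/digit/symbol checkbox.
modern_policy() follows the article's point: favour length, reject credentials
that are trivial variants of a known-weak password, and leave generation to a
password manager (generate_credential()). All names and the denylist below are
constructed for this example.
"""
import re
import secrets
import string

# Constructed placeholder for a breached/common-password corpus (not real data).
COMMON_PASSWORDS = {
    "password", "p@ssw0rd1!", "welcome1!", "summer2019!", "qwerty123",
}


def legacy_policy(pw: str) -> bool:
    """Composition rule: 8+ chars containing upper, lower, digit and symbol.

    Accepts predictable substitutions such as 'P@ssw0rd1!' and rejects a long,
    memorable passphrase that happens to contain no digit.
    """
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def _normalise(pw: str) -> str:
    """Fold the usual 'minor change' tricks so that 'Summer2020!!!' and the
    denylisted 'summer2019!' collapse onto the same entry."""
    folded = pw.lower()
    # Drop the trailing digits/symbols users bump when forced to rotate.
    folded = re.sub(r"[\d!@#$%^&*.]+$", "", folded)
    # Undo common leetspeak substitutions.
    folded = folded.translate(
        str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})
    )
    return folded


def modern_policy(pw: str, min_length: int = 12) -> bool:
    """Length-first policy with a denylist: no composition rules, but short
    credentials and trivial variants of known-weak passwords are rejected."""
    if len(pw) < min_length:
        return False
    if pw.lower() in COMMON_PASSWORDS:
        return False
    normalised = _normalise(pw)
    return all(_normalise(bad) != normalised for bad in COMMON_PASSWORDS)


def generate_credential(length: int = 20) -> str:
    """What a password manager does for the user: a random, unique credential
    drawn from the OS CSPRNG, so there is nothing to remember or reuse."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(pw: str) -> dict:
    """Verdict of both policies on one candidate password."""
    return {"legacy": legacy_policy(pw), "modern": modern_policy(pw)}


if __name__ == "__main__":
    candidates = [
        "P@ssw0rd1!",                     # passes the checkbox, on every denylist
        "Summer2020!!!",                  # rotated variant of a denylisted password
        "correct horse battery staple",   # long passphrase, fails the checkbox
        generate_credential(),            # manager-generated, unique
    ]
    for candidate in candidates:
        verdict = compare(candidate)
        print(f"{candidate!r:>34}  legacy={verdict['legacy']}  modern={verdict['modern']}")
```

Running it shows the two policies disagreeing in exactly the way the paragraph above describes: the composition rule waves through the predictable variants and blocks the passphrase, while the length-plus-denylist check does the reverse and accepts the generated credential.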
When it comes to training, it’s also not enough to explain your employees’ responsibilities once. You need to be frequently repeating and revising sessions, as well as running tests to ensure the messages are getting through. This could range from quizzes to test scenarios, such as sending your own ‘phishing’ emails to employees to see who still falls for them.
Ultimately, it won’t matter how much you spend on technology solutions if your staff aren’t fully cyber aware. But with the right training strategy and technical support, you can ensure you’re minimising the risks posed by the weakest security link.
Find out more about what you can do to improve your firm’s cyber security in our Cyber Security White Paper.