Is It Possible to Fix the Weakest Link in Cybersecurity?
The technology world is full of big promises, including in cybersecurity. Just think about it: how many times have you heard the promise of a simple, fast fix that will solve all your cybersecurity challenges with the click of a finger?
We’ve all heard it plenty of times before – promises of a silver bullet that fixes every cybersecurity problem.
It could be an AI-based solution, it could be a new management tool… and it always comes with that uncompromising promise. But here’s the rub: these tools never fulfill the oversized expectations they create because one of the biggest challenges in cybersecurity can’t be fixed just by throwing more technology at it.
What are we talking about? We’re referring to the human element of cybersecurity. It’s a key component of cybersecurity that can – with an (incorrect) click of the finger – render all your magical cybersecurity tools completely ineffective.
Perimeter firewalls, MFA, and the like are all helpful tools that will mitigate this human factor. Nonetheless, in its ability to invite catastrophe, human behavior reigns supreme over even the most sophisticated cybersecurity tools.
None of this will surprise you
The fact that humans are a weak spot in cybersecurity isn’t news to anyone. Oddly enough, real-world incidents bring us back to the same social engineering theme time and time again.
Rockstar Games and Uber are just two recent examples of companies that probably thought they were safe from social engineering.
Unfortunately, despite the intensive use of cybersecurity solutions, both companies were recently the victims of a cybersecurity attack because an employee was tricked into doing something that would be resolutely against corporate cybersecurity policies.
Take a close look at these successful attacks and you have to wonder whether the person who opened the door had ever heard of cybersecurity best practices.
Neither attack involved anything particularly complicated. In both cases, it came down to a simple social engineering strategy. Something like this: “Bob, I’m from the IT department. I need to quickly run a tool and I need you to click on this link so I can fix something routine on your PC.”
When will we learn…?
Twenty years ago, social engineering was a major tool for cyber criminals – and it still is. It’s almost as if we’ve learned nothing about social engineering in the last few decades.
You could say that it’s predictable that people who work at organizations such as government departments or retail companies could fall for such a trick. However, people working at the world’s leading tech companies should be more immune to social engineering.
Yet it’s two giant tech firms with some of the world’s most intelligent employees that fell for a social engineering attack. You’d think that the employees at Uber and Rockstar Games would simply know better.
Worse, given the size and prominence of both companies, it’s almost certain that the employees who worked there received extensive cybersecurity training. Still, someone, somewhere, in both Uber and Rockstar Games fell for the oldest trick in the hacker’s playbook.
It’s entirely possible that, through some fluke mix of events, the users in question never absorbed a key lesson during their cybersecurity education. Perhaps they were too busy, skipped a lesson… or something else entirely.
However, given how frequently we see a major successful social engineering attack appear in the news, we have serious questions for anyone who still says that they “didn’t know they shouldn’t click on links in emails…”
Consistently reinforcing the message remains the best option
Cybersecurity tools can offer magic bullets for all sorts of cybersecurity challenges – but there’s no magic bullet that takes away the risk incurred by the human element. Users will continue to make mistakes. There will always be that inattentive moment that gives a malevolent actor an opportunity.
No organization is safe from the risks brought on by human behavior – just look at what’s happening at some of the world’s most tech-savvy firms.
Yes, your cybersecurity defense strategies will do their level best to protect your organization, but continuous reinforcement that teaches your users how to avoid accidentally opening a back door should remain a top strategy.
This constant education reinforcement is also important for your technical team. You need to reinforce the importance of permissions management, patching, and the overall consistent maintenance of the organization’s security posture.
At the end of the day, the risk remains: some user, somewhere, accidentally clicks on something they shouldn’t. But, as is always the case in cybersecurity, effective protection is about doing as much as possible to minimize the risk of something going wrong.
Continuous, persistent cybersecurity education is your best bet when it comes to guarding against human error contributing to cybersecurity problems.