Human Beings are the Weakest Link in the Data Protection Process
In 2003, US companies faced $40 million in losses in unauthorised use of computers by employees
You are only as strong as your weakest link. That is true in every scenario, and more so in an organization. In the People-Process-Technology triad it is people who hold the other two up, and people are also the most unpredictable element as well as the weakest. That weakness shows up as compromised data security.
So what makes the human being so fragile, especially in an organization, when it comes to security and data protection? And why do security and data protection depend on people? A study found that 78 percent of respondents attributed endpoint security incidents mainly to employee negligence, and that the average organization experiences 9.3 insider threats per month. The same study showed that 90 percent of organizations faced at least one insider threat per month.
Human error or malicious intent?
The first step in addressing the human element in cyber-security is a willingness to identify and acknowledge the problem. Awareness of the threat landscape is a major gap that needs to be filled. The recent Bangalore OTP theft case was a classic example of a human being acting as the weakest link. Cyber fraudsters tricked people by claiming to be calling from their banks and offering free upgrades on their cards. In the process the fraudsters obtained the full card details and the OTPs as well. In some cases the fraudsters also sent victims a malicious link by SMS and asked them to click on it; the link delivered malware, social engineered onto the device, that forwarded the victim's OTP directly to the fraudster's system.
People lost lakhs of rupees by falling victim to this scam. Such examples point to the fact that people need to be aware of their current threat landscape and be prepared to defend against it. They should by now be able to recognise the different ways in which cybercriminals attack and not fall for them. The same goes for companies and businesses, big and small.
Some mistakes may cost a company dearly. But deliberate, malicious acts cost more than money alone. Irrespective of how strong the firewalls, intrusion detection systems, cryptography or anti-virus software are, in the end it is people who are in control.
The second type of attack is perpetrators targeting gullible employees for IP theft (theft of source code, contractual information, employee details, client details and other confidential data); to demand ransom by encrypting data and files; for corporate espionage or blackmail; to malign the public image of the firm; or to disrupt a service and thereby cause substantial damage on a large scale.
The third type of attack is social engineering aimed at various verticals. Social engineering is the act of exploiting human behaviour to fulfil malicious intent. In 2016, around 60 percent of businesses were caught by social engineering attacks. BFSI, healthcare, consumer internet, telecom, cloud services and e-commerce companies, that is, companies with large volumes of customers, are seen as the most vulnerable and are major targets of hackers seeking to capitalise on the negligence of employees.
Security is a nebulous idea, difficult to measure and harder still to quantify, though the basket of technical countermeasures available to protect information and computer systems has certainly widened in the past 10 years or so. Cyber attacks and data fraud or theft were listed in the top five of the World Economic Forum's 14th edition of the "Global Risks Report 2019". Most enterprises today are generally protected against only Gen 2 and Gen 3 viruses. Security of data is the need of the hour. Data protection is preserved by encrypting data and files, and if employees are purported to be the weakest security link, then with proper training they can become the best layer of defence, since theft by cybercriminals is often not carefully planned. Around 35 percent of companies stated that employee mobility was a large factor, with theft of laptops and mobiles among the main causes of data breaches, while 8 percent cited external attacks as a cause of data breaches.
One aspect for sure is the trust placed in employees. A motivated employee is the best asset an organization can have. Creating awareness, training and education, people risk assessment, vulnerability assessment and penetration testing (VAPT), employee incentives (rewards and recognition), audits, cost-benefit analysis, and behavioural analysis research to properly understand people: all of these reduce risk for companies.
Security threats are in constant flux, evolving to make that final breach. Leadership must respond to human vulnerabilities and must evolve in step. Obstacles need to be overcome to ensure the integrity of the organization. Enterprises that do not give priority to proactive security awareness or risk assessment are doomed to spend hefty amounts mitigating the PR nightmares that follow scandalous data breaches.
Till then we just need to be aware, constantly on the look-out, and hope for the best. There cannot be 100 percent security, and there is nothing we can do to prevent every theft, deliberate or inadvertent, but we can be aware and increase our personal diligence towards security. If the White House, NATO, the FIFA World Cup and the Olympics can be targeted, it is a miracle if we remain safe.