Is the Least Educated Employee Your Weakest Link?

Robert Kandra, Senior Advisor, Threat Pattern

Given the growth of the cyber-threat matrix, many IT system operators have found that conventional defenses—firewalls, anti-virus applications, blocking software, and malware detection regimes—are only as effective as their response to the last attack. Porous perimeter defenses can slow system operating speeds and require continuous upgrading to remain effective. Commercial and government operators know well that unless they routinely update their software and operating systems and run the latest versions of the available defensive architecture, they are facing unnecessary risk.

Better technical solutions to minimize the risk to users are coming, and some will focus on the use of identity verification software. We see this already in the dual-authentication regimes used by banks and most financial institutions, but positive identity-link interfaces between you and the person or system you want to reach will improve the automatic defensive posture. This is "trust through authentication" on a grand scale. It also requires active user action to complete the verification process, at least for now.

Until then, the key to a safer enterprise is a system that embraces user education. Much has been written regarding "good computer hygiene" and the insider threat, but a staggering 52 percent of enterprise compromises still originate from bad user habits. Malware, viruses, ransomware, and simple information theft or corruption come from insider/user misuse. Despite this fact, little is done to correct user deficiencies or to sensitize management to the fact that the insider threat may stem from simple incompetence rather than from a directed human penetration of your company or a determined foe working to steal or corrupt data.

Management and leadership at all levels of the corporate and government enterprise need to routinely educate users that they must adopt a defensive posture—at all times. This message is anathema to many organizations that believe they are not, or will not be, targets of a cyber-assault: a mistaken assessment at best, leadership naiveté in the middle, and malpractice at worst. Human-enabled cyber penetration and emplacement continues to be the most efficient way to compromise any target, and it can overcome almost any automatic perimeter defense.

The expansion of social media platforms, their exponential use by everyone from primary school onward, and their adoption by most human resource activities ensure that employees will be on the Internet and on these sites. On "Cyber Monday," when most online shoppers (including your employees) are online, they are surfing alongside the mob of online thieves who know that bogus sites, spam, phishing, and more will reap huge financial rewards. Employees carry the computer habits they use at home and outside the work environment into your business. Why? Because good computer hygiene takes a conscious effort to compartment data, restrict the free flow of information, limit access, and verify users – things most of us do not do at home, with family, with friends, or when shopping online.

Businesses that excel and depend on creativity and cooperation often place a premium on inter-connectivity between divisions and employees. The smooth flow and exchange of ideas—and the products that result from a synchronized workforce—are essential to success. To foster this cooperation, systems are routinely built to allow greater access, encourage the exchange of information across "silos" or boundaries, and focus on what would be "nice to know" rather than "need to know."

Even with mature compartmentation, which we find in virtually all financial and research institutions, users' interaction with the social media domains available at their place of employment continues to be the primary source of compromise for many targets. Numbers remain soft, as compromises go unreported in many cases, but the FBI estimates worldwide losses in the billions annually. This includes direct theft, compromise of data, corruption of data, ransomware, malware, and the costs of reconstituting an enterprise architecture after the attack—more than half of which comes from within.

How do the compromises occur? A download of vacation pictures from a personal thumb-drive into my system so I can email the pictures to Jane in Accounting. Opening an email attachment because I believe it came from my bank, without checking the sender's address. Opening an attachment or responding to an email from the local Police Department inquiring about my wife, who has been hurt, because they need verifying data before they can tell me how she is and which hospital she has been taken to. All these ploys and so many others have been used successfully to insert malicious code into a system architecture through a verified/privileged user. This does not even address the wealth of personally identifiable information available on your social media that enables malicious access to your work systems.

Perimeter defenses, a stable and mature enterprise design, encryption, back-ups, and cloud storage all build redundancy and resiliency in the event of a cyber-attack. Employee education, and an internal reporting environment that rewards diligence, will pay equal or greater dividends in the longer term.

The Author is Robert Kandra

Robert Kandra is a senior advisor at Threat Pattern, an intelligence and security company that provides services to institutions and select families. Previously, he was a senior CIA executive and operations officer, serving 27 years with assignments in cybersecurity, counterintelligence, counterterrorism, and counter-proliferation. During his tenure, he served as Chief of CIA's elite Special Activities Division—as an expert in paramilitary and unconventional operations in high-threat...
