Updated: 16 November, 2024
According to IBM’s “2014 Cyber Security Intelligence Index,” 95 percent of all security incidents involve human error (IBM, 2014). A significant portion of these security incidents are due to social engineering. Examples of this include humans clicking on malicious links (phishing), opening unknown attachments, or entering personal or confidential information into seemingly friendly and familiar accounts.
Social engineering is a technique used by hackers and intruders to access data or other critical information. This technique exploits the weakest link in information security: humans. By taking advantage of the trusting nature of humans, hackers or intruders gain access to data or secure facilities, either through a phishing email or by tailgating someone into a secure building. Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology rather than by breaking in or using conventional hacking techniques (Mitnick & Simon, 2002).
No matter how robust your organization's security measures are, social engineering will always pose a threat. This is due to the human mind's innate tendency to trust others. Humans are often described as naive, a trait that can be particularly pronounced in certain cultures. For instance, a 2009 survey funded by the European Commission named Norwegians the most naive in Europe, with only 10 percent considered generally skeptical of other people (European Commission, 2009).
Chris Nickerson, a consultant who performs red team testing using social engineering techniques, exemplifies how easily trust can be manipulated. In one of his tests, he wore a Cisco shirt and attempted to tailgate his way into a secure building. By simply asking a smoking employee to hold the door for him, while posing as a Cisco technician, he gained full access to the building and even managed to get his team inside. This example highlights the ease with which one can exploit someone's naivety and willingness to trust others. Therefore, it is crucial to educate employees about social engineering to ensure they are aware of the various techniques that can be used and the dangers these techniques can lead to.
Social engineering tactics will continue to evolve as attackers find more effective techniques over time. Consequently, regularly updating employees on the dangers and techniques of social engineering is essential. Fortunately, there are techniques available to mitigate the risks associated with social engineering. One effective strategy is to reduce reliance on human judgment through technological solutions. Remote Browser Isolation (RBI) is a technology that isolates users' web browsing activity away from endpoint devices, thereby preventing most browser-related attacks, such as phishing, while ensuring accessibility and productivity (Gartner, 2019).
Humans, in general, are often too trusting, even when working in environments where security is paramount. Consultants like Chris Nickerson demonstrate how easily social engineering can be employed, thereby raising awareness among their clients about potential dangers and exploits. By implementing solutions like Remote Browser Isolation, organizations can minimize human error by isolating activity away from endpoint devices. As the landscape of cybersecurity threats continues to change, combining technological solutions with ongoing education will be key to enhancing security measures.