How cyber attackers exploit human error

Cyber attackers consider every possible vulnerability when trying to gain access to an organisation, and more often than not people are the weakest link. Human error, whether intentional or unintentional, has always been a constant factor in security vulnerabilities. The improvement and wider availability of security solutions and services such as Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDS) and managed security operations centres (SOC) mean that threat actors increasingly try to leverage human intervention in order to bypass external defences and gain a foothold in target systems.

Typically, the initial stage of an attack leverages open-source reconnaissance, which taps into resources such as social media profiles, organisation websites, blogs and other similar sources. This is done in the hope of finding useful information which can be used in social engineering attacks such as phishing.

Uncontrolled user changes in the IT environment can also introduce exploitable vulnerabilities onto the network. This phenomenon is also known as ‘shadow IT’ and is yet another example of how threat actors can take advantage of unintentional user actions.

Once inside the network, threat actors go on to exploit common IT and Active Directory (AD) weaknesses, including insecure configurations, improper account tiering and excessive privileges. Lateral movement, data exfiltration and the deployment of malware are also more likely to succeed in environments where employees do not have an adequate level of security awareness or security hygiene.

Human error as a cyber risk for SMEs

The majority of businesses in Malta are small and medium-sized enterprises (SMEs). Unfortunately, many employees at SMEs pay little attention to cyber security due to a common misconception that cyber attacks only target large organisations, which are more likely to process valuable financial information, confidential customer information or sensitive and valuable intellectual property.

Contrary to this belief, all organisations can be targeted by a cyber attack, no matter their size. Furthermore, SMEs are seen as a more enticing target as they offer a higher risk-to-reward ratio than larger organisations. Unfortunately, due to the nature of their operations and the overall size of the business, SMEs are often unable to afford or justify hiring a full-time security specialist. Such a function is often taken on by the internal IT function, which in turn becomes stretched and overloaded. The combination of these circumstances allows bad user practices to go unchecked within SMEs, providing threat actors with an avenue for attack.

COVID-19 has also presented additional security issues for SMEs to contend with. The pandemic caused a rapid transition from working at the office to a more relaxed home environment. Employees are therefore no longer within reach of the IT team, and this has led to users performing actions which, under normal conditions, would have been checked with IT first.

Criminals have capitalised on this by targeting SMEs, as they are aware that many such organisations are struggling to achieve an adequate cyber security posture under these circumstances.

Ultimately, no matter how much investment an SME may make in the latest security solutions, if the employees do not have the proper training and awareness, attackers will still be provided with an avenue to compromise the organisation by exploiting human error.

SME employee security behaviour to reduce the cyber risk

A number of initiatives may be undertaken to improve the overall security awareness and hygiene of staff and consequently minimise the threat exposure:

  • Cyber Security Culture:
    SMEs should assign management the responsibility of promoting cyber security awareness, and its importance, to all levels of personnel. Culture plays an important role since end-users will often know the right course of action but fail to carry it out because there is an easier way to do things or they simply don’t think it is important. A culture where security is always placed at the forefront will lead to a reduction in human error.
  • Training:
    Much human error results from basic mistakes or inaction. Therefore, organisations should provide regular cyber security awareness training for all employees to ensure they can recognise and deal with the various cyber security threats. Apart from training and awareness, drop-in sessions could be held where staff can get hands-on practical advice and tips. This would ensure that end-users have the knowledge and skills they require to keep themselves and the business secure.
  • Phishing:
    It is often assumed that cyber security threats only concern IT people, leading to a general naivety about the risks and effects of a cyber attack. In fact, many social engineering attacks, such as email phishing, capitalise on this lack of awareness and thus prove to be an excellent vector for initial compromise. SMEs should ensure that their employees are well-versed in the techniques attackers use in phishing attacks, so that they can identify and report an attempt when they encounter one.
  • Shadow IT:
    Due to the rush to move online during the COVID-19 pandemic, many best-practice security configurations were never applied, and a lack of monitoring capability often means that IT teams have very little visibility over the use, alteration and implementation of additional IT resources by other departments and/or staff. This is especially true for SMEs with their limited resources. Such shadow IT used by employees is typically not vetted from a security perspective and could expose the SME to security risks which the IT team cannot identify and mitigate.
  • Passwords:
    SMEs should ensure a password policy is implemented to encourage users to create strong passwords, ensure proper handling and prevent the use of weak and/or re-used passwords. Single sign-on should also be implemented to reduce the number of passwords a user has to remember, along with the use of secure password managers and the enabling of multi-factor authentication (MFA) on key accounts.

The good news is that the majority of cyber risks related to human behavioural weaknesses can be mitigated with appropriate security education, processes and controls. That’s why it is important that employees demonstrate certain security behaviours to help counter the threat of cyber attacks.

Get in touch with our Cyber Security team to find out how we can help you understand security behaviours and improve security culture at your organisation.

Contact us

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Kirsten Cremona

Senior Manager, Digital Services, PwC Malta

Tel: +356 7975 6911