Human error: leading cause of cybersecurity breaches — study
A new worldwide study cited by leading DDoS Mitigation service provider IPC reveal that a lack of skills among employees is a critical barrier holding enterprises back from implementing threat management more effectively.
Conducted by the CyberEdge Group and IPC’s cybersecurity services partner Imperva Incapsula, the 2018 Cyberthreat Defense Report's 1,200 respondents showed that lack of skilled personnel and low security awareness among workers are the top two barriers that inhibit companies from adequately defending themselves from cyber-attacks.
The study was conducted in organizations with more than 500 employees in countries across North America, Europe, the Middle East, Latin America, Africa, and Asia-Pacific (APAC). Some key findings in the APAC region include organizations in China and Japan leading all respondents in believing that they will be compromised by a successful cyber-attack this year, Chinese companies being the world’s leading victim of ransomware, and the position of IT security architect/engineer being the hardest to fill in Japan, China, and Singapore.
“Threats are constantly evolving and the chances of being attacked are increasing significantly as enterprises everywhere integrate new web-facing technology into their day-to-day systems. New types of attack methods are always emerging, and a single employee oversight can make or break a company. This study reveals how it is imperative to keep pace with the threat landscape as it evolves and continue educating ourselves on the latest attack methods,” said Niño Valmonte, IPC’s Director for Marketing & Digital Innovation.
Human error, negligence as top risk
The revelation that the lack of employee skills is a main inhibitor to effective cybersecurity is in line with the study’s other findings. When asked on what type of attack companies are most concerned with, the respondents’ answers revealed that the top three are Malware, Ransomware, and Phishing — threats that commonly enter a computer through the negligent actions of the user.
These three attacks are often spread through spam emails that contain malicious attachments. Opening the email will end up installing the threat into a computer. What’s more devastating about this is that once installed, most of them are programmed to automatically send themselves to the mailing list of an infected computer, thereby spreading itself further. Other common sources of the top three cyber threats are malicious files hidden inside downloaded files and software, and through a method called drive-by downloading, which occurs when malicious programs are automatically downloaded by visiting an infected website.
“Cybercriminals often use trickery to get people to unknowingly download malicious files. This can be an email with a file attached that tells you it is a receipt for a delivery, a new tool for a web browser, or even a bogus antivirus program that has malware hidden inside. These are just a few examples of how attackers can infiltrate a network that every company and its employees must know about,” said Valmonte.
Making cybersecurity education a priority
In order to avoid these threats, IPC recommends that businesses conduct constant training in order to instill the right skills, awareness, and the “cybersecurity culture” required in workers to fight against new and evolving threats.
“Cybersecurity education needs to be an integral part of the workplace culture, it doesn’t mean hosting a one-time course or seminar, it means making security a collaborative, continuous cultural initiative that will take up a lot of time but is a good investment in the long run with the fate of a company at stake.”, Valmonte adds.
According to IPC, organizations must first ensure that cyber security awareness and organizational security procedures are well established not only through periodic vulnerability assessment of their network and critical systems, but also in the mind-shaping of employees’ right from the induction and training process. In line with this, Valmonte recommends executives and middle managers to foster a culture of workplace security by talking to their respective teams about the following as a start:
Practices in keeping a computer clean, including sensibly limiting the programs, apps, and data that can be downloaded and installed, and speaking up whenever a computer exhibits strange behavior;
Using long, strong passwords that has the combination of uppercase letters, lowercase letters, symbols, numbers, and changing them routinely;
Recognizing and deleting email messages with suspicious subject lines and links;
Constant and consistent backup of files and/or applications;
“By starting with these steps, a company can already drastically reduce the installation of malicious programs within their network,” said Valmonte.