Article by Dr Fene Osakwe
“A chain is as strong as its weakest link.” This phrase first appeared in Thomas Reid’s “Essays on the Intellectual Powers of Man,” published in 1786, long before there were any conversations about cyber security. Centuries later, it is the phrase that best describes the overall theme of managing cybersecurity risk.
The chain here represents all the elements of an effective cyber security ecosystem, broadly categorized as “Process”, “Technology”, and “People”. Processes are the policies, structures, and procedures we put in place to ensure that security is appropriately governed. I always advise that these processes be aligned to best practice such as ISO27001, COBIT, or NIST. Technology broadly covers the systems, devices, technology solutions and tools deployed to prevent, detect, or respond to cyber incidents. Then there are the “people”: those who execute the strategy, the “people” who write the processes, the “people” who manage the technology, the “people” who have to comply with or flout the “processes”, and the “people” who are the target of various phishing emails. Phishing emails are malicious emails sent by attackers to trick people into falling for a scam; typically, the intent is to get users to reveal financial information, system credentials, or other such sensitive data.
In fact, according to Verizon’s 2022 data breach incident report, 82% of data breaches involve a human element, including phishing and the use of stolen credentials (https://www.verizon.com/business/en-gb/resources/reports/dbir/). This figure is supported by further research conducted by the FBI’s Internet Crime Complaint Center (IC3), whose most recent Internet Crime Report found that phishing, including vishing (fraudulent phone calls), smishing (fraudulent text messages) and pharming (forced redirection to a fraudulent website), is the most prevalent threat.
So, what are some ways to manage the human threat in your organizations? There are several ways, but I will focus on three in this article.
• Training your users – There is a difference between user awareness (which we do to tick compliance boxes) and training. If there were a small fire, for example, a user who is “aware” may know where the fire extinguisher is, but they will not save the day if they do not know how to use it. The trained user not only knows where the fire extinguisher is, they also know how to use it to put out the fire. A generic 30-minute user awareness session or e-learning module is a good starting point, but it has to be part of a more elaborate training calendar on cyber risk for the organization’s staff. These trainings must be bespoke and vary for procurement, finance, legal, HR, IT, executive management and so on.
• Understand your users – We talk a lot about asset categorization, which means knowing which of your information assets are high value and which are low risk. High value refers to systems that act as a warehouse for sensitive information, information whose compromise during a breach would have catastrophic consequences for your organization. Low value refers to systems whose compromise would not have a major impact on the organization. We need to apply the same concept to people. Who are your most naïve users? Who are your high-risk users, based on empirical data? And in comparison, who are the users with access to your organization’s most sensitive systems, the users whose stolen credentials would have severe consequences for your organization?
When it comes to cybersecurity education and training, the approach to training a user with access to your organization’s highly sensitive systems cannot be the same as the approach taken with a user whose access is limited to non-sensitive information. Similarly, if you invest in technology that monitors the activities of your users, the level of observation cannot be the same for these two types of users. It is therefore vital that you properly categorize your users.
• Test the users – Simulating various cyber-attack scenarios (that is, exercising your incident response plan) is not something to take for granted or something that can be ‘outgrown’. If you were to suffer a cyber breach today: Do your users know their role? Who should talk to the press? When speaking to the press, what should be said and when should it be said? Who is to contain the issue? What is the isolation process? What is the first thing I do if I suspect that I have been hacked? Testing and running real-life scenarios, without pre-informing the users being tested, will give you actual figures and data which you can then leverage to improve your cyber program.