In the first of his regular information security columns for Security Middle East, Daniel Norman, senior solutions analyst at the Information Security Forum (ISF), looks at how criminals exploit the ‘accidental insider’.
Profiling and understanding key threats posed to an organisation is a core component of security. For too long, organisations have focused on traditional threat actors, such as nation states, organised criminal groups and malicious insiders that are typically well funded or highly motivated to cause harm.
In stark contrast, the most prolific threat to any organisation actually comes from inside the business. It enters the organisation quietly, without any intent to cause harm, in the form of “accidental insiders.” These are employees who make a mistake at work or in daily life that results in a security incident, or that gives an attacker an opportunity to compromise the organisation. Organisations across the globe experience thousands of security incidents daily that were caused by individuals who never meant any harm, and that could have been avoided.
In 2019 the proportion of data breaches attributed to human error rose from 88% to 90%, highlighting that even with no motivation to cause harm, employees can have a significant negative impact on organisations. Anyone in the business can be an accidental insider, from C-suite executives to secretaries: all humans share a range of psychological vulnerabilities that can lead to errors and thus trigger a security incident. Errors such as sending an email containing sensitive information to the wrong address, not challenging a person who enters a building without the right credentials, or leaving a company device on public transport can all cause significant financial, operational or reputational damage to a business. As a number of global attacks have demonstrated, all it takes is one small mistake to grow into a large data breach or incident. So why are so many organisations still struggling to combat this threat?
Currently, many enterprises take a technology-centric approach to security, implementing CCTV, user behaviour analytics, firewalls or perimeter fencing. These capabilities detect or contain an incident after the mistake has been made; they do little to stop an employee from making it in the first place. What is missing across many organisations is a human-centred perspective of security: an understanding of human behaviour and of the situations and techniques that trigger an individual to make an error.
Human behaviour is complex and can be influenced and manipulated in a range of ways. All humans have fundamental psychological vulnerabilities that surface during times of heightened pressure or stress and that impair decision-making in the moment.
In these situations, employees tend to make quick, subconscious decisions without rationally thinking about the consequences of their actions. Individuals act on impulse, taking mental shortcuts to finish a task in the fastest time possible. Such decisions are typical when an employee is under a deadline from their manager, stuck in traffic, or dealing with a personal problem at home. These situations arise naturally, without any involvement from criminals, and they raise the likelihood that mistakes will be made.
For millennia, attackers have also used subversive and manipulative techniques to evoke particular responses from their targets. With the digital era the techniques became more sophisticated, cheaper and more scalable, allowing attackers to target individuals or groups at scale. Spear phishing is the clearest example: targeted messages that borrow the identity of a colleague, supplier or executive to establish credibility with the recipient, then use that credibility to extract valuable information or persuade the target that a request is legitimate. These messages arrive by email, text message and social media, meaning employees can be approached at any time of the day. The believability of these attacks is frightening, and without the right training and tools at their disposal, employees will always be vulnerable.
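The two levers a spear phish pulls are the ones described above: a sender that looks credible, and pressure to act before thinking. The following script is an added example, not code from the column or from the ISF, that makes those cues concrete by checking a raw email for a typo-squatted or lookalike sender domain, a display name borrowed from a known colleague, a Reply-To that diverts answers elsewhere, and time-pressure or sensitive-request wording. The trusted domain, the known colleague, the phrase lists and both sample messages are constructed for the example and stand in for whatever an organisation would maintain itself.

```python
"""Surface the cues a spear-phishing mail relies on: a credible-looking sender
and pressure to act fast. Added example; stdlib only, all data constructed."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_PEOPLE = {"alice chen": "alice.chen@example-corp.com"}  # display name -> real address

PRESSURE_PHRASES = ("urgent", "immediately", "right away", "within the hour",
                    "before end of day", "asap", "do not discuss", "keep this confidential")
ACTION_PHRASES = ("wire", "bank details", "gift card", "password", "invoice", "attached form")


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the typical typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain, trusted_domains):
    """Return the trusted domain this sender domain imitates, or None."""
    if domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        if edit_distance(domain, trusted) <= 2:          # examp1e-corp.com, example-corp.co
            return trusted
        if trusted.split(".")[0] in domain.split("."):   # example-corp.secure-login.net
            return trusted
    return None


def body_text(msg):
    """Plain-text body, joined across parts if the message is multipart."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")


def assess(raw_message, trusted_domains=TRUSTED_DOMAINS, known_people=KNOWN_PEOPLE):
    """Return (score, findings) for a raw RFC 5322 message; higher score is more phish-like."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    findings = []

    imitated = lookalike_of(from_dom, trusted_domains)
    if imitated:
        findings.append(f"sender domain {from_dom} imitates {imitated}")

    real = known_people.get(name.strip().lower())
    if real and addr.lower() != real:               # borrowed identity of a known colleague
        findings.append(f"display name '{name}' belongs to {real}, not {addr}")

    if reply_dom and reply_dom != from_dom:         # replies diverted to the attacker
        findings.append(f"Reply-To goes to {reply_dom}, From is {from_dom}")

    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    pressure = [p for p in PRESSURE_PHRASES if p in text]
    if pressure:
        findings.append("time pressure: " + ", ".join(pressure))
    actions = [p for p in ACTION_PHRASES if p in text]
    if actions:
        findings.append("sensitive request: " + ", ".join(actions))

    return len(findings), findings


# Constructed sample messages: a CEO-fraud style spear phish and a benign mail.
PHISH = """\
From: Alice Chen <alice.chen@examp1e-corp.com>
Reply-To: alice.chen@mail-relay.example.net
To: bob@example-corp.com
Subject: Urgent - supplier payment before end of day

Bob, I'm in a board meeting and can't talk. Please wire the attached invoice
immediately and keep this confidential until I'm back.
"""

LEGIT = """\
From: Alice Chen <alice.chen@example-corp.com>
To: bob@example-corp.com
Subject: Q3 planning notes

Bob, here are the notes from this morning. No rush - pick it up next week.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        score, notes = assess(raw)
        print(f"{label}: score {score}")
        for n in notes:
            print("  -", n)
```

The point of the score is not to replace a mail gateway but to show an employee, in the moment, exactly which of the cues they were trained on are present in the message in front of them; the phish sample trips all five, the benign mail none.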
Knowledge of the techniques attackers use to manipulate outcomes, and of the stressful situations employees may find themselves in, should be built into security awareness across the organisation; training individuals to manage their own stress levels is also imperative. Security awareness, training and education must not be undervalued, and must not have their budgets cut in favour of more glamorous technical solutions.
It is clear that technical controls and wider investment in preventative controls can only do so much when it comes to preparing individuals to manage the threats posed by their own behaviour. Historically, human behaviour has caused significant damage to organisations, so a more progressive approach to managing these threats is needed. Once security is understood through the lens of psychology and behaviour, organisations will be better positioned to manage and mitigate the risk posed by human vulnerabilities.