The human factor – the biggest information security threat lurks within your organisation

By Simeon Tassev

Johannesburg – While organisations may have sophisticated information security systems and controls in place, the human factor continues to play a major role in making businesses across the globe vulnerable to attack –intentionally or not.

Humans have always been the weakest link in information security, whether it comes down to not following the right process, or consciously bypassing existing security control. This means that organisations’ security environments may not be as effective as they’d like to think.

According to a recent global study conducted by Kaspersky Lab and B2B International, 52% of businesses believe they are at risk from ‘within’. In addition, respondents identified the top three information security fears as issues related to the human factor such as employee behaviour.

Organisations in South Africa usually have a variety of security measures in place, depending on their maturity. Typically, enterprises have two main types of controls in place – boundary protection and endpoint security.

However, the complexity of the information security landscape and the growing sophistication of cyberattacks mean that these two basic controls are far from effective. Furthermore, as a large number of employees are now working remotely, an organisation’s boundaries are no longer easily distinguishable. With cloud-based technologies, these boundaries become even more vague.

Traditionally, companies would have a Local Area Network (LAN) to which various devices are connected and where different systems or applications reside. Employees would connect to these once they arrived at the office.

Drastic different

But that has changed drastically. Most companies now have some cloud-based solutions, irrespective of whether it’s email or collaboration type services, Software as a Service (SaaS) or Platform as a Service (Paas) that employees can access remotely.

All this different cloud-based infrastructure now forms part of the modern IT landscape, and adds complexity and vulnerability to the environment. While many companies were already on a path to digitisation to allow more users to connect remotely, this trend was rapidly accelerated by the COVID-19 pandemic.

This has significantly expanded organisations’ attack surfaces, further exposing them to cyberattacks. Attackers can use a tool to scan a range of networks and identify vulnerabilities. In most cases, they will target visible users who use a permanent connection and fast Internet link to attack an organisation’s network.

It becomes a question of ensuring that organisations have the necessary controls in place to protect their environments. However, human behaviour is a lot more difficult to control and defend against, and employees are typically still susceptible to phishing and impersonation attacks.

While there is a variety of technologies that can be used to assist in mitigating human error, no technology exists that will make an organisation completely human proof. Regardless, there are programmes and controls that organisations should be implementing.

Enforce policies

As a starting point, companies need to enforce policies around endpoint protection and encryption. Beyond that, they can implement controls such as application white listing that allow organisations to control what can and can’t be loaded on a user’s device.

Furthermore, companies should also consider implementing controls for data leakage protection and change detection control, as well as technologies that scan check email contacts, links and attachments for malicious content.

However, many of these measures can be bypassed by employees, so the most effect weapon an organisation can have is a strict security awareness programme, coupled with training and simulations that will ensure that employees know what to do in the event of a potential attack.

Essentially, it comes down to trying to understand the landscape within the organisation and what the potential risks are in terms of humans and trying to mitigate those, while also ensuring that as many preventative controls are in place as possible.

To mitigate the human threat, companies need to stay alert and expect to be attacked, while at the same time being proactive and having information security awareness programmes in place. Lastly, enterprises should align themselves to international standards and engage with the right experts if they need help.

Follow @SundayWorldZA on Twitter and @sundayworldza on Instagram, or like our Facebook Page, Sunday World, by clicking here for the latest breaking news in South Africa. To Subscribe to Sunday World, click here.

Sunday World

Latest News