Changing the security paradigm

Editorial Type: Feature     Date: 09-2015





Serena Gonsalves-Fersch, UK Cyber Academy Lead at KPMG, explains that making everyone responsible for cyber-security requires training for all

The hardest part of any hack is gaining access to your target's network. Nowadays systems are more secure than they have ever been thanks to complex firewalls, intrusion detection systems, audit logs, and other technical controls that provide a level of security that has not been previously seen. But what happens when a hacker can simply step around these security features?

Back in 2008 a USB storage device was left in the parking lot of a US Department of Defence facility in the Middle East. An overly curious employee of the facility found it and plugged it into his laptop, leading to one of the biggest cyber breaches the US government has ever seen.

The unpredictability of human behaviour introduces an inherent risk into any system, one that technical controls alone can rarely mitigate. This US Government breach is just one example of hackers successfully using humans to gain access to secure systems, and a quick search reveals many more.

But this risk can be mitigated. More recently DSM, a Dutch multinational chemical company, reported a similar attempted network breach. Again a USB device was left in the car park at one of their offices, but the employee who picked it up handed it straight in to IT, where it was found to be loaded with malware.

In today's world everybody shares responsibility for each other's safety in the workplace. Companies ensure mandatory health and safety training is undertaken by every employee, from the CEO down to the work experience interns on short placements. Is there not a parallel to be drawn between this and cyber security?

After all, one mistake by an employee, one wrong click, can lead to a breach that may leak the details of every employee in the company - and the cyber risk introduced by both the CEO and the intern's use of the corporate network has a potential impact that stretches far beyond them. So it seems reasonable that the established shared responsibility for each other's physical safety in the workplace should also extend to each other's cyber safety and security.

Employees need to be made aware of this and encouraged. Just like health and safety training, company-wide cyber training and awareness programmes need to be developed and delivered to mitigate the cyber risk. And just like health and safety training, security training should be more than just learning about facts. Security training must change people's behaviours.

Companies need to create a culture of security. In the same way that a person may be challenged for blocking a fire escape with a cardboard box, a person should be challenged for not wearing their company ID. Security needs to become business as usual, part of the daily routine. Individual employees should be aware of the risk to themselves and their co-workers of using unencrypted USB sticks, or of the risk that an unknown USB stick could present. It needs to become the norm to verify emails before links and attachments are opened.

In order to achieve this, security training has to be structured, measurable and frequent. Awareness programmes need to be put in place with full support from senior management. Cultures of blame need to be removed and replaced with cultures of development. Every employee that has access to the corporate network, whether they are IT professionals or administration staff, needs to be included in training and awareness programmes in the same way they are included in health and safety programmes.

People and human error are an inevitable and inherent risk in any system. This risk can however be contained, but it needs to be met with awareness and backed by training. Ultimately, cyber security is everyone's responsibility.
