2017 is shaping up to be the year of the cyberattack. The first half of the year has already seen the world baited with a global phishing scam and brought to tears by the WannaCry ransomware offensive. Meanwhile, more targeted strikes exposed proprietary data of corporate power players such as Chipotle. Even organizations yet to fall victim to cybercrime have been forced to reassess their IT infrastructure for potential vulnerabilities in light of the recent onslaught. While the magnitude and frequency of digital deviance clearly indicate a systemic problem in cyber security, RainKing’s preliminary findings suggest that information security solutions may not be as deficient as the hacks make it appear. Simply put, in many organizations, the problem is the people.
While last month’s cyberattack on the British Parliament was widely reported as the latest in a string of crippling security failures to ravage the UK this year, in actuality, the relative containment of the event represents a success for Parliament’s security systems and processes. Only about 90 of over 9000 accounts on the parliamentary network were compromised by the strike. Per a statement issued by a parliamentary spokesperson, the affected accounts were vulnerable “as a result of the use of weak passwords that did not conform to guidelines issued by the Parliamentary Digital Service.” In other words, the organization’s existing security policy successfully thwarted the attack when correctly followed. While Parliament is currently reassessing multiple facets of its security strategy in light of last week’s incursion, the first change made was to increase user account security, essentially restricting the ability of individual users to deviate from organizational policy.
According to RainKing’s recent cybersecurity research, a similar user-centric approach to threat management is fast emerging across industries and continents. In response to the WannaCry attacks, 53% of respondents to RainKing’s security survey said their organizations were investing in security training for employees, compared to only 42% who confirmed plans to invest in additional security safeguards. Additionally, 16% of respondents indicated their organizations were implementing changes to their mobile device policies specifically in response to the recent wave of malware attacks. Should threats continue to materialize at the current pace, many others will likely follow suit. That means less freedom for employees to log on to company networks from any device anywhere, and do anything.
John Clarke, an Application Systems Manager at Ireland’s Belfast Health and Social Care Trust, tells RainKing that his organization is in the process of tightening its controls to mitigate user carelessness. “We need to make the user more aware of what’s happening,” Clarke explains. “A lot of them don’t really understand that, and if they get an email, even if it looks suspicious, they still open it, and they start to get hacked.” A UK-based restaurant operator said they have placed a restriction on access to browser-based email platforms like Gmail, requiring employees to use their personal devices, outside the company network, to reach such services.
In other cases, a recommitment to training has yielded early dividends. Mark Kools, Executive Director of IT at Appvion, Inc., has overseen numerous training initiatives for the Wisconsin-based paper manufacturer, focusing on threats including data security, malware, and phishing – which the organization confronts on a daily basis. Workers have generally been receptive. “The click rate has gone down dramatically on the percentage of people actually clicking on the tests we send out,” Kools explains. “We’re also seeing our employees are being much more aware of when they see something coming in, to report it to our helpdesk.” Despite the success of such training programs, Kools stresses the importance of a blended approach to managing the human component of security. Appvion requires offsite staff to use company-issued devices to ensure uniformity, and a VPN to access corporate networks. With worker sprawl becoming an increasing challenge, such precautions are becoming commonplace across all sectors.
However, addressing the human component of information security involves more than simply restricting rank-and-file users. Bridget Kenyon, Head of Information Security at University College London, sees the reactive inclination of human nature often resulting in backward-looking policies insufficient to meet ever-evolving challenges. “If you’re entirely motivated by the latest trendy threat that has turned up on the news, if all you ever do is react, you’re not going to be able to prevent the new attacks.” Kenyon champions a strategy of proactive minimalism, so as to limit the scope of any threat that may infiltrate organizational systems. “If you try to reduce the data that you’ve got to a minimum, and handle it as little as possible, and give the fewest people possible the access that they need, these principles then can influence and adapt processes so that the ability of an attacker to get anywhere is vastly reduced, regardless of the route they take.”
With the news of the Petya ransomware attack currently sweeping Europe, it’s clear that cyber threats will continue keeping IT leaders up at night for the remainder of 2017 and beyond. But much of the consternation will likely come not from their security solutions, in which a vast majority of RainKing’s respondents feel relatively confident, but from employees unintentionally undermining them. Moving forward, solutions that limit users’ ability to circumvent the technology may well become a hot commodity. In addition, service partners able to provide proven and robust security training modules could find their offerings in high demand as organizations struggle to create synergy between man and machine.
Surveys and Data Analysis by RainKing Analytics