The Human Factor in Cybersecurity

Date: 4/15/2024

BLUF

Cybersecurity has two areas of consideration: the system and the user. The user also plays three roles: the gatekeeper, the threat, and the victim. These roles present a complex challenge in establishing an organization's cybersecurity posture that protects data through established protocols and policies. This write-up will cover the ways humans impact cybersecurity in general.

Data and the User

The human factor in cybersecurity refers to people's role in safeguarding digital systems and data, as well as the vulnerabilities they introduce through error, ignorance, or malicious intent. Despite technological advancements, humans remain one of the weakest links in cybersecurity. The areas in which humans create information security problems include phishing attacks, weak passwords, lack of training, disgruntled attitudes toward policy, neglected system maintenance, and personal technology.

Phishing Attacks

Cybercriminals often use social engineering techniques to trick individuals into revealing sensitive information or clicking on malicious links. No matter how advanced the security measures are, if someone falls for a phishing email or message, it can compromise the entire system. By making digital correspondence look official, attackers can often trick users into actions such as clicking links in emails and filling in forms, obtaining information that reveals vulnerabilities and enables sabotage of systems and organizations. Organizations will also have to integrate mitigations that improve their resilience against phishing attacks while minimizing disruption to user productivity (National Cyber Security Center, 2018).

Weak Passwords

Despite repeated warnings, many people still use weak passwords or reuse passwords across multiple accounts. This makes it easy for attackers to gain unauthorized access to systems by simply guessing or cracking passwords. Weak passwords account for 25% of all cyber breaches using compromised credentials. Threat actors use techniques like brute-force attacks to obtain unauthorized access to systems. Although organizations can require users to change their password on a timed interval (e.g., every 60 to 90 days), too often users will only update a character or change a symbol to satisfy the requirement without actually changing the password. The cybersecurity impacts of weak passwords include unauthorized access, account takeover, data breaches, identity theft, financial losses, reputation damage, and legal consequences (Swisher, 2024).
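The "change one character" bypass described above can be caught at password-change time, when the user supplies both the current and the new password in plaintext (stored hashes cannot be compared for similarity). The following is an added example, not code from the original post; the thresholds and the leet-speak substitution table are assumptions, not policy from any cited source.

```python
import re
from difflib import SequenceMatcher

# Assumed policy thresholds (not from the original post): after normalisation,
# a new password within this edit distance of the current one, or at least this
# similar to it, is treated as a cosmetic variant and rejected.
MAX_EDIT_DISTANCE = 2
MAX_SIMILARITY = 0.8

# Assumed table of common leet-speak substitutions users apply to "change" a password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(pw: str) -> str:
    """Collapse the cosmetic edits made to satisfy a rotation rule:
    case, a trailing counter or symbol (Welcome2023! -> welcome), leet-speak."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())  # strip trailing digits/symbols
    core = core.translate(_LEET)                   # undo leet substitutions
    return core or pw.lower()                      # all-digit passwords: keep as-is


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is a cosmetic edit of `old` rather than a new password."""
    a, b = normalise(old), normalise(new)
    if a == b or a in b or b in a:
        return True
    if edit_distance(a, b) <= MAX_EDIT_DISTANCE:
        return True
    return SequenceMatcher(None, a, b).ratio() >= MAX_SIMILARITY


def check_rotation(old: str, new: str, min_len: int = 12) -> tuple[bool, str]:
    """Decision a password-change handler would return to the user."""
    if len(new) < min_len:
        return False, "new password shorter than minimum length"
    if new == old:
        return False, "new password is identical to the current one"
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the current one"
    return True, "accepted"
```

The similarity check complements, rather than replaces, a breached-password list and length requirements; it only addresses the rotation bypass, not weak passwords chosen fresh.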

Lack of Awareness

Many cybersecurity breaches occur because employees lack awareness of basic security practices. This includes clicking on suspicious links, downloading unscanned attachments from unknown sources, or inadvertently disclosing sensitive information. Training can reduce the impact of unsafe digital practices by unaware users.

Insider Threats

While external threats often receive more attention, insider threats can be just as damaging. Employees with access to sensitive data may intentionally or unintentionally misuse their privileges, leading to data breaches or sabotage. According to a Harvard Business Review article, "The most effective strategy for defusing the cyber threat posed by insiders is to use the protective technologies available and fix weak points in them, but focus ultimately on getting all insiders to behave in a way that keeps the company safe. People need to know what behaviors are acceptable or unacceptable" (Creese, 2014).


Unpatched Systems

Human negligence can also lead to unpatched or outdated systems, leaving them vulnerable to known exploits and attacks. Failure to install updates and security patches promptly increases the risk of a successful cyber attack. At my current job, where I write requirements for information systems, one of the biggest threats is the legacy systems that are yet to be replaced and are under-maintained by the system admins. Information assurance vulnerability alerts govern our administrators; an IAVA is a notification of a computer application software or operating system vulnerability, issued in the form of alerts, bulletins, and technical advisories identified by US-CERT. If a system admin is diligent and proactive in checking these notifications and executing the proper steps necessary, an organization like mine can limit some of the risks that older systems (e.g., SCADA) carry until they are replaced.

Ghost Network Alias PED

Personal Electronic Devices (PEDs) are a problem that corporations have to contend with, either by permitting them or by prohibiting them outright to avoid self-created threat vectors. Organizations face additional security challenges with the increasing trend of employees using personal devices at work. These devices may not have adequate security measures, making them susceptible to malware and other threats. Allowing these PEDs to join a network, creating what are known as ghost networks, can be a problem. As CIO, I would think extensively about how to provide an avenue of access for my employees to use a segmented or contained infrastructure path that was cost-effective and allowed a good work-life balance.

Conclusion

Addressing the human factor in cybersecurity requires a multi-faceted approach that includes education and training, implementing strong security policies and procedures, enforcing least privilege access controls, regularly updating systems, and fostering a culture of security awareness within the organization. Ultimately, cybersecurity is not just a technological issue; it's also a human one that requires attention at all levels of an organization.

References

Creese, D. M. (2014, September 1). The danger from within. Harvard Business Review. https://hbr.org/2014/09/the-danger-from-within

Fortinet. (2024). Authentication vs. authorization. Fortinet. https://www.fortinet.com/resources/cyberglossary/authentication-vs-authorization

National Cyber Security Centre. (2018, February 5). Phishing attacks: Defending your organisation. National Cyber Security Centre Guidance. https://www.ncsc.gov.uk/guidance/phishing

Pratt, M. K. (2022, August 2). The importance of data security in the enterprise. TechTarget. https://www.techtarget.com/searchsecurity/feature/The-importance-of-data-security-in-the-enterprise

Swisher, J. (2024, February 23). How weak passwords expose you to serious security risks. Jetpack. https://jetpack.com/blog/weak-passwords/#:~:text=Weak%20passwords%20open%20the%20door,legitimate%20user%2C%20or%20disrupt%20operations.
