Employee cybersecurity habits: When will companies learn?
Data breaches are frequent and costly, yet little is being done to improve employee cybersecurity habits.
Never a week goes by without news of a major data breach: 60 million USPS users; 40 million credit cards used at Target stores; 500 million Marriott users. Gigabytes upon gigabytes of data dumped onto the internet for all to see. And these are just the ones you hear about.
The scale is rather astounding. A study by the Identity Theft Resource Center and Cyberscout published a report in which the number of data breaches in the U.S. alone reached 791 in the first half of this year. That’s more than 4 per day. Extrapolate that to the wider world and, well, you get the idea.
What gets lost is just how expensive these breaches are for the companies involved. A study by Ponemon put the average direct cost of a data breach at $3.26 million. Indirect costs like settling lawsuits and repairing technology increase that number further. And what they don’t have to pay in dollar terms, they pay for in loss of trust and reputation. You’d think companies would care enough about losing that kind of money to shore up their data security, but they apparently have better things to do.
If you’re wondering why these breaches are so common, it’s instructive to look at the value of the data being stolen. Credit card details are valuable, so are email/password combinations (because they can be used to attack high-value targets like your email and social media accounts). So if that data is relatively easy for an attacker to get at, chances are they will. This is what’s called “low-hanging fruit.”
There’s also the question of how these breaches happen in the first place. There isn’t one simple answer. Breaches are a result of a host of security flaws. But there is one that should be talked about a lot more than it currently is because it is one of the easiest ways to breach a company’s system: poor cybersecurity habits of employees.
Defence in Depth
One of the maxims of cybersecurity is that no one solution will protect you from all threats. Security, instead, must be designed in such a way that if one particular line of defence breaks, there will be another one acting as a backup. The assumption being that a line of defence will be breached at some point, so you better have a contingency plan. This concept is called “Defence in Depth.”
A simple example is how you choose to physically protect your mobile phone. That you carry it with you is the first line of defence. The second would be adding PIN-code protection (or fingerprint or pattern or password) so that if someone were to steal your phone, it would be a bit more difficult to access. The third would be a remote wipe function. Someone could steal your phone, crack your PIN-code, but not get access to any data. You can see that only carrying your phone with you leaves your device open for exploit if it were to be stolen.
Attackers, therefore, look for the weakest link in a system. There is no sense in trying to breach a strong defence if there is an unlocked back door that can be used. You can have all the firewalls and encryption you want, but if the password to your database server is 123456, then it renders your entire security plan useless.
Looking back at history, the Maginot Line comes to mind as the perfect metaphor. The French thought they had an impenetrable line that would thwart or deter a German attack. Sadly, the infamous line didn’t extend all the way to the English Channel — French and British forces were to be the barrier instead. The Germans, of course, found the weakest link and smashed through the French line at the Ardennes forest, rendering the entire Maginot Line useless.
It doesn’t matter how strong you think you are. You’re only as strong as your weakest link. The problem is that humans are almost always the weakest link.
The Weakest Link
The Target hack, if you would believe, happened because the computer of an employee at an HVAC company contracted to by Target was compromised. You see, the company had access to Target’s network so they could do remote HVAC maintenance. So when the computer was compromised, it was used by the attackers to access Target’s network. Malware was then installed on the PoS terminals at the stores, and the rest is history.
This scenario has played out a number of times. Attackers are quick to identify humans as the easiest targets. It’s no surprise why. We still continue to click links that we should find suspicious, we write our passwords in plain text in .txt files, we choose easy passwords like 123456 and repeat them across multiple services, and we generally understand very little about how to actually protect ourselves and, in turn, our companies. All an attacker needs to do is trick us once.
You’d think companies would be more attuned to this. Instead, they try to throw half-hearted security measures at the problem to try to make up for the fact that employees will be breached at some point. Rarely is it ever enough. It’s like putting a bandage on a broken leg. Other companies claim that they aren’t big or important enough to be attacked; that they have nothing of value to be stolen. The thing about that is that one day they might be. When that time comes, all those bad cybersecurity habits will be deeply ingrained.
And then there are those that say it’s too expensive to implement security measures. Security is much like insurance in that sense: you only need it when something bad happens. But oh how happy you are when lightning strikes and you do have it.
The sad thing is that teaching proper personal cybersecurity habits isn’t expensive or even time consuming. There’s really no excuse not to do it.
Convenience vs. Security
Humans search out convenience. We avoid taking proper security measures because they aren’t convenient. Remembering a 30-character password is hard, let alone a different one for each of a hundred online services. Same with checking the veracity of links or keeping software updated. If it’s too hard or takes too much time, people just won’t do it.
Product managers and software engineers have tried to make security more convenient. They’ve introduced thumbprint authentication, automatic updates, browser warnings for potentially malicious sites, and password managers. Some, like thumbprint authentication, have raised their own security concerns. The convenience of pressing your thumb against your home button is great, but what happens if your thumbprint gets stolen? It’s not something you can easily change, unlike a password.
Password managers, on the other hand, have been a boon for both security and convenience. The idea is that you can create unique, complex passwords (that you don’t need to remember) for all your services while only needing to remember one master password. In theory, people should have better luck remembering one difficult password, so password managers can be an effective tool. (If your master password is weak, however, then a password manager can be quite dangerous because that weak password provides access to all of your other passwords.)
What Can Companies Do?
Good company cybersecurity habits start with education. Employees need to know concepts like spearfishing and clickjacking. They need to learn how to spot malicious links, recognize phishing sites, and the importance of software updates and multi-factor authentication. Password managers should be mandatory to prevent password re-use and increase entropy, but that should also be paired with teaching how to use them properly.
None of these things requires even moderate technical knowledge, and they can be taught without the need for a cybersecurity expert. The internet has a plethora of resources that cover everything an employee needs to know in a way that is easy to understand. Those that want to go further will find plenty of useful content as well.
You will never be able to prevent 100% of attacks, but instilling good cybersecurity habits in your employees will move your “fruit” a little higher up the tree.