As the months, years, and decades pass, the impressive advances in data analytics and network connectivity continue. But as remarkable as these accomplishments might be, persistent and sometimes sinister cyberattacks remain a serious problem.
Powerful hardware appliances, software platforms, and cloud-based mitigation methods have all entered the commercial market. But despite all this ingenuity, it’s the human factor—computer user behavior and cybercrook ingenuity—that stymies progress in network and web application security.
Stubborn Data Breach Rates Continue to Take Their Toll
To prove this point, all you have to do is refer to the latest data breach trends.
- Small businesses are targets. Yes, the screamer headlines describe breaches in global companies. As multinationals learn how to repel cyberattacks, however, the bad guys are focusing on smaller businesses. Companies with hefty cash flows, IP, and other sensitive information are prime targets.
- Each exploit requires fewer steps. Cyberattacks are more efficient than ever. They often start with social engineering, phishing or hacking and move on to a malware step. So, user cybersecurity habits still have a large effect on how well your network can stop an attack.
- Money is (still) the primary target. Seventy-one percent of data breaches involve valuables. Although this can mean money, anything that bad actors can monetize—intellectual property or customer data, for example—might be at risk.
Bad actors have always been attracted to the path of least resistance. Unfortunately, users are often exactly that: the straightest line to cyberattack plunder. Through the years, users have only enhanced this dubious reputation for attracting cybercrooks. They’ve developed bad habits that make their employer’s IT infrastructures vulnerable targets.
The Changing Profile of Cyberattack Risk
As technology and cyberattack sophistication progress, security researchers point to different causes of cyber-insecurity. Here’s a list of attitudes, approaches, and downright bad practices gleaned from the latest Dell Technologies’ End User Security Survey and other sources. It lists some of the causes that undermine the security efforts of IT and security professionals:
- A fatal attraction to public Wi-Fi. Attackers might use these services to execute man-in-the-middle attacks, but 46% of respondents to the Dell survey admitted to not just using public Wi-Fi but using it to access company data.
- Bad email habits. Almost half (49%) of survey respondents said they conduct business with their personal email accounts, an approach that prevents IT and security pros from keeping company data safe. In a variation on the theme of bad security behavior, about 45% of Dell respondents acknowledged emailing sensitive files outside their organization.
- Taking information with them when they leave their employer. About 35% say it’s routine to take data with them when they leave their jobs for other companies.
- Viewing security as somebody else’s problem. Yet another cybersecurity worst practice is the fact that 35% of Dell survey respondents didn’t see a connection between their company’s security challenges and their own behavior.
- Four more ways that human nature can trump best practices:
  - User security overconfidence. Only about one in five respondents (22%) worried that they might cause a cyberattack or other security disaster.
  - Failing to take training principles seriously. Employers of most Dell survey respondents (63%) required their employees to attend cybersecurity awareness and readiness training. However, about one in five respondents (18%) engaged in unsafe behaviors after training, without realizing their security mistake.
  - Users feeling entitled to access privileges that exceed their work requirements. Especially at the top of the corporate hierarchy, expecting system-wide access for user convenience is a familiar and potentially harmful request.
  - Putting gut feelings ahead of policy. Employees sometimes choose to go with their intuition instead of sticking to company policies. About 23% of those surveyed said they would share company data if the risk was low and the benefits were high.
This isn’t a complete list, but it does serve up both familiar and more nuanced causes of cybersecurity trouble. Unfortunately, being able to identify causes still hasn’t beaten back stubborn data breach rates.
What Cybersecurity Specialists Should Do
Nevertheless, there are still many ways to battle users’ bad habits, negligence, and apathy.
- Just say no to entitled users. It’s hard, but that’s no reason to expose your company’s attack surface to the bad guys. CISOs should work actively with executives, managing system administrators, and other stakeholders to educate users on the role that persistent administrative access plays in damaging company web sites and networks.
- Design tools that nag users more aggressively. Is this a strange, some would say bizarre, way to prompt users to best practices? You bet. Would browser developers have the stomach to do this? Perhaps not. But at the company level, moving the dial from “SUGGEST” to “MONITOR AND PESTER” users might convince them to get serious and choose better behaviors.
- Educate users to refuse their browsers’ offers to remember passwords. Enterprise password management systems offer the most effective way to combine user convenience with strong, unique, and complex passwords.
- IT and security specialists might acknowledge that some interactions are always insecure and should therefore be isolated by design. This approach would include virtual or physical isolation of internet browsing and email containers, for example.
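Education alone leaves the browser’s built-in password store enabled, so a user who clicks “Save” once has undone the advice. Where the organization manages its browsers centrally, the same recommendation can be enforced rather than merely taught. The fragment below is an added example and is not from the article or from Dell; it assumes a Firefox deployment configured through the enterprise policies.json file (placed in the browser’s distribution directory), and uses the real Firefox policy keys PasswordManagerEnabled and OfferToSaveLogins. The first object shows the default state that the article warns about (nothing set, so the browser keeps offering to remember passwords); the second turns both the save prompt and the built-in manager off, leaving the enterprise password manager as the only place credentials are kept.

```json
{
  "_comment": "Constructed example, not from the article. Default: policies object empty, so Firefox still offers to save logins.",
  "policies": {}
}
```

The corrected version of the same file disables the browser password store outright:

```json
{
  "_comment": "Constructed example, not from the article. Hardened: browser never prompts to save, built-in manager disabled.",
  "policies": {
    "OfferToSaveLogins": false,
    "PasswordManagerEnabled": false
  }
}
```

Check the result after deployment by opening about:policies in a managed profile: both keys should be listed as active, and the save-password prompt should no longer appear on any login form. Chrome and Edge expose an equivalent PasswordManagerEnabled policy through their own management channels, so the same control can be applied to a mixed browser estate.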
To combat both old and new causes of cyberattacks, advanced security solutions should monitor use patterns and consistently enforce the basic security capabilities described above. Automated operation makes defense more efficient and provides a logical alternative to gut instinct and bad habits of mere mortal users. And cost-effective cloud services can help companies of any size reduce the risks of fast-changing IT security environments.