Human Error: The Weakest Link in Cyber Security

May 2, 2018

Image

Human Error: The Weakest Link in Cyber Security

James Burns, Cyber Product Leader, CFC Underwriting provides his view on what the weakest link is within Cyber Security.

Since the dawn of the internet, cyber fraud has continued to grow year-on-year-on-year. In 2015, the Office for National Statistics included fraud and cyber offences into its reporting – which saw figures soar to show a 107% increase in crime, against the previous year’s data. Whether targeting consumers or businesses, would-be cybercriminals are getting smarter, looking for weak links and tapping into known vulnerabilities in the hope that they’ll catch someone with their guard down at the right time.

In the Hands of Humans

When it comes to cybersecurity, humans continue to be the weakest link for businesses. The number of reported phishing cases has been steadily increasing, with many people being tricked into clicking on malicious links, which appear to come from authoritative sources, leading them to transfer funds to fraudulent accounts.

Careless practice online effortlessly plays into the hands of opportunistic attackers. Whether employees are falling for elaborate phishing scams, insecurely disposing of sensitive information, failing to install recommended fixes or leaving mobile devices unencrypted (and then on public transport!), the vast majority of cybersecurity mishaps can be traced back to human error. Smaller businesses are likely to feel the impact of this much more keenly than bigger businesses, who will generally have large IT teams in place to implement security measures, as well as training staff in how to spot and report malicious activity. A recent survey we ran amongst UK SMEs revealed that more than a quarter of SME staff lack cyber-specific security training.

Making Mistakes

Aside from ransomware and data breaches, another specific type of cybercrime that we are tracking is Business Email Compromises (BEC). From a hacker’s perspective, the allure is clear – they’re often cheap and easy to implement, while being hard to detect, and often offering a good ‘return’.

A tried and tested model for attackers is to target  companies that send money via international wire transfers, and then go on to use social engineering to commandeer bona fide email accounts. This allows them to create authentic-looking personas to syphon off funds into bogus accounts. Just one wrong click from an employee, and security is compromised to disastrous effect.

Training comes first

To counter this threat, staff at every level should be trained to be vigilant for email scams, which might be identified by irregularities in corporate style, incorrect spellings, unusual greetings and address anomalies. Other precautions include tightening up wire transfer etiquette, introducing the need for telephone verification of money transfers and, above all, multi-factor authentication.

In 2016, we looked at our own claims data, revealing that over a third of our cyber insurance claims could have been avoided through better staff education and training on cyber risks. Two years on, and many organisations are still in the same position with little expert understanding of how to protect themselves in a connected digital world.

Catching criminals

The steep increase in cyber-crime has left Britain’s anti-fraud police unable to cope - there have been almost three quarters of a million cybercrimes reported in the last twelve months, yielding billions for the perpetrators. Online anonymity, and global connectivity mean that the likelihood of a cyber-criminal getting caught is virtually non-existent. They can execute their attacks without ever stepping foot in the building of the company they look to exploit, or even the same country.

With cyber-crime likely to escalate to previously unthinkable levels, it’s more important than ever that business owners and employees surround themselves with the technology, understanding, and specialist partners that they will need to adequately protect valuable assets and secure data. No business, large or small, can afford to ignore the emerging ‘industry’ of cybercrime. It’s strategic, it’s organised, it’s adept at adapting quickly to change, and it’s wise to the weak or blind spots of its prey. A powerful nemesis.

Contact Us

+44 (0) 203 725 6841