The 2021 IBM cyberthreat intelligence report makes for tough reading. Among the trends tracked, ransomware continues to be the number one threat, accounting for 23 per cent of security events. Another interesting statistic in the report is that human error plays a role in 95 per cent of all successful data breaches.
Colm Murphy, senior cybersecurity adviser with Huawei, states the obvious – everyone needs to be trained.
“There are various degrees of training,” he says, “but it is essential that everyone across the organisation receives some level of training. People at all levels need to have a reasonably sophisticated appreciation of security risks, how to identify them, how to protect the company, who to call – even what to do if you are the person that clicked on something that in hindsight looks fishy.
“People don’t just work 9 to 5; they are often interacting with systems through their phones and laptops. The threats don’t exist during working hours, they carry on to personal and family time, so everyone needs to be aware of potential risks.
Murphy goes on to make the point that this awareness goes all the way to the top. He points out that it would be unheard of for board members to be unfamiliar with finance or spreadsheets.
“It’s the same with cybersecurity. From board members to receptionists, everyone needs to understand the risks.”
Gillian Bergin, chairperson, It@cork Skillnet, holds similar views:
“Everyone in the organisation needs to be trained on cybersecurity, with different levels of detail and depth depending on their role. But everyone needs at least a basic knowledge and understanding of cybersecurity risks and their role in keeping themselves, their organisation and their customers safe,” she says.
Training
It@cork Skillnet has undertaken comprehensive research into this topic and looked at international reports as well as the Irish context. The resulting cybersecurity skills report indicates significant growth in the demand for training for (non-technical) senior managers over the next 12 months.
“What is very clear is that all stakeholders need ongoing, agile and relevant training both within organisations and across the public/consumers. Employees are a key resource that can stop cybercrime but other stakeholder groups like boards of directors and executive management have unique and different cybersecurity training needs,” Bergin says.
She suggests that everyone asks, “have we considered cybersecurity here?” when designing solutions, processes and products.
To that end, she advocates a leadership course run by It@Cork Skillnet in conjunction with the IMI, the Leadership Development programme, which is aimed at people becoming managers for the first time during the pandemic. The course trains delegates to ask the right questions for today’s highly connected and dynamic world of work, some of which are around cybersecurity and data privacy.
Murphy also recognises the balance between breaches and prevention at source.
“For a breach to occur, typically two things need to happen. One is that a human makes a mistake, clicks on a link, visits a hostile site or takes some action that they probably shouldn’t have taken. That action can result in a payload or executable running on the company’s servers.
“But on the flipside, breaches can occur by exploiting bugs or vulnerabilities in existing software. So there needs to be training for the people writing the code as well. Here in Huawei, we have gamified the process of continuously testing software which makes it easier.”
Ongoing process
Murphy explains that training software developers is an ongoing process – they need to take regular examinations to ensure they understand what secure code looks like and how to minimise or reduce any potential vulnerabilities.
Whether or not an organisation opts for internal or external IT teams, there are some core internal jobs to be done. Murphy explains: “The IT team should be responsible for defining policy and having that approved at board level prior to executing it into the organisation.
“And again, every single individual needs to be trained to do the right thing – remember, the attackers only have to be successful once or twice to get lucky. Policy can’t sit on the shelf – it has to be implemented. But while it is everyone’s responsibility, it falls to the IT folks to tell people what to do.”
This vigilance extends to the new way of working – WFH or Working From Home.
‘Zero trust’
“We operate a zero-trust culture,” says Murphy. “Remote workers are accessing systems all over the place. Companies need to act as if any connection to any system is from an untrusted place and to put in appropriate measures. The pandemic has just accelerated this approach.
“It’s important to stress too that it’s not a question of if there is a hack but when the hack occurs. Eventually something somewhere will go wrong, and you need to be able to handle it and to respond in a kind of sophisticated way to contain the attack, to ensure it doesn’t spread and ultimately to deal with your resulting legal and regulatory obligations.”