<div dir="ltr"><a href="https://gcn.com/articles/2016/12/07/cybersecurity-human-factors.aspx">https://gcn.com/articles/2016/12/07/cybersecurity-human-factors.aspx</a><br><p>Cybersecurity experts repeatedly warn about the growing number of
sophisticated malware and hacker attacks against IT infrastructure and
data. Organizations can’t control the bad guys, and the criminals are
getting better. However, rudimentary attention to security threats can
go a long way toward protecting systems and data.</p>
<p>The human factor plays a critical role in how strong or weak an
organization’s security defenses are. Be alert to the six most common
human-factor mistakes that can lead to deadly security breaches.</p>
<p><strong>1. Awareness</strong></p>
<p>It’s not just rogue employees who compromise agency defenses with
insider information. Out of ignorance, even the most loyal, hard-working
employees can make mistakes that cost the agency dearly. For example,
simple phishing attacks succeed when users open emails from unknown
senders, click on links and download attachments, after which the attacks
deliver malware onto a computer or convince a user to give up
passwords. About a quarter of recipients open phishing emails, and 11
percent click on attachments. How can we keep this from happening?</p>
<p>The first lesson to convey to employees is the extreme importance of
security. Are employees aware of the criticality of the data they deal
with every day? Do they understand the necessity to comply with
data-privacy regulations and what it might cost the agency if they
don’t?</p>
<p>Once employees are aware of the requirement for security and their
critical role, they must be warned about using unauthorized websites and
shadow IT tools and shown how their daily activities can lead to
undesired endpoint or network penetration. And these lessons must be
reinforced periodically to ensure that they are not forgotten.</p>
<p><strong>2. Time constraints</strong></p>
<p>Often lacking sufficient budget and headcount, security staff are
overburdened. Given all the pressure to “get everything done,” sometimes
things just don’t get done correctly.</p>
<p>Misconfiguration of a tool and neglecting to follow security policies
to the letter are regular mistakes. So is spinning up a certain
service, such as a container, a proxy or monitoring tool, but forgetting
to secure it.</p>
<p>Still another consequence of time pressures can be forgetting to
apply security patches or not applying them on time. About half of IT
professionals see outdated security patches as a problem and cite human
error and patch management as stumbling blocks to making web apps
totally secure.</p>
<p>Cutting corners may sometimes be a good way to get the job done
quickly, but it also makes way for poor security. Security managers must
keep their teams on their toes. And when they undertake to respond to
an incident, they must see it through to its final resolution.</p>
<p><strong>3. Passwords</strong></p>
<p>While hacking and malicious attacks are often the top concern for
protecting an organization’s data, often it’s the weak or lost password
that proves to be the Achilles’ heel that leads to disaster.</p>
<p>Protected only by weak passwords, laptops, tablets, cell phones,
computers and email systems offer up little defense against the
committed hacker who can easily obtain subscription information,
personal, financial and health information as well as sensitive business
data. IT departments will go a long way to enhancing security by
implementing policies that enforce use of strong passwords on all
devices.</p>
<p>Another password vulnerability is employees’ tendency to use the same
password (or even the same set of passwords) for both work and home. If
a home network is breached, there may be little damage that an attacker
can do, but if the attacker can extract passwords from a home computer
(or personal smartphone) and use them as a springboard to launch attacks
against the enterprise, devastation can ensue.</p>
<p><strong>4. Friendly outsourcers, vendors and partners</strong></p>
<p>As technology becomes more complex, companies increasingly rely on
outsourcers, vendors and partners to support and maintain systems. These
third parties typically use remote access tools to connect to the
agency’s network, but they don’t always follow security best practices.</p>
<p>Organizations must trust their contractors and vendors. However, even
partners with benevolent intent can leave their customers open to
attack. Third-party threats increase exponentially if unvetted partners
are allowed to access an organization’s network.</p>
<p>Agencies must be certain that their trusted partners and vendors
follow best security practices, such as enforcing multifactor
authentication, requiring unique credentials for each customer and
creating a comprehensive audit trail of all remote-access activity.
Third-party accounts should be disabled as soon as they are no longer
required, and login attempts using these accounts should be monitored.</p>
<p><strong>5. Alert fatigue</strong></p>
<p>Alerts signal a potential problem that might require immediate
attention, but if alerts are frequent and coupled with a high
false-positive rate, they lose their power. About a third of
cybersecurity professionals face more than 10,000 alerts every month,
and more than half of the alerts are false positives.</p>
<p>Alert fatigue occurs when security personnel are exposed to a large
number of security alerts and become numb to them, which can cause
increased response times and missed alerts. </p>
<p>For the security team, the number of false alarms belies the actual
problem. Alert fatigue leads to a loss of confidence in security tools.
Over time, the sensitivity threshold falls to a point where all alerts
are suspect, and actual security becomes almost non-existent. When the
real thing happens, nobody recognizes it.</p>
<p>Cybersecurity incident response teams are dealing with their own
version of alert fatigue. After teams invest in state-of-the-art systems
that detect potential attacks and sound alerts, the extremely high rate
of false positives undermines the value of the detection systems.</p>
<p>Hiring more personnel is not the answer. Attacks are increasing
exponentially and agencies cannot keep up just by throwing more people
into the fray. Arming staff with the best technology, one that
provides accurate alerts with no false positives, is a much better
approach. Deception-based solutions, for example, fall into this
category.</p>
<p><strong>6. Routine</strong></p>
<p>Most organizations are very good at preparing for a targeted event.
Security teams will be on high alert when the latest advanced persistent
threat is published or a new zero-day attack is discovered. But once
the danger has passed, teams tend to fall back into a routine and let
down their guard, and can miss a new attack.</p>
<p>Be on guard against routine. Re-allocate tasks. Give your security
team training in the latest technologies and tools. Keep the environment
fresh and dynamic.</p>
<p>Everywhere, networks and data are under attack. This is war! In order
to defend their agency assets, cybersecurity professionals must rely on
every means at their disposal. These days, while we tend to focus on
technology and expertise to spearhead our defenses, we must not overlook
the simple, internal steps we can take to reduce our attack surface and
to make every employee a soldier in our battle against cyberattacks.</p><br></div>