Creating and Defining a Culture of Security: The Human Factor

Author: Pedro Alexandre de Freitas Pereira, CCNA
Date Published: 6 November 2017

The security of technology has become an increasing global concern. For some professionals such as network managers or security managers, this subject is intrinsically linked to their daily work. Additionally, governments around the globe are concerning themselves with creating entities and legislation to ensure security. The aim is to promote national and international strategies to combat cyberterrorism.

In 2012, Portugal made a cautious first step toward cyber security, just as many other European nations were doing at the time. Three years later, as this issue became increasingly important, Portugal’s Resolution Council of Ministers no. 36/2015 published the National Cyberspace Security Strategy.1 This legislation was “based on the commitment to deepen network and information security as a way of guaranteeing the protection and defense of critical infrastructures and of vital information services and to promote the free, secure and efficient use of cyberspace by all citizens, businesses and public and private entities.”2

As such, it is clear that some governments are committed to developing a culture of computer security.

Computer Security in Organizations

In organizations, the reality is a bit more asymmetric. Security is treated as something hermetic—something that is the responsibility of the IT department or system managers—and not as a corporate whole.

While this attitude prevails, if an actual malicious attack or other security flaw occurs, everyone at the enterprise becomes involved. Since technology is perceived as infallible, the human factor is presumed to be the cause.

The human factor is why one cannot drive a top-of-the-line car with most modern, passive and active safety features on a rough road, in the rain, at 180 km/hr. The probability of having an accident is very high, because the technology is not the only factor. Undoubtedly, the human factor (along with the weather in the previous example) enters this equation as a factor of uncertainty and destabilization.

Naturally, car manufacturers or information security technology manufacturers invest in second-line systems and mechanisms to restrict or avoid any action that endangers lives or the normal functioning of an enterprise.

If one refers to the International Data Corporation’s (IDC) 2016 report,3 security-related expenditure forecasts were estimated at US $73.7 billion, with an estimated increase to US $101.6 billion by 2020. Companies are increasingly investing in security to minimize threat risk, and these investments are increasing, both in the Internet and intranet spheres.

Users, as well as equipment and technology, need to be discussed in this context. People everywhere can spend money on recycling bins with ergonomic lids made of sustainable materials, but if they do not know the impact of their actions and actually use the bins for recycling waste, the tools and technology have limited influence on the state of the world. This scenario is also applicable for users’ lack of knowledge about computer safety.

The Human Impact on Security

The human factor plays a major role in security risk. Even cyber security technicians themselves may be responsible for contaminating a computer infrastructure.

Two years ago, in security training taught to network technicians, the frustration of complex enterprise passwords was discussed. Some practitioners admitted that they sometimes reduced the number/diversity of characters in passwords because the passwords were not practical, quick or intuitive. This implied a serious security flaw where the security policies were too loose and allowed the human factor to become the major deciding factor.

Ordinary users increase this risk exponentially, since they are less aware and many companies do not possess a culture of security.

Management and management entities must institute a security culture, and it must be a concern disseminated to the most remote points of the organizational flow chart. Five major categories of security mistakes made by employees in organizations can be distinguished:

  1. Weak password security—Passwords are the most basic security technique that can provide adequate protection. They must be handled with care and kept private. However, if passwords are not handled with proper care and procedures, they can be easily cracked, guessed or otherwise obtained by malicious perpetrators, allowing them full access to the system. Administrators do have some tools to minimize the risk, including adopting aggressive password policies (e.g., enforce password history, maximum password age, minimum password length, password must meet complexity requirements). These issues undermine password security:
    • Using a simple password—A typical example of the human factor in security risk is creating a simple password that is easy to remember. Sometimes, employees may even use default credentials. Such passwords are easy to guess or crack by a brute-force attack.
    • Sharing passwords—Sharing passwords among employees is a careless mistake that can easily give a malicious attacker inside access to data they should not be able to access.
  2. Careless data handling—Employees who routinely handle large amounts of information or manipulate sensitive data can sometimes leave that same data freely accessible. This oversight may be the result of a simple error, or it may be caused simply because the employee does not realize the importance of such data. The following issues undermine data handling security:
    • Emailing of data—It only takes entering the wrong recipient address to send sensitive data to the wrong person. Email is very common between departments and management.
    • Accidental file deletion—Employees can delete files to clear space without realizing the importance of the files.
  3. Inappropriate software security—Most employees are more concerned with getting their work done quickly and efficiently, often neglecting proper safety procedures. They prioritize convenience over the security of the software they use and the data they deal with on a day-to-day basis. This is a problem because it can compromise the entire enterprise’s security. The following issues undermine software security:
    • Neglecting updates—Employees often neglect updates because they take too long or appear at inopportune times (this can, of course, be countered through strong, mandatory network policies), and this can leave machines vulnerable to attack. The use of old and outdated software (with identified vulnerabilities and other issues) is also a very common problem. This software is often used not because it has special and necessary characteristics, but rather through the force of habit.
    • Deactivating necessary security features—Some employees have the ability to deactivate security features. They often do this because they consider these features intrusive without realizing their importance. Such actions can easily compromise the security of the entire system.
  4. Low security knowledge—Users generally have a low level of knowledge about phishing and social engineering practices and may inadvertently be helping malicious agents gain access to company data. The easiest way to steal credentials and access or introduce malware into a system is to employ the help of a person from within the company. As a result, security systems are increasingly tracking and monitoring within the intranet in order to combat threats from within the company itself. These issues can occur due to users’ low security knowledge:
    • Clicking on malicious email links—Emails containing malicious links are very dangerous and difficult to filter. With the recent resurgence of ransomware that asserts itself through malicious email links, serious damage to businesses can occur.
    • Downloading vulnerable software—Even though software is not malicious in and of itself, it may contain vulnerabilities that can serve as gateways in the system for malicious actions. This type of software is typically identified and recorded in company procedures, but users still choose to download it.
    • Connecting unknown or unsafe devices—Attackers can leave universal serial bus (USB) devices where they will be found, and malicious code stored on the USB can run automatically once it is plugged into most system devices. This works because an employee who finds a USB device connects it to the system device in their possession out of pure curiosity. Sometimes the origin of the device is known, but it can still harbor a virus contracted through an interaction with an external network and, therefore, should be used with great care. Institutions can establish rules so that external devices can only be used if they are exclusively authorized by the company and are not personal hardware.
  5. Inappropriate access rights—Control of access to sensitive data is a basic part of any system. However, many companies grant access to all employees by default. This approach can have the following negative impacts:
    • Employees who have many privileges may end up with access to data or system settings that they should not have and that are usually reserved for administrators. This abuse of rights may lead to the disappearance of sensitive information.
    • Making changes to the system should be for administrators only. If users can make unauthorized system changes to speed up their work or make it easier, this can cause security issues. The users probably do not know that such changes can have implications for the security or performance of their entire organization’s systems.
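The four password-policy controls named under item 1 (history, maximum age, minimum length, complexity) can be enforced mechanically rather than left to the user's discretion, which is the weakness the technicians described above exploited. The following checker is an added illustration, not code from the article or from CFPSA; the policy values, the `Account` structure and the SHA-256 fingerprint used for the history list are assumptions chosen for the demonstration (a production system would store slow, salted hashes).

```python
"""Password-policy checker modelled on the four controls the article lists."""
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 12             # "minimum password length"
    max_age_days: int = 90           # "maximum password age"
    history_size: int = 5            # "enforce password history"
    require_complexity: bool = True  # "must meet complexity requirements"


@dataclass
class Account:
    # Fingerprints of previous passwords, oldest first (demo only; use a slow salted hash in practice).
    history: list[str] = field(default_factory=list)
    last_changed: date = field(default_factory=date.today)


def _fingerprint(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_classes(password: str) -> int:
    """Count how many of the four character classes (lower, upper, digit, symbol) are present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def check_new_password(password: str, account: Account, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the change is acceptable."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity and complexity_classes(password) < 3:
        problems.append("fewer than 3 of 4 character classes")
    if _fingerprint(password) in account.history[-policy.history_size:]:
        problems.append(f"reused one of the last {policy.history_size} passwords")
    return problems


def password_expired(account: Account, policy: PasswordPolicy, today: date | None = None) -> bool:
    """True when the current password is older than the policy's maximum age."""
    today = today or date.today()
    return today - account.last_changed > timedelta(days=policy.max_age_days)
```

A shortened, "more practical" password such as the ones the technicians admitted to choosing fails the length check here regardless of who submits it, which is the point of moving the decision from the person to the policy.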

Best Practices to Prevent Human and Security Errors

Some cyber security problems occur occasionally, while others, such as the use of weak passwords, may be more regular. While they do not cause immediate damage to a company, such safety issues and negligence are ticking time bombs. They will cause security breaches and data loss that will cost an enterprise a large amount of money to recover and repair.

Clearly, the global society and economy depend on technology. This reliance could be fatal if not dealt with properly. In the face of ever-increasing critical services offered through the Internet, many dangers and vulnerabilities must be defended against to protect all information.

There is no magic formula to remedy the human factor. As long as the person is part of the system, many solutions can be implemented to mitigate the potential for humans creating risk. Manufacturers must consider alternatives to strengthen their products’ defense processes. Just as the human immune system reacts in case of an attack, cybersystems must monitor internal traffic to capture malware even after it has infected the system.

Typical employee cyber security mistakes are associated with poor password handling, careless handling of data, use of insecure software and general unawareness about potential threats and the best ways to prevent them.

In practical terms, using a complex, holistic approach to insider threats and cyber security should reduce the percentage of human error and help avoid security breaches. Some effective security practices are described:

  • Create an effective security policy—Security rules and best practices should be formalized in a written security policy. This policy should clearly describe rules such as those governing the handling of access and data passwords, the security and monitoring software used, and more. All employees must be introduced to the policy and it must be effectively enforced (including signing a liability agreement).
  • Provide training to employees—A high level of security awareness will help prevent user error. Users should be informed about the dangers that errors pose to the enterprise’s security. They should be educated about how best to handle work safely and ensure other users adopt the same practices. This will benefit the entire organization as users become aware of the potential security risk their actions may trigger, and it may encourage them to be more cautious as a result.
  • Apply the principle of least privilege—As far as data access is concerned, deny all access by default and only assign access on a case-by-case basis. This way, users will only have the required level of access, allowing them to only manipulate the data pertinent to their work. This will prevent leakage or loss of confidential information, making the organization’s infrastructure more secure and reliable.
  • Monitor users—Security issues are sometimes difficult to distinguish from regular user activity. This allows security issues to go undetected for long periods of time. The most reliable way to detect and prevent employee security errors is to use employee monitoring software.

Can a Sociological Approach Help?

In addition, the sociological component has been increasingly analyzed by security companies. Two questions have been explored:

  • What is it that compels a user to click on a certain link even though the link may seem suspicious?
  • Why do users succumb so easily to particular appeals made in a particular message?

Figure 1 presents the data from an interesting study about user action in response to a dubious email.4

Figure 1

This study objectively shows that human curiosity is undoubtedly a dangerous risk to cybersystems. While 100 percent security will never be attained, users can be made more aware of the types of attacks and their implications.

Manufacturers increasingly rely on more aggressive intrusion prevention systems (IPSs) with integrated intervention capabilities in unified threat management systems (UTMs) to ensure, for example, more proactive firewalls to deal with threats in order to minimize possible human error.

Network management software has already entered the security market, analyzing vulnerabilities (services, ports, updates and applications) and directly competing with the solutions exclusive to that area. Corporate antivirus software is already a simple application in place at most organizations. It is used to deter threats, filter applications and filter URL access. Because of this, more and more layers of security in organizational infrastructures with active and comprehensive characteristics pair with automation.

Redundancies are also increasing, by way of backup solutions, all of which are integrated into (encrypted) disk drives for rapid restoration in the event of a ransomware attack. The exponential growth of cloud services as organizations’ second storage option also adds to redundancy. Given these scenarios, are all of these security options enough? Whenever the human factor exists and influences decision making, security must be preserved by stressing the safer solution over the faster one.

Endnotes

1 Portugal’s Presidência do Conselho de Ministros Gabinete Nacional de Segurança, Cibersegurança, 2015
2 Ibid.
3 International Data Corporation, “Worldwide Revenue for Security Technology Forecast to Surpass $100 Billion in 2020, According to the New IDC Worldwide Semiannual Security Spending Guide,” USA, 12 October 2016, www.idc.com/getdoc.jsp?containerId=prUS41851116
4 Friedrich-Alexander-Universität Erlangen-Nürnberg, “One in Two Users Click on Links From Unknown Senders,” 25 August 2016, http://www.fau.eu/2016/08/25/news/research/one-in-two-users-click-on-links-from-unknown-senders/

Pedro Alexandre de Freitas Pereira, CCNA, is a best security practices adviser and chief technology officer at CFPSA.