The threat of human error

You cannot afford to risk human error compromising your cyber security.
In spite of the ongoing evolution of cyber security processes and technology, human error is still responsible for 95% of data breaches [1]. Phishing attacks alone represent a particularly insidious risk, with 91% of organisations experiencing a successful attack in 2021 alone [2].
We've talked several times on this blog about the need for ongoing cyber security education within organisations at all levels, across all sectors. This should always be part of any robust cyber security policy, but recent events make a thorough review of your training processes imperative: highly effective new breeds of malware have been unleashed against both private and government organisations abroad, and the National Cyber Security Centre (NCSC) has identified a number of bad actors responsible for both the recent attacks and a number of past attacks on organisations around the world.
All staff must be made aware of the latest threats and - equally importantly - understand their part in preventing serious breaches. While an effective email filtering service will certainly help here, you cannot afford to assume that fraudulent emails will never get through, or that no member of staff will respond to one in a moment of poor judgement. Consider the following, and ensure all staff have been trained and tested on them:
In spite of the growing sophistication of cyber criminals' strategies, there are still a few typical warning signs to look out for when establishing whether a communication can be trusted. These include (but are not limited to):
Staff must have multiple channels through which they can report any suspicious communications or potential security risks, with processes in place to ensure these are forwarded to the right person and resolved at the earliest opportunity. Once an incident has been resolved, the outcome should be communicated promptly to all members of staff, so they can spot similar attacks in the future. Crucially, all staff must be made aware that they will not be punished for reporting any concerns, even if this means alerting cyber security teams after they have inadvertently responded to a phishing email. Punishing such reports would only make staff reluctant to report incidents and compound the risk of a successful breach.
We share more information online than at any other time in history, which makes it imperative that staff understand the wider impact of what they share online, particularly on social media, and especially details of where they work.
At the very minimum, MFA should be in place for staff at all levels, with all users given the minimum access privileges they need to undertake their duties. This will help minimise the reach of any successful attack.
If you are looking to optimise your existing cyber security training or develop a new programme to accommodate the very latest best practice and current threat intelligence, do not hesitate to contact Exponential-e's Cyber Security team.