The human factor is one of the best known and most widespread vulnerabilities: it risks nullifying even the best technology adopted to secure computer networks. The good news is that the risk can be minimized.
Zero risk does not exist; it is pure illusion. That does not mean it is impossible to reach a level of security whose residual risk is as low as possible and, above all, acceptable. Since even the best technology can do nothing when the fragility of the human factor comes into play, it is precisely on this front that intervention is needed.
How to deal with insider threats.
Talking about the human factor in this context means talking about insider threats: the risks arising from actions taken within the corporate network infrastructure by users who are authorized, at various levels, to access its resources. Employees are also targeted directly by attackers looking for the weak link that grants access to the system. In the most sophisticated cases, cybercriminals conduct genuine reconnaissance of the staff in order to approach them and steal access credentials. Awareness of the central role of the human factor has grown in recent years, leading to dedicated awareness and training policies. Contributions have come from many sides and from very different disciplines: statistics, psychology, engineering, artificial intelligence. Despite this, the success rate of social engineering techniques remains very high.
Broaden the vision.
It is therefore evident, though not always taken for granted, that efforts in cyber security should not be directed at technology alone but must also, and above all, embrace the human factor. Since this weakness cannot be eliminated, it must at least be managed as well as possible. Starting from a realistic picture of the entire organization, it is possible to identify the main weaknesses and the origin of internal threats, whether a policy violation, a phishing attack, or a connection to an unsafe network. Identifying possible threats also allows more targeted actions and creates the conditions for rapid intervention.
How to mitigate the risk.
Some of the best-known and, in terms of stolen data, most significant attacks originated from human weaknesses. This is the case of the 2014 attack on Sony, which led to the disclosure of 100 terabytes of data and started from a phishing e-mail, and of the more recent WannaCry case of 2017, which also began with phishing e-mails.
Intervention can start from the motivation and awareness of the staff: implement internal policies and training strategies that make people aware of the risks certain behaviours create, both as damage to the company they work for and as a threat to their own jobs. Non-specialists often find it hard to perceive the real potential for damage, and it can be useful to focus on that perception.
If between 80% and 90% of attacks today originate from human error, whether through inattention or misinformation, then employees can also become an organization's first line of defense against cyber threats.
The security awareness program.
Creating a Security Awareness program is therefore a fundamental step. First of all, it means defining acceptable objectives that take into account the level of knowledge to be acquired and the time spent in training, so that the skills attained are in line with each person's role in the company. This avoids wasting resources by training beyond what is necessary, or by training too little. Periodic monitoring allows the level acquired and the progress of the practices adopted to be measured, while a playful approach, with challenges and exercises that encourage comparison and sharing with colleagues, can increase involvement and generate group dynamics that are also useful in everyday work.