December 2, 2019
Cybersecurity – People as the Weakest Link
In our experience, a number of our clients focus mainly on technical aspects of cybersecurity and in the process neglect the role of people in the security of their organizations.
It is typical for establishments to develop (perhaps with the help of consultants) very sound security policies, standards and guidelines. They then proceed to develop robust processes for managing security, such as user administration and incident management.
Further, the organizations buy cybersecurity technologies such as firewalls, intrusion detection/prevention systems (IDS/IDPS), security information and event management (SIEM) systems, antimalware, etc.
We notice that, often, people do not feature in the equation. The fact is that human beings form the weakest link in the cybersecurity value chain. Examples include an employee clicking on an ‘innocuous’ hyperlink that introduces malware into the network they are on, surfing insecure sites, and installing software that carries malware, among others.
Technical personnel present their fair share of risks, such as failure to properly configure the systems they deploy. Some estimates suggest that more than 30% of attacks happen due to poorly configured systems, some of which are put into production with default settings. Technical personnel may also fail to do comprehensive testing following system reconfiguration.
The cultural environment in which an organization operates is important. For instance, where fraud is routine, one can expect it to show up in the organization’s systems. Stories are told of payroll manipulation to plant ghost workers; manipulation of student marks and fee payment records in universities especially; and individuals perpetrating fraud via banking processes.
Such fraud is usually perpetrated by people with legitimate access to systems. The problem is worse where two or more such duly authorized people collude to cause harm to their organization.
Organization leaders and managers should consider all risks that their systems may be prone to and develop countermeasures for mitigation. They should have sufficient mechanisms in place to detect potential (internal or external) harm.
Standard system configuration should include capturing logs relating to security-sensitive actions. Such logs should be stored and backed up to remote servers that are managed by information security, risk management or audit teams. These would come in handy during investigations should there be a need.
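The following added example (not part of the original post) illustrates the point of the last two paragraphs: a record of security-sensitive actions must be kept where the people whose actions it records, including duly authorized insiders, cannot quietly rewrite it. It goes a step beyond the text's remote-backup advice by chaining each entry to the previous one with an HMAC whose key is held only by the team that owns the remote log store, so that an edited or deleted entry in any copy is detected on verification. The key, function names and sample payroll events are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key: held only by the team that owns the remote log store
# (information security, risk management or audit), never by the users or
# administrators whose actions the log records.
AUDIT_KEY = b"example-audit-key-not-for-production"

GENESIS = "0" * 64  # chain anchor for the first entry


def append_event(log, actor, action, target, key=AUDIT_KEY, ts=None):
    """Append one security-sensitive event, linked to the previous entry's MAC.

    Each entry carries the MAC of the entry before it, so removing, reordering
    or altering any earlier entry breaks the chain from that point on.
    """
    entry = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log, key=AUDIT_KEY):
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i  # an entry before this one was removed or reordered
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i  # this entry's content was altered
        prev = entry["mac"]
    return True, -1


def to_jsonl(log):
    """Serialise the log as JSON lines, the form shipped to the remote collector."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log)


def from_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo():
    """Constructed scenario: payroll changes by an authorised user, then tampering."""
    log = []
    append_event(log, "hr.clerk", "payroll.add_employee", "EMP-0421",
                 ts="2019-12-02T08:00:00+00:00")
    append_event(log, "hr.clerk", "payroll.set_bank_account", "EMP-0421",
                 ts="2019-12-02T08:01:00+00:00")
    append_event(log, "hr.manager", "payroll.approve_run", "2019-11",
                 ts="2019-12-02T09:00:00+00:00")

    # Copy that reached the audit team's server before anything was touched.
    remote_copy = from_jsonl(to_jsonl(log))
    intact = verify_chain(remote_copy)

    # An insider with legitimate access rewrites who performed the first action...
    local = from_jsonl(to_jsonl(log))
    local[0]["actor"] = "someone.else"
    edited = verify_chain(local)

    # ...or simply deletes the incriminating bank-account change.
    local = from_jsonl(to_jsonl(log))
    del local[1]
    deleted = verify_chain(local)

    return {"intact": intact, "edited": edited, "deleted": deleted}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is who holds the key: because the MAC key lives with the audit or information-security team rather than on the system that generates the events, a system administrator can still write to the local log but cannot produce a valid chain after changing history, and the remote copy gives investigators a reference to compare against.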
The most powerful antidote to security risks, however, is education and awareness.
Ordinary system users need sufficient awareness of cybersecurity-related risks as a mitigation measure. Technical personnel should continually learn about developments to keep abreast of leading practices in designing, implementing and managing systems in a secure manner. Information security personnel (whether internal or external) should always be ahead of everyone else in terms of cybersecurity knowledge and practices. They should continually train to understand prevailing trends in managing cybersecurity and the related best practices.
There are many ways to ensure awareness, some of which we will address in the future.
Matunda Nyanchama/Agano Consulting Team