Andy Taylor of APMG International tells us why people are the greatest risk to an organisation’s cybersecurity.

Introduction

For many years, people have been referred to as the greatest asset of an organisation.  The expense of both recruiting and training them was always seen as a reason to try to retain them, particularly the good ones, at all cost. One of the main reasons for this was the experience and knowledge that was lost when a valued staff member left the organisation.  There was also the risk that they would leave and join a competitor, taking with them favoured clients, technical knowledge and perhaps even IPR.  This was managed through good human resource departments, incentives and trying to build loyalty among the staff.

Today staff are being portrayed in a different light.  They are being referred to as a risk, (indeed in some places the greatest risk), to an organisation.  This change has been caused in no small part by cyber-crime and issues around the internet in general.  Cyber-crime is now bigger in financial terms than the illicit drugs trade and so is a major risk to any organisation, be they a household name operating worldwide or just your local corner shop.  This article looks at this change and suggests some of the ways it might be addressed.

Historically

Long before the first industrial revolution in the late 1700s, workers, for example, goldsmiths or other similar livery guild members, were seen to be of great value and in particular, a source of knowledge and experience.  This was down to the years spent gathering knowledge and applying it in a variety of circumstances thereby learning from mistakes.  As the knowledge developed it was passed on to the apprentice and shared with other professionals in the relevant walk of life.

As the first industrial revolution took hold, bringing the people in from the fields, into factories – with machinery and processes to learn, this sharing and passing on of knowledge became even more significant and so apprenticeships and similar practices were enhanced.  It, therefore, became even more important to retain the experienced staff.  It was probably during this period that people became valued as the greatest asset and since then the importance has increased, until recently.

The second industrial revolution of the late 1800s continued to raise the importance of people as industrial processes, combined with the availability of electricity, increased the learnt knowledge that employees held.  When the third revolution started in the early 1970s with the advent of automated production, electronics and computers, things began to change.  Knowledge wasn’t only invested in people but in automated systems and in the electronic storage facilities that were being developed.

The internet

Although the beginnings of the internet were in the 1960s, it wasn’t until the late 1980s that the internet really broke into our consciousness. That, combined with the development of artificial intelligence, big data and robotics, was the beginning of what is now referred to as the fourth industrial revolution.  One of the key influences that the internet has bought about is that knowledge is no longer vested in a relatively few specialists, but widely available to anyone with the ability to access it.  It has now become much more important to ensure employees have access, not only to the relevant knowledge and data but also to the appropriate processes for managing the data into information and usefulness.  Employees are no longer as valuable as they used to be, since their organisational knowledge is more widely available, more easily recorded and can be passed on to a new employee as required.

Cyber-crime

As with any new invention, process or activity the criminal fraternity follow closely on the heels of those developing it.  The internet (and all that it enables) is no different.  Cyber-crime has become a way of life for those committing it, and it needs to be considered seriously by anyone choosing to connect to the internet through any device.

More importantly, employees now hold the keys to the wealth of information in which the criminals are interested, due to its financial value (if nothing else).   The ease and speed with which vast quantities of information can be moved about is a striking change from the days of old.  Employees are now on the front line of defending an organisation against any criminal attempts to misappropriate data in one way or another.  They are unfortunately also the principal conduit for getting access to that information – the greatest risk.  In the past twelve months, nearly half of all reported cyber attacks have involved hacking and malware, mostly directly targeted at the personnel of the victim organisation.

The ways in which staff have been implicated fall into three general groups.

1. Phishing Emails:  By inadvertently providing details of the access to sensitive or valuable organisational information.  This could be giving out (sharing) login details or by using insecure login details (perhaps using poor passwords).  More often than not, this is achieved by sending a phishing email that is attractive enough for the employee recipient to click on a link to “find out more”.  This clicking will then do one of several things.  It could download malicious software, take the user to a bogus website where more information is requested, or cause the recipient to take another action on the basis of the information it contains.
2. Virtual Imposter/Pretending to be another person or department:  If an email looks as though it has come from (for example) the finance director and requests money to be paid into a specific account, then it is likely a junior member of staff in the accounts department would comply but not realise the request was bogus.  This has happened a number of times with some significant amounts of money being transferred into the criminal’s account.  It could just as easily be a telephone call that triggers this action – but one from someone who has gained sufficient knowledge of the organisation to be believable.  A telephone call from a bogus IT department is a method of fooling the staff member into giving out their personal login details.  Someone phoning to ask for the account details of a genuine customer to be altered is another example.  Receipt of an invoice, again apparently from a genuine customer, but doctored to pay into a criminal’s account instead, has also been a very successful ploy.  The method of initial contact could, of course, be any other device – smartphone text message or social media contact.
3. Physical Intrusion: The third method is far older and is the physical intrusion into an office environment.  The attacker though will have done extensive reconnaissance beforehand so that they appear to be as genuine as possible.  They may have requested an interview or made an appointment for some reason which sounds perfectly genuine.  Their attack is often initiated by arriving early for the appointment and gaining access into the building without the appropriate level of supervision.  Once inside they will then harvest any useful information they can find, including seeing what the staff passes look like (in order to be able to replicate one for later use).  Details of logins, passwords, job titles, extension numbers and organisational hierarchy can all be useful intelligence for the criminal. They may even leave a strategically placed, infected USB stick, in the hope it will be used in a machine where the infection will be downloaded instantaneously.

The solutions

Addressing the risks arising through the staff is essential and is a complex business.  The long-term aim has to be to reduce the risk to an acceptable level, and technology can, in part, help with this.  Designing systems such that human error is very likely to be successfully detected before it does any damage, perhaps by input-checking, should be the norm for all IT systems.  Restricting the access to large databases, notably of sensitive or commercially valuable information, to those who really do need access to it, should be standard.  Other measures might include:

• access controls that prevent large amounts of data being downloaded from corporate systems, other than by approved and individually identified staff members, being utilised whenever possible;
• ensuring that those with elevated privileges on a system only use that account for the task for which it is required and not for routine web browsing and email;
• insisting that business processes dealing with the payment of money have a minimum of two people involved.

Checking these controls are adequate, and gaining a certificate to prove it, can be done through APMG and Cyber Essentials details of which can be found here: https://apmg-international.com/cyber-essentials.  The UK government is now expecting any organisation with whom it does business to hold the Cyber Essentials certification.

This issue is exacerbated by the huge increase in what is often called the grey or shadow infrastructure, those items of technology owned by the staff but used to undertake legitimate activities on the corporate network.  Smartphones, in particular, are now as powerful as desktop computers were, not so long ago, and so can be used to undertake both legitimate and illicit activities.  The management of these devices for the security of the company is critical but difficult to achieve.

In recent years there has been a trend to provide, for example, an awareness briefing to new staff on arrival and then, in the more effective organisations, a refresher course every year or so.  However, a recent report from CLTRe in the USA shows, that the level of awareness of cyber security issues in the staff has a very weak correlation with the amount of cybersecurity awareness training provided. What has been shown to be far more important is the development of a security culture in the organisation.  This research, based on over 30 different organisations in various business sectors in Norway and Sweden, shows that it is far more important to take a holistic, risk-based approach to developing the culture in an organisation.

The security culture is the effective combination of a number of different aspects including the attitude of staff towards security together with the communications, responsibilities and knowledge related to security.   Whilst training can provide some of the required knowledge, that alone is not likely to develop the other areas essential for the establishment of a security culture within an organisation. The culture should establish that cyber-security is a critical part of every staff members’ job description and responsibilities.  It is about ensuring the right practices are not just learned but understood and, most importantly, implemented effectively by all members of staff from the top of the office to the most junior.

The analogy which perhaps best shows the difference between security culture and awareness is that of meteorology.  Climatology tells us what the weather could be like tomorrow, based on the evidence of the last couple of hundred years or so.  This is what security culture needs to be.  It describes what the norms are, what behaviours we expect of staff and the common (hopefully best) practices we expect them to use.  The weather report tells what the weather actually is and it may bear absolutely no resemblance to what climatology tells us should be the case.  This is the reality of security where daily incidents arise and have to be dealt with but, nevertheless, the general trend of the “climatology culture” should be the expected norm.

Training can clearly help to develop the culture but it needs to be the right sort of training.  Another interesting finding from the CLTRe research was that the older members of staff tended to be better at cybersecurity despite having been subjected to the same security training and communications.  This shows, in part, that the older age groups are more likely to accept and benefit from the more traditional ways of educating staff.  Training events and briefings, in addition to reminders, posters and the like have a greater impact on the older demographic than on the younger ones.  Younger staff members need to be treated differently -perhaps utilising a much more immersive style of learning.  They are much better at learning from doing than being told and so events that allow them to experience cyber attacks, to see the consequences of their actions, or other similar security-related activities, are much more likely to improve the security culture in this sector of the organisation.

Cybersecurity training is an essential part of any organisation’s defences and training that has been certified by GCHQ will provide the best level of knowledge.  This scheme, run by APMG checks that the training and trainer is up to the standards set by GCHQ and details of training organisations and courses that have been approved can be found here: https://apmg-international.com/product/gct

The recent move towards the use of so-called “escape room” style events, as an example, has shown them to be very effective.  In these events, participants are required to solve problems in order to “escape” from the room.  The problem-solving clues provided can remind them of the key security messages the organisation wants to impart to its staff.  Well-designed events can help staff to see not only the consequences of their bad practice but also the way the organisation would like them to behave.  These do not have to be limited to the young, however; mature staff can enjoy them too!

There is no one silver bullet to address all the issues cybersecurity raises.  It is essential to take a risk-based approach and to ensure that the view taken to any solution is a holistic one.  Doing it piecemeal simply will not work.  Cybersecurity cannot be, and must not be seen as, an inconvenience, an add-on or as something to be dealt with by the “security” department.  It is everyone’s responsibility and must be seen as business as usual for all members of staff.  APMG can help to assess the maturity of the security controls and capabilities that are in place in an organisation.  The higher the level of maturity for the security capabilities, the more likely they are to be able to defend the organisation effectively.  An assessment tool, developed by Dstl for the MoD, was explicitly designed to do just this and is now commercially available through APMG at https://apmg-international.com/product/cdcatr-cyber-defence-capability-assessment-tool

Understanding where the most important information is held, its business value, how it is processed and stored, who has access to it and the means by which illicit access might be gained, is the approach that must be taken.  From there, ensuring the various controls, physical, procedural and technical, are implemented, in a layered approach, together with understanding how well they are operating, will form the basis of an appropriately secure organisation.  The use of strong service management practices will assist this very well and should be the basis of all cybersecurity capabilities.

When the technical knowledge of the staff are insufficient to take a comprehensive look at the security of an organisation, bringing in a specialist might be the answer.  As in most professions, not everyone who advertises their skills is a good specialist.  The National Cyber Security Centre’s Certified Cyber Professional scheme (CCP) is designed to ensure you know who has been checked against GCHQ standards for appropriate levels of competence and knowledge.  Those certified by APMG can be found here: https://apmg-international.com/product/ccp

Conclusion

Cybersecurity is now one of the greatest business risks to be addressed, and one that has the potential to do the most damage to an organisation.  Dealing with it in the same traditional, risk-based way as other business risks have been addressed is the only effective solution.  Health and safety at work is now the norm and is rarely considered anything other than standard.  Cybersecurity has to reach the same level of acceptance, involvement and implementation by in-depth insights into the human factor. The 2017 Security Culture Report published by CLTRe.