
Your greatest cyber weakness? People

- Dave Nelson, CISSP, is president and CEO of Integrity.

In past blogs, I’ve talked about the impact end users have on an organization’s information security posture. Users are often the first and last, and sometimes only, line of defense an organization has against hackers. This has never been more true.

[Chart: percentage of breaches per asset, from the 2016 DBIR]

According to the 2016 Data Breach Investigation Report (DBIR), the top three assets attacked in confirmed data breaches are servers, user devices and people, in that order. The chart to the right from the 2016 DBIR shows the current trends. Of those three, server breaches are on the decline and have been for several years. Attacks through both user devices and people are steadily increasing.

The uptick in user devices being used in data breaches is commonly attributed to mobile devices such as smartphones. This, however, is false. Mobile phones account for about .01 percent of data breaches. This means that desktops, laptops and point-of-sale devices are the true culprits. 

What is really happening is that IT and security teams are getting better at protecting critical assets like servers. Servers are being patched more frequently, isolated from other devices and monitored more closely. Therefore, in some cases, even if a security incident occurs, it can be detected and addressed before an actual data breach occurs.

User devices in most cases are not deemed “critical” and therefore do not have the same controls. They are also susceptible to errors made by their primary users: people. This means that hackers are moving to assets they know they can attack: people and the computers they use daily.

Organizations should begin to consider adding all end-user workstations, desktops and laptops to their security information and event management (SIEM) monitoring systems. This added visibility will help detect the source of internal threats faster and aid in remediation efforts. This saves time and money during incident response activities and breach investigations.

This brings us to people as targets. I’ve written on multiple occasions about social engineering attacks, or those attacks that target humans to gain access to a system or data. In this year’s report, it is the No. 3 attack vector, behind malware and hacking.

As I’ve said before, providing security awareness training for your employees is one of the most beneficial security controls an organization can invest in. Simple 30-minute online learning courses don’t cut it, though. If you really want to see benefits, have your employees attend security sessions in small groups where they have to participate and be engaged. Once employees become not just educated in security awareness but actually invested in preventing attacks, an organization can have some assurance that many of the attacks coming their way will be identified and thwarted by the targets themselves, their own users.

If the 2016 DBIR does nothing else, it shows us that cybercriminals are no different from other types of criminals. They will adapt with changes in their environment and will target the areas they find weakest. The only way to combat them is to fight back with better training and tighter monitoring.

Dave Nelson 2015 IowaBiz Blog

Email: dave.nelson@integritysrc.com

Twitter: @integritySRC | @integrityCEO

Website: https://integritysrc.com

Comments

Kevin Mitnick, one of the most famous hackers of all time, used social engineering to gain access to many systems. This is a big problem that won't go away anytime soon. Thanks for pointing this out, Dave!



