by Scott Lewis
There is a major tug of war regarding security, technology and how to secure human behavior. Technology is designed to make our users and companies more productive, increase information sharing across platforms, and provide the resources people need to serve customer needs and increase profits.
Businesses require technology to connect more systems, integrate more deeply and improve customer service, which has created a security nightmare for technologists and developers when it comes to risk management and mitigation. The speed at which we are changing the work environment in 2021 is also giving criminal organizations an opportunity to spread ransomware and other malware. The most significant risk we face right now is the feeling that technology alone will protect us. The reality is that it won’t, because the weak link in security is the human, so how do we control and increase awareness to lower the human risk?
Many studies have been done about why threat actors target humans, and basically, it comes down to two factors: laziness and human flexibility. Both characteristics are rooted in social engineering; you can’t have social engineering unless both characteristics are present. Some people call it human nature or human behavior patterns; either way, it all comes to a head when you are trying to secure anything: a house, a car or your technology. However, if you can systematically remove these two characteristics, you can reduce or eliminate the ability to socially engineer, and your security risk goes down.
Before we get too far, let’s look at what laziness and flexibility in human behavior mean when it comes to technology. When talking about laziness and employees, what it comes down to (in most cases) is a lack of understanding of why things work or don’t work the way that’s expected. If a company fails to clearly define and explain technology policies to employees, the result is confusion. Employee technology orientations and security training should be a crucial part of learning about your business for all employees. Providing them with a written policy containing an exact checklist of appropriate and inappropriate uses of technology will help build that culture of security within your organization from the first day of employment.
When talking about social engineering, there are still some tricks that hackers will use and employees will fall for that put your networks at risk. According to CSO United States, here are the top five social engineering tricks.
- Trick one, responding to an email that looks official. Always make sure that you know the person who is sending you emails. Scammers have become very good at making emails look official, so don’t be afraid to pick up the phone and verify the company, agency or person sending you the email. Scammers have started to add company or vendor logos and signature lines to spoofed emails, ensuring that the sender’s email address matches the signature line. You should also check to make sure the phone number and the sender’s return address are correct, which you can see simply by mousing over the email address. Scammers will also use subjects that you are interested in or that would likely get your attention, such as “Review this resume,” “Payment due,” or the all-time favorite, “You need to update your account information.” These are all subject lines that catch people’s attention, and depending on time of day, workload or other job stresses, employees may not go through the standard checks they would typically go through.
- Trick two, you missed a voicemail. This is becoming a widespread trick, and hackers and scammers have seen an increase in success when using it because of the higher-than-average number of people working from home. When people respond by returning the phone call, the scammer asks for access to their systems because they have “determined” that you have a security issue, malware or some other critical item. The user allows access through a remote connection, at which time a Trojan, virus or other malware is loaded and executed under the guise of fixing your issue.
- Trick three, free stuff; we all love free stuff, and studies have shown that if you offer people something for free, they are far more likely to respond to an email or click on a link. Columbia University’s study showed that if you offer people a dollar to respond, responses go up by 30%. If you offer five dollars, responses go up by 65%, and it is because we have built a society where even small free tokens of appreciation get huge responses.
- Trick four, drive-by downloads. Anti-virus is good, but it alone is not the complete security package. You must take a layered approach to security; in some cases it may seem redundant, but each layer can be designed as a countermeasure for a particular threat window. All software has weaknesses, and in some cases hackers have written code into their viruses that can exploit those weaknesses and bypass your security measures. These exploitation methods can be embedded in websites, phishing emails and social media, and sometimes hackers can take advantage of legitimate websites that are not adequately secured and embed viruses in them. Easy countermeasures include implementing a website-monitoring program and disallowing sites like social media, outside email sites and other traditional websites you should be filtering. Remove local administrator rights on the workstation: in most cases these programs need to modify the local workstation’s active directory, and they won’t load without administrative rights.
- Trick five, open WIFI. Using open WIFI has become a massive issue due to the volume of workers working from home or remote offices. Employees now want to work from anywhere at any time, so public WIFI and WIFI in coffee shops, motels and fast-food locations have become very popular. It is always a good idea not to connect to open WIFI. Keep in mind that open is open: there is no filtering, and if you can see the Internet, other people on that network can see you. Use your own cellular service instead of open WIFI; cellular service is far more secure and less likely to be hacked. Home WIFI is typically not secure, or not very well secured, allowing neighbors or others to connect from the outside. If you have workers operating from home, consider having your IT people check and ensure that their home WIFI is appropriately hardened and secure.
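As an added example, not part of the original article: a small Python script that automates the checks trick one describes (return address, Reply-To, the signature-line address and lure subject lines) against a constructed sample message. All domains, names and numbers in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject phrases the article names as common lures (matched case-insensitively).
LURE_SUBJECTS = ("review this resume", "payment due", "update your account")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: the From domain, the Reply-To/Return-Path domain and the
# signature-line domain all disagree, which is the mismatch a reader is told to look for.
SAMPLE = """\
From: Acme Accounts Payable <ap@acme-billing-portal.example>
Reply-To: ap.helpdesk@webmail-free.example
Return-Path: <bounce@webmail-free.example>
Subject: Payment due - invoice 4471
Content-Type: text/plain

Please review the attached invoice and update your account information.

Jane Doe, Accounts Payable
Acme Corp | jane.doe@acme.example | (555) 010-0199
"""

def domain_of(addr: str) -> str:
    """Return the lower-cased domain of a header address, or '' if there is none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""

def analyze_message(raw: str) -> list[str]:
    """Return a list of findings; an empty list means no mismatch was detected."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    # Reply-To / Return-Path pointing somewhere other than the visible sender domain.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom!r} differs from From domain {from_dom!r}")
    subject = (msg.get("Subject") or "").lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        findings.append(f"subject uses a common lure phrase: {subject!r}")
    # Addresses written into the signature block should belong to the sender's domain.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for dom in sorted({a.rsplit("@", 1)[-1].lower() for a in ADDR_RE.findall(body)}):
        if dom != from_dom:
            findings.append(f"signature address domain {dom!r} differs from From domain {from_dom!r}")
    return findings

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE):
        print("WARNING:", finding)
```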
Can human behavior change or do we need to succumb to who we are - knowing we are going to make mistakes? We all can agree that mistakes will happen for various reasons; the goal is to understand why the mistake was made, improve our understanding of the mistake and use education and awareness to improve. Some factors can contribute to the modification or identification of how security and human behavior interact.
- Overreliance on security products. There must be countermeasures to protect the company and its users, and these come in the form of security software or devices that manage security processes. These countermeasures may start with policies and procedures that outline security measures; other factors that play into human behavior are physical and mental workloads, changes in behavior and the soft-dollar costs of merely getting through daily tasks. However, research has shown that when people feel stressed or physically overworked, they tend to lean on the security product to protect them rather than maintaining their own awareness.
- To understand how security works, we have to keep in mind that individual workers do not understand how security works. When employees bump into security measures and perceive that security is interfering with their ability to manage their workflow or complete primary functions, they tend to look for and use shortcuts or workarounds. That is why creating a culture of security in your organization is so essential, and employees need to understand how security works and the importance of security. Continued education and explanations of security measures with an open dialog of why things work the way they do will reinforce the importance and awareness of certain behaviors’ risk to the organization.
There are many schools of thought when it comes to human behavior and technology. Some believe that companies should automate security to the point where it takes human choice entirely out of the picture. The one variable that can’t be secured is the human, and most security breaches in today’s computing world start with human error. The people who subscribe to a full-control methodology are trying to account for the human desire to be efficient at work, with as little obstruction as possible, and to that end workers are at times willing to shortcut security.
Cybercrime, which includes stolen data, identity theft, ransomware and other financial crimes, will cost over six trillion dollars a year by the end of 2021. These statistics could be interpreted to say that although we know how to secure systems, the cybercrime industry is so lucrative that it will be an ongoing battle to manage security, invest in security, and stay aware of new and emerging threats. However, we can’t forget about the human: building a security culture, with repetitive training, is what keeps complacency from setting in.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 36 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium, and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279. To learn more about Business Manager 365, visit www.businessmanager365.com.