Mitigating the human risk in cybersecurity

Issue 9 2020 Information Security

There is no end to the news announcements from around the world that yet another organisation has been subject to a data breach or some form of cyberattack which has resulted in the loss of sensitive data, intellectual property and/or money. This is all before one takes into account the also seemingly endless stream of ransomware attacks.

Most people seem to think cyber breaches of this type are the result of some highly technical hacking endeavours by criminals in basements with nothing else to do with their time. While these types of breaches do occur, for most organisations the biggest threat is the human factor. Someone clicks on an attachment or a link that compromises the security of their entire network, or someone shares login credentials for the sake of convenience, etc. And then there are those who have malicious intent and actively work to allow criminals into their employer’s network in the hopes of getting a payday from the criminal proceeds.

The number of products and services available today that are designed to protect against cyber breaches is almost innumerable. But, as the cliché states, the more advanced the protection technologies become, the more advanced the criminals’ attack methodologies become.

Of course, this ongoing battle is only one aspect of the war. The human factor has become the easiest and most profitable way for criminals to achieve their goals.


Anna Collard.

As Anna Collard, senior vice president of content strategy and evangelist at KnowBe4 Africa notes, “in May 2020, the personal records of more than 24 million South Africans and nearly 794 000 companies were handed over to someone impersonating a client. The personal records, identity numbers and addresses of millions of people and thousands of businesses were given to this person because they had fooled the system.”

This was not a hack, but a foolish and preventable mistake. Adds Collard: “It’s a hard lesson in how important it is to embed security not just into the technology and the devices of a company, but into its people. Security is not just the responsibility of IT; it is the responsibility of every single person in an organisation.

“It is critical that organisations create a culture of security in order to combat this increasingly hostile security environment. A successful security culture is driven by leadership, the human resources (HR) department, internal marketing and communication, and ongoing security training. Truly agile and capable security is a people project, not a technology one.”

Chris Ogden, CEO of RubiBlue, echoes this sentiment. “Everyone in the business needs to be accountable for security concerns. Constant engagement and communication with them is critical to ensuring this is executed effectively.”

The three pillars of cyber risk and security

Edison Mazibuko, technical director, DRS, adds that there is no doubt that the cybersecurity of many organisations would be in a much better state if there were no humans involved. “However, we do live in a real world where companies consist of people, processes, and technologies. The balance between these three components is what drives businesses to achieve greater efficiencies.


Edison Mazibuko.

“Technology and processes can always be improved and fine-tuned. The people component is complicated and more involved. We must not make the mistake of thinking security awareness refers only to users not clicking on suspicious email links or preventing tailgating into your building. The human component selects and purchases the technologies, defining the very processes and procedures to be followed in the company. Consider the fact that each human is unique with different mental models. These individuals decide how to respond to events and are faced with hundreds of decisions daily.”

As a solution, Mazibuko advises we take a page out of advertising; they know repetition is one way to embed their message into your subconscious, which leads to automatic brand recognition and product purchases. In similar fashion, security awareness needs to be continuous and not done once a year.

“Consider human nature when designing controls and processes,” he adds. “It comes as no surprise that humans are more likely to do the easy thing than the right thing. Strive for action instead of people memorising facts they will not use – this can make a difference between getting breached or not.”

Examples Mazibuko provides include: instead of telling people they must not use their dog’s name for a password, we must teach them how to form strong passphrases instead of easy-to-forget passwords that end up on sticky notes anyway. Where possible, he says multi-factor authentication should be implemented for stronger security.

Expanding on the above, Henk Olivier, MD of Ozone Information Technology Distribution, adds three factors that should be considered when it comes to people and cybersecurity.

1. One of the first factors is a lack of knowledge and education on the risks. Olivier says companies do try to educate users on potential risks that not all software tools eliminate, for example phishing emails and websites, weak passwords and more. These are basic educational factors that can make a big difference in a company’s cybersecurity posture and organisations must have a cybersecurity policy around the usage of company IT equipment.

2. The software used on a computer can be a big factor when it comes to the risk of a cyberattack, malware infections or ransomware attacks. Companies need to ensure that the software used receives constant security patches and updates.

3. Most employees have a work device that they take home and that gets used by their children or partners from time to time, and most of the computers get used to access other email accounts via a web browser. That can present significant risk.

These are by no means the only risk factors to consider, but are some of the common risks that are ignored and can lead to unpleasant consequences.

Remain people centric

Despite the view many have that cybersecurity is a ‘techie’ thing, effective protection must be part of every employee’s daily processes. Overall, developing a people-centric culture is critical to cybersecurity and even the technology industry as a whole, as advances seem to outstrip understanding.

This is why HR has to be involved with security, notes Collard. “It is fundamental to changing behaviour within the organisation and helping to build a culture that recognises the importance and value of security. It is, of course, also the disciplinary arm that enforces policy and that ensures there are consequences when people continue to break the rules or fall for phishing scams or perpetually do the wrong things.”

She adds that with data protection regulations such as South Africa’s Protection of Personal Information Act (POPIA) in full effect, the cost of an avoidable mistake can result in hefty fines or even imprisonment for the directors of the company. A mistake can be as simple as someone clicking on a phishing email, falling for a social engineering call or unleashing a ransomware virus because they didn’t recognise the risk.

“This is where good communication becomes as essential as good technology,” states Collard.

Creating good cyber-hygiene

Renee Tarun, deputy chief information security officer (CISO)/vice president of information security at Fortinet, describes the best form of defence – education, awareness and potential repercussions – as cyber-hygiene. She offers three steps to establishing good cyber-hygiene:


Renee Tarun.

1. Prioritise cyber-awareness training: In addition to teaching about common indicators of cyber scams (i.e., the promotion of ‘free’ deals), these training offerings should also feature simulated phishing exercises designed to test knowledge and determine which employees might need more assistance.

2. Create a partnership between the security team and other departments: When employees know what is expected and feel like they are a part of the team, they are more encouraged to follow best practices and help chip away at the behaviours that cause accidental insider issues, such as forgetting to change default passwords or neglecting to use strong passwords or other strong authentication mechanisms like multi-factor authentication and mobile application tokens.

3. Establish straightforward best practices: Even once employees are made aware of what to look for in the case of a social engineering attack, they may still need some guidance when it comes to next steps. While it is easy to ignore or delete a suspicious-looking email, what about those that appear normal that the receiver is still unsure about? In this scenario, CISOs should encourage employees to ask themselves certain questions to help make the right judgment call: Do I know the sender? Was I expecting this email? Is this email invoking a strong emotion like excitement or fear? Am I being told to act with urgency?

Everyone wished there was a silver bullet that could secure their systems from cyber risks, but in the age of the Internet this is not an option. Apart from technical solutions, employers need to develop processes to educate their staff, create ongoing awareness and assist them in identifying and dealing with anything they perceive as a risk – even if it means calling the IT department and being on the receiving end of eye-rolls and exasperated sighs.

“Success will depend entirely on the level of stakeholder buy-in, the depth of the training and a commitment to ensuring that the training is ongoing and measurable,” concludes Collard. “Security training has to be iterated and repeated constantly to ensure that people are always kept aware of its importance and any changes in attack vector or threat. Only by keeping security top of mind, all the time, can an organisation truly embed a culture that’s capable of staying secure and alert.”


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Alarms are smarter than ever
Spectrum Security Products Technews Publishing SMART Security Solutions Arxtech Perimeter Security, Alarms & Intruder Detection
Modern smart alarms are evolving beyond simple sirens and basic alerts. They now include features such as system health checks, remote management, real-time notifications, mobile apps, and multiple communication options.

Read more...
From the editor's desk: The high price of cheap
Technews Publishing News & Events
Bringing fire and safety, along with intrusion and perimeter protection, into the same publication is an interesting exercise. At their core, all these systems exist for one reason: to warn people ...

Read more...
Fire safety in South Africa
Technoswitch Fire Detection & Suppression Technews Publishing SMART Security Solutions Editor's Choice Fire & Safety Security Services & Risk Management
Fire safety is sometimes ignored, sometimes relegated to whatever is cheapest, and sometimes treated with the seriousness it deserves, given that it focuses on protecting life and assets.

Read more...
Preventing and suppressing lithium fires
SMART Security Solutions Technews Publishing Editor's Choice Fire & Safety Security Services & Risk Management Smart Home Automation
SMART Security Solutions asked Clyde Becker, director of Pyro Brand, for some insight into the mechanics of lithium-ion battery fire risks, especially thermal runaway, and to define a comprehensive, layered approach to fire detection and suppression.

Read more...
Integrated layers offer dependable security
OPTEX SMART Security Solutions Technews Publishing Perimeter Security, Alarms & Intruder Detection Integrated Solutions
A layered approach to security tightens protection and minimises downtime and operational risk. Moreover, integrating all the parts of a solution and proving they can do the job before spending money are critical.

Read more...
Cybersecurity needs actual intelligence before artificial intelligence
Information Security AI & Data Analytics
Cybersecurity depends on interpretation. A tool can tell you that something unusual has happened, but people need to determine whether it is a genuine risk, the business impact, and how to respond without causing unnecessary disruption.

Read more...
Duxbury Cybersecurity sharpens reseller offering
Duxbury Networking Information Security News & Events
Duxbury Networking has strengthened its Duxbury Cybersecurity business unit by adding WatchGuard and Cynet, giving South African resellers broader, more integrated coverage for the security risks customers are now asking them to address.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
NEC XON detects and stops ransomware attack
NEC XON Information Security IoT & Automation
Ransomware attacks rarely begin with chaos. More often, they start quietly, with probing, mapping, and patient reconnaissance inside a target’s network. That was the situation facing a global recruitment firm when cybercriminals attempted to navigate its systems.

Read more...
Sara AI Pentesting available in South Africa
Information Security News & Events
Synack and Wolfpack Information Risk are offering Sara AI Pentesting to organisations across South Africa, helping companies move from point-in-time testing to continuous security validation with AI and human expertise.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.