Last month I attended the Cyber Threat Summit in Dublin and had the opportunity to attend the interesting presentation “Humans The weakest link in cyber security” by Mark Johnson, Chairman of The Risk Management Group.
The topic of the presentation is one of the most interesting in cyber security: the massive introduction of technology into every environment must take the human factor into account from a security perspective. In many cases, wrong user behaviour, failure to comply with security policies and lack of awareness of the cyber threats that could target a system are the main factors that can expose the overall integrity of an IT solution.
The principal families of security standards, such as ISO 27001, pay great attention to this subject, explicitly requiring the involvement of employees in the process of securing information. It makes no sense to have sophisticated security systems if the security of the infrastructure can be undermined by the actions of human beings.
Unfortunately, on many occasions in enterprise and government environments security is perceived as an additional cost and a burden that complicates ordinary work. Consider how wide the attack surface is for each user today: mobile, wireless access, cloud computing and social media all conspire to make life more complicated. The human factor is the underlying reason why many cyber attacks succeed, and underestimating the severity of potential cyber threats is one of the most common errors.
Distraction, ignorance and curiosity are just some of the factors that can lead to high-risk behaviour in terms of security; for this reason it is crucial to define rules to be followed in situations that expose the user to risk.
The effort needed to securely manage all these platforms and technological solutions could induce users to behave improperly, exposing their personal information, with evident risks, and in some cases the entire IT infrastructure.
According to Johnson's presentation, the main factors highlighting the problem of considering the human being the weakest link in the security chain are:
- Market becoming ever more ‘user-centric’
- At the same time, it is all becoming a lot more ‘virtual’
- Users becoming ever more device dependent
It is possible to formulate the following laws for ICT risk:
- The number of device owners is inversely proportional to the cost of ownership.
- The overall level of ICT risk is a function of the number of devices in use and the number of discrete vulnerabilities.
- The mean level of awareness and security competence of the user base declines as the user population increases.
The current ICT scenario shows a significant increase in demand for technology alongside a reduction in the level of users' awareness of cyber threats, a situation that creates fertile ground for cyber criminals who want to exploit victims' digital identities.
Users are completely dependent on the principal technologies, and their actions can have an impact on the entire cyber surface. Consider, for example, the use of a simple password shared among different platforms: the exploitation of those credentials could compromise the user's digital identity, but it could also represent a serious menace to other closely related environments. If the user adopts the same credentials to access his corporate email, he could give attackers precious information to use for further attacks such as an APT campaign.
Another factor related to the human being in the security chain is response time to an incident: cyber incidents occur at computer speed, but incident management takes place at human speed, another consideration that must be made in a security audit. The actions taken by users to respond to an incident or a cyber attack suffer from human latency, further exposing the victim to additional risks arising from the failure to apply the envisaged countermeasures immediately.
Of course, in this case the only possibility we have is to formalize the incident response procedures and push for their automation.
To strengthen the security of every process that involves humans, it is absolutely necessary to promote awareness campaigns. Whether in an enterprise or at home, it is fundamental to educate and train individuals on the principal cyber menaces, proposing best practices and also giving information on how to respond in case of an incident.
Read more at http://securityaffairs.co/wordpress/9076/social-networks/why-humans-could-be-the-weakest-link-in-cyber-security-chain.html