Human fallibility – weakest link in cyber security

Protecting the remote employee online, while securing your company's data.

Johannesburg, 02 Feb 2021

If the South African financial industry, and indeed the public at large, can learn one thing from the 2020 data breach at credit information agency Experian, it should be this: human fallibility is still the weakest link in the fight against cyber attacks.

By using standard social engineering techniques – simply asking the right question at the right time – the 2020 Experian fraudster, posing as a client, gained access to 24 million individual personal records, as well as confidential financial information for almost 800 000 companies.

Similarly, 2020’s Twitter data breach saw of hundreds of high-profile accounts breached, similarly achieved with one simple phone call to an unsuspecting technician.

Quite literally, data breaches are becoming a costly illustration of the old axiom ‘loose lips sink ships’ where manipulating human nature and exploiting human emotion can have dire consequences.

Whether it’s in the form of a low-tech phone call and traditional phishing e-mail or a more sophisticated malware and ransomware invasion via non-reputable applications and uncertified Web sites on unsecured networks, the holes are getting easier to open and the attacks more difficult to spot.

As we enter 2021 and the continued era of COVID-19 and the remote workforce, cyber criminals are using health fears and economic uncertainty as phishing bait to lure employees at home, where the links between their personal and professional lives are intersecting across multiple electronic devices using unsecure, non-regulation software over often insecure networks.

Companies, particularly within the financial industry where the digital exchange of sensitive financial and personal information has to be vigilantly managed and regulated, must also take a proactive approach to ensure all aspects of IT gatekeeping infrastructure – hardware as well as software – protects their employees at home.

Commissioned by multinational cyber security software company Trend Micro, the 2020 Head in the Clouds research report has evaluated how well the remote workforce is mindful of and prepared against potential cyber attacks.

The research sampled 13 214 remote workers across 27 countries, and found that while most employees understood the dangers of cyber intrusion and could identify and avoid the trademarks of a typical digital breach attempt, there is growing concern about bad security practices of employees at home, using less secure personal devices to access corporate data, and vice versa: corporate devices for personal use.

For details on the full Head in the Clouds report, see here.

Running a tight ship, while managing a dispersed fleet

To avoid the next Experian, South African banks, financial institutions and corporations will need to re-evaluate their cyber security infrastructure on three fronts, namely: people, policy and technology.

In managing and securing the remote workforce, companies can now no longer define themselves by location alone – outdated policies and obsolete technology cannot cover one building, one office, one department, with a single security blanket.

Constant education and awareness programmes may be effective to a point: It’s not only about teaching employees to spot the newest methods and signs of potential breach attempts, but also changing behaviour and creating a culture of accountability for devices – both personal and work-related – and their online habits.

A stronger relationship between the workforce and a company’s IT management is vital in determining a stricter yet adaptable usage policy. Employees should be always be aware of what exactly is acceptable practice online and what behaviour is considered irresponsible.

Ultimately, even the most sophisticated protection technology and the best online security processes can only be as effective as the culture of informed, accountable employees that the technology has been designed to protect.

For more information on our research, as well as how Trend Micro cloud-based and software security offerings can protect your organisation, visit Trend Micro’s Web site