According to a new study by Osterman Research, the most common source of ransomware infections in US-based organizations is related to email use: 37 percent were from a malicious email attachment and 27 percent were from a malicious link in an email.
This illustrates a big problem for cybersecurity in the workplace: while many businesses have sophisticated cybersecurity systems in place, they can’t always guard against human error – such as the employee who clicks on a malicious malware-containing link that can disrupt an entire system or network.
As an information security specialist, I have been researching how human behavior can provide insight into the way people conduct themselves online. In my research, I have looked to the influence of human behavior on motor vehicle safety, which has been extensively studied, because there are many parallels between operating a motor vehicle and operating technology.
In both cases, there is an emphasis on user awareness and training to better protect individuals. In the case of driving, this involves educating and testing people before they are issued a driver’s license as well as extensive public awareness campaigns on the dangers of driving without a seatbelt, and driving while drinking or while using a cell phone. Nevertheless, as we know, even when people are aware of the risks associated with a certain behavior – such as drinking and driving – it doesn’t always change that behavior. Today, in spite of the well-known dangers associated with texting while driving, people still do it, even in states where the act has been banned. And while seatbelts and airbags have greatly reduced auto fatalities, they have also boosted driver confidence, causing some drivers to drive more recklessly (known as the theory of risk compensation or risk homeostasis).
It’s why the information security industry is conflicted about an internet “driver’s license,” a security safeguard that has been considered and debated by technology experts and politicians. As with the auto industry, even with adequate information safety training, there will always be a subset of users who will perform activities that they believe have acceptable risk or that are within their desired risk tolerance. Strangely, this phenomenon is often associated with those who are most experienced with technology – these “power users” tend to forgo security controls they deem unnecessary because they believe they are knowledgeable enough to avoid them on their own. There are also those who are simply easy bait, and fall for the same malicious links over and over again.
Some have suggested that user responsibility for information safety should be reduced or eliminated through the use of managed security services (for example, third-party URL inspection/blacklisting services or proxies) or other technologies, but what is really necessary is a shared responsibility between individuals, business, government and tech providers – after all, the vast majority of people follow security protocols. It is the small number of people – those repeat offenders – who don’t follow safe practices and can cause a major headache for businesses.
As such, companies need to sharpen their cybersecurity training programs so that they focus more on changing user behavior. At my company, we implemented regular phishing training campaigns that resulted in a measurable reduction in opened emails in each successive campaign. These campaigns consisted of email messages that mimicked common phishing techniques. Recipients who clicked on a link in the email were directed to a web page that informed them that they had failed a phishing test. The page provided tips for identifying phishing emails. As a result of the training, our rates for phishing test failure are below industry rates for similar companies.
Companies should also update HR policies to outline actions that can be taken against employees who repeatedly fail phishing campaigns (in accordance with country laws). That way, employees will know their company is serious about cybersecurity and they need to be, too. Annual information security and ethics training should also be mandated for employees.
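As an added example (not the article's own or Xerox's tooling), the following Python computes the metrics a program like the one described in the two paragraphs above would track: the click rate of each successive simulated campaign, whether that rate is falling, the repeat offenders an HR policy would be applied to, and a comparison against an industry benchmark supplied by the caller. The campaign data and the two-campaign threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample results from three simulated phishing campaigns
# (hypothetical data, not any company's real figures).
# Each record: (campaign_id, user_id, clicked_link)
CAMPAIGN_RESULTS = [
    ("2015-Q1", "alice", True),  ("2015-Q1", "bob", True),
    ("2015-Q1", "carol", False), ("2015-Q1", "dave", True),
    ("2015-Q1", "erin", False),
    ("2015-Q2", "alice", False), ("2015-Q2", "bob", True),
    ("2015-Q2", "carol", False), ("2015-Q2", "dave", True),
    ("2015-Q2", "erin", False),
    ("2015-Q3", "alice", False), ("2015-Q3", "bob", True),
    ("2015-Q3", "carol", False), ("2015-Q3", "dave", False),
    ("2015-Q3", "erin", False),
]


def click_rates(results):
    """Return {campaign_id: fraction of recipients who clicked}, in campaign order."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    order = []
    for campaign, _user, did_click in results:
        if campaign not in sent:
            order.append(campaign)
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return {c: clicked[c] / sent[c] for c in order}


def is_improving(rates):
    """True when every successive campaign's click rate is lower than the one before."""
    values = list(rates.values())
    return all(later < earlier for earlier, later in zip(values, values[1:]))


def repeat_offenders(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns (hypothetical HR-policy trigger)."""
    counts = defaultdict(int)
    for _campaign, user, did_click in results:
        counts[user] += int(did_click)
    return sorted(user for user, n in counts.items() if n >= threshold)


def below_benchmark(rates, industry_rate):
    """Compare the latest campaign's click rate against a caller-supplied industry rate."""
    latest = list(rates.values())[-1]
    return latest < industry_rate
```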
Creating a cybersecurity coordination center to coordinate internal and external responses to security events can provide IT and InfoSec staff with awareness and communications about emerging threats and trends, both in general and specific to their own industry and the industries of their customers. Externally, the center can assist with coordinating the response to threats and trends that require external communication. At Xerox, our own cybersecurity coordination center was honored with a CSO50 award in 2015.
Ultimately, applied risk research in the motor vehicle and other industries indicates that positive and negative behavioral adaptation will always be partial. Human error will always exist when users interface with technology, and even one errant click can cause a widespread incident or breach. Training and awareness campaigns can reduce the amount of user error, but they must be combined with other efforts to reduce the impact to a tolerable level. Layered security controls and managed security services that reduce the amount of direct user interaction with technology are key components in achieving tolerance-aligned risk.