Update: Cybersecurity

The human being – from risk to protective shield!

Urs Küderli
Partner and Leader Cybersecurity and Privacy, PwC Switzerland

To make a mistake is human, as we all know – even more so in a digital world with supposedly zero tolerance for errors. Modern cyberattackers take advantage of this trait and penetrate corporate IT systems through entry points that are mostly man-made. Read on to learn why human behaviour still facilitates cyberattacks, and how companies can channel that same behaviour to improve their cyber-resilience.

Easy access to intelligent information

Today, cybercriminals work in a way that’s quick, effective, automated, highly networked and extremely professional. Thanks to the increasing digitisation of information about people and companies, cybercriminals have excellent information about their targeted victims. Through social media, blogs and websites, they can find virtually anything in Switzerland that makes it easier for them to plan and carry out an attack. Who works where, who the company has just hired in the executive suite, what the latest interesting topics are – all information that can be easily retrieved.

Just a few years ago, cyberattackers mainly stole, sold or misused business data; today they primarily use it as leverage to demand ransom money. Ransomware attacks (extortion) are one of the primary threats from cyberspace (see box). Attackers know companies in great detail, including how much money they can demand so that an unprepared company would rather pay than endure the attack and respond appropriately.

Digital Trust Insights 2023

  • Building cyber resilience is a priority ahead of the threats of a global recession or a pandemic-related crisis. Attackers are not affected by recessions!
  • Extortion via ransomware is one of the threats from cyberspace with the highest damage potential.
  • There are still incidents involving phishing emails and poorly maintained hardware and software.
  • Overall, Switzerland is significantly less confident about cybersecurity than other countries.
  • Interested in more ‘Insights’? Download the full report: Digital Trust Insights 2023

We’re human beings, and this is something criminals take advantage of. However a cyberattack is designed, it usually exploits human flaws or weaknesses. The information that individuals, and the company as a whole, disclose about themselves on digital channels and media is a source for attackers. What’s more, patchily updated systems, unknown and unmaintained shadow applications and a negative error culture within the organisation all make forced intrusion easier. Below, we turn our attention to the human aspects that make it easier for cybercriminals to enter and work their way through a company’s IT system (see figure).

[Figure: Human errors and system-related gaps open the door to cyberhackers.]

Social Media

With social media, the name says it all: they are social and media. This means they work because people interact with one another and share and disseminate information. This makes them a perfect El Dorado for cybercriminals, who can tap into two useful sources of information at once:

  • Private information: On social media, employees and managers share details of what they get up to in their spare time, and disclose information about time off or holidays, hobbies, family and sports activities, cultural and language preferences and places where they like to stay. This makes it easier to establish personal contact and awakens the victims’ interest.
  • Business information: Business networks and many company websites provide precise information about the organisational structure, roles, functions, areas of responsibility and competencies within the company. Photos, names, email addresses and direct telephone numbers are stored. When it comes to good employer branding, companies also talk about entrepreneurial purpose, values and their corporate culture.

The rapid advance of social media has put companies in a real dilemma. On the one hand, they need a presence in order to present themselves to employers, investors, customers, suppliers and the general public as a trusted authority and contemporary dialogue partner. On the other hand, they reveal information that makes it easier to carry out personalised and tailored attacks. It’s important for companies to understand that such data is available and that internal information is no longer a secret.

Phishing

Attacks via phishing email are still the most common access method. With phishing attacks, cybercriminals pose as a trusted communication partner via fake websites, emails or mobile text messages in order to persuade the other party to take damaging action and compromise cybersecurity. As a result, employees perform a transaction, disclose user data and passwords or directly activate malware, for example. Phishing takes advantage of two very human characteristics at the same time: good faith and the desire to get something done quickly. It’s very rare for someone to intentionally click on a malicious hyperlink.

Cyber-resilient companies regularly make their entire workforce aware of phishing and how it’s designed to look. There are various software solutions available that can integrate a phishing alert button into a company’s email application. This is used to automatically check a suspicious email or, in unclear cases, have experts check it and determine whether it’s legitimate, spam or a case of phishing. A quick daily test click on this tool is without a doubt more beneficial than hastily clicking on a phishing email.

Passwords

Hand on heart: how many different passwords do you have for all your personal and business logins? At some point creativity runs dry and you lose track. Most people have a set of just a few simple, memorable passwords. They like to keep them somewhere close at hand, so they can access them quickly and easily. This makes password hacking a piece of cake. Even worse is reusing passwords, meaning that an attack on one system can quickly provide access to several other systems and services.

Just as key management is essential for facility management, sound password management is essential for effective cybersecurity. This is why it’s advisable to have a separate long and secure password for each user account, which is changed after a certain period of time. It’s also worthwhile deploying tools for the professional management and assignment of passwords and using two- or multi-factor authentication as an additional layer of protection. Businesses and individuals are advised to use a secure password management solution that allows passwords to be synchronised across multiple devices.

Shadow IT

With increasing work mobility and the popularity of home offices and remote working, private end devices like mobile phones, tablets, laptops, routers, scanners, memory sticks and printers are often used for business purposes as well. What’s more, apps or cloud services are also installed on them or they’re used to download business data. More and more, we’re also seeing the use of private storage locations (NAS, cloud) to store or back up business information. This is referred to as shadow IT, because the security of these systems and applications can’t be fully controlled or guaranteed by the company. It can be assumed that employees act in good faith – in other words, they don’t deliberately install insecure or data protection-critical infrastructure and software. Yet shadow IT is widespread, and poses significant security vulnerabilities and increased cyber risks.

Shadow IT also often grows within companies, for example through software and services introduced by business units, such as cloud services, bypassing the company’s IT and security functions.

In any case, it’s important to get a clear picture of who’s using shadow IT, how they are using it and what risks are involved. On that basis, the infrastructure and programs in use must be checked against the company’s security standards and officially permitted, or alternatives must be defined. Finally, guidelines and controls should be established and, above all, employees should be made aware of the risks.

Error culture

“A man who has committed a mistake and doesn’t correct it is committing another mistake.” Although this insight is as old as its originator Confucius himself, it’s still extremely relevant. That’s because a company’s prevailing error culture is critical to its ability to respond to a cyber incident. Anyone who’s afraid of being punished for unintentionally clicking on a harmful link and so doesn’t report it may do more harm to the company than if they were to inform the relevant department immediately. This would enable them to quickly diagnose the problem, get a clear picture of the damage that’s been done and is yet to come, and take appropriate measures to clean up the situation.

There’s no such thing as 100% security. A company must accept that it can’t prevent the ominous click, no matter how trusted the relationship is with its employees. Instead, it should establish a positive error culture. It’s essential that the people concerned report these inadvertent clicks immediately so that the emergency plan developed for this purpose can be activated without delay. In this respect, literally every second counts.

Using people to combat risks

Machines are praised for not making mistakes; with humans, mistakes can never be ruled out. Cybercriminals combine these errors with the vulnerabilities of IT systems in order to compromise them. Cyber-resilience is strengthened by involving employees and purposefully managing human behaviour. Here are five simple and practical tips on how to address human vulnerabilities in your organisation.

  1. Rethink what information your company and key positions reveal on social media.
  2. Regularly make your employees aware of phishing and install a corresponding test add-in in your email application.
  3. Inform your employees about the importance of professional management and assignment of passwords and offer support (e.g. password manager).
  4. Get a clear picture of your shadow IT, and determine who can use which private devices and install applications and data on them.
  5. Reward the internal reporting of an incorrect response, and regularly practice implementing your emergency plan.

Contact us

Urs Küderli
Partner and Leader Cybersecurity and Privacy, PwC Switzerland
Tel: +41 58 792 42 21