13 Apr The human factor: five ways to reduce cyber risk exposure
Co-authored with Neil Griffiths and Danny Lam at Eighty20 Solutions
The evolution of working practices and rising cybercrime are raising the stakes for vulnerability management and data protection. While the attack surface grew during COVID thanks to the proliferation of device types and locations, effective use of endpoint management solutions can do much to secure these. As the most vulnerable point of entry for any organisation is still likely to be its people, what can organisations do to better manage the human element in their cyber risk?
The pressure is building on organisations to double down on data protection and cybersecurity. The cyber breaches of 2022 were damaging to the brands of the companies involved, and the negative impact on their bottom lines is still being reckoned with. As well as proposing new privacy reforms to hold businesses to account for incidents like these, the government is introducing new cyber risk management requirements for organisations responsible for securing critical infrastructure. Under these new protocols, board members across sectors including energy, healthcare, water, food, transport and communications will be held responsible for failure to secure assets from cyberattacks.
Just what cyber risk compliance standards directors will be expected to meet isn’t yet clear. The Essential Eight mitigation strategies from the Office of the Australian Information Commissioner (OAIC) are a good measure of the framework organisations will be following. But does the Essential Eight address the human element that looms large in data breaches?
According to the Verizon 2022 Data Breach Investigations Report, there was a human factor involved in 82% of data breaches globally last year. In its latest statistics, the OAIC reports a fall of almost a third (31%) in notifiable breaches caused by human error compared with the previous reporting period. However, phishing attacks still account for around a quarter (26%) of data breaches arising from cyber security incidents, and compromised or stolen credentials make up another quarter (25%). In many of these cases, it is humans who are being duped into handing over data.
While Essential Eight is an important cyber security framework to have in place, it has limited relevance to the policy, governance and settings you need to mitigate this human factor in your vulnerability management and protections. We share five ways to move your organisation forward with better controls and practices in place to keep your people informed and limit their potential for inadvertently causing a breach.
1. Train effectively and frequently
2. Run phishing 'tests'
Results from regular phishing tests are just one example of how IT teams can be proactive in staying on top of the cyber threat environment. Recorded outcomes from this sort of routine penetration testing produce important inputs for keeping cyber security training and mail system controls up to date. When gaps are detected, organisations can create or amend policies in their mail environment to prevent phishing emails from reaching employees in the first place.
3. Tighten up identity management
Taking a big step up in policies, processes and technologies for identity management is vital if organisations are to limit the risk of a data breach. Having robust and actionable policies in place for defining and revalidating user access can keep employees from being a potential weak spot for leaking sensitive or confidential data. Tooling in MS365 and Azure Active Directory supports this for the operating environment but needs to be matched with a governance layer. Mandating a routine user review process with line managers will ensure users aren’t left with access to data when it’s no longer necessary.
In the past, poor password practices have been another blind spot through which user access is compromised. While this issue hasn’t disappeared entirely, it’s gradually being eliminated thanks to biometric identity access – using fingerprint or facial recognition in place of passwords.
4. Sort out data architecture
Biometrics are just one example of advances in technology that can save humans from having to be vigilant about natural weaknesses that can turn into cyber risks. Without resorting to Big Brother levels of monitoring, technology can identify patterns in data traffic that should be explored. Keeping tabs on access to financial and contractual data, for example, can alert you to a potential loophole in data management.
This approach relies on defining your data architecture and classifying data as it’s created and/or stored. Once this is set up, MS365 E5 makes it easy to apply controls to keep unsuitable data from being shared, internally or externally. It can also help with setting dates and intervals for auto-deleting or archiving data, so that it is not stored or retrievable for any longer than operations or compliance require.
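As an added illustration of the retention and sharing controls described above (example configuration written for this article, not Eighty20's own scripts), the following Security & Compliance PowerShell session keeps contractual data for a fixed period and then deletes it, and blocks external sharing of items containing a built-in sensitive information type. The site URL, policy names and retention period are assumed placeholders to adapt to your own data classification.

```powershell
# Assumes the ExchangeOnlineManagement module and a Purview-capable (E5) tenant.
Connect-IPPSSession

# --- Retention: keep contractual records for 7 years, then delete -------------
# Placeholder site URL; scope the policy to wherever classified contract data lives.
$contractsSite = "https://contoso.sharepoint.com/sites/Contracts"

New-RetentionCompliancePolicy -Name "Contracts-Retain-7y" `
    -SharePointLocation $contractsSite `
    -Enabled $true

# 2555 days ~ 7 years, measured from last modification; KeepAndDelete retains
# the item for the period and removes it afterwards, so nothing lingers beyond need.
New-RetentionComplianceRule -Name "Contracts-Retain-7y-Rule" `
    -Policy "Contracts-Retain-7y" `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# --- DLP: stop financial data leaving the organisation ------------------------
New-DlpCompliancePolicy -Name "Block-External-Financial-Data" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode Enable

# Blocks sharing with anyone outside the tenant when a credit card number is detected.
New-DlpComplianceRule -Name "Block-External-CreditCard" `
    -Policy "Block-External-Financial-Data" `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true
```

Run the DLP policy in test mode (`-Mode TestWithNotifications`) first so that false positives surface in reports before users are blocked.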
5. Make the most of Essential Eight
As we’ve said, the Essential Eight is more focussed on strategies and controls that mitigate cyber risks at the system and application level. That said, adopting Essential Eight standards at each level of maturity will address many of the identity management and data access policies we’ve just touched on. Other Essential Eight standards – for disabling and whitelisting macros, for example – can also help put a stop to breaches caused by humans opening files or websites that let macros execute an attack. Keeping devices patched at the intervals recommended by the Essential Eight can also prevent some of the more common cyberattacks levelled at humans rather than at applications and systems.
For organisations looking to move up the maturity levels defined in the Essential Eight, MS365 E5 can be a cost-effective way to keep tooling simple and reasonably comprehensive. At Eighty20 we provide services to help organisations get the most value from the security benefits of their E5 licensing, as well as supporting adoption with change management and training. The service can also provide organisations with a framework to introduce processes and standards that fall outside of the E5 suite of security features.