About 15 years ago, a game show took public humiliation to new heights (or depths, depending on one’s perspective) by branding unsuccessful contestants as the weakest link in the group. They were then ushered offstage to the tune of the most soul-crushing “goodbye” in television history by the host.
Well, that game show is now off the air, but according to a recent Forbes article by Social Media and Compliance Specialist Joanna Belby, the weakest link in cybersecurity is, unfortunately, still very much alive: employees.
In the article, Belby plucked quotations and advice from moderators of a February Legaltech panel that was aptly titled “The Weakest Link: Employee Practices Around Cybersecurity”. According to moderator Judy Selby, a Partner of BakerHostetler LLP:
Employees are at the root of most cyber breaches. With recent breaches in the press, we tend to focus on technology, however these events mostly happen because of employee behavior. It could be as simple as a well-meaning employee sending business documents home to work on over the weekend, or because an unprotected laptop was stolen, or because an email was forwarded to the wrong person. Breaches can also occur maliciously by disgruntled employees as well. The impact of employee behavior on cybersecurity is an important issue, and probably isn’t getting as much attention as it should.
Belby goes on to list key ways that organizations can protect their assets and reputations from being assailed through the “weakest link” (a.k.a. employees) in their cybersecurity defense system:
- Get C-Suite to buy into the fact that cybersecurity is not exclusively an IT problem; it’s organization-wide.
- Use stronger passwords of at least 20 characters with a mix of upper case, lower case, and symbols. Passwords should be changed monthly as well.
- Implement a program to auto-delete emails. Never store files in email and don’t let employees send emails from work to home (or to any other unencrypted account).
- Train all employees to understand how spear phishing works, and how to avoid such attacks. Bad actors are getting much better at this and are using social networking sites and other publicly available information to craft very convincing fake emails.
- Make sure that employees use encrypted reusable media (if they must use them at all).
- Prevent employees from accessing potentially insecure web apps to store or share information.
- Create and enforce social media policies that both govern what can and cannot be posted, and use technology to control which features are acceptable or off limits.
Concluded Belby, “If businesses are held to a higher [cybersecurity] standard, they will need to strengthen the ‘weakest link,’ by training employees on proper behaviors in addition to investing in modernized policies, processes, and technology to protect personal information — or face stricter sanctions and reputational risk.”
While Belby’s advice is wise and her points practical and actionable, the fact remains that even the most robust cybersecurity system cannot be bulletproof. Advanced malware is remarkably sophisticated, and often designed to prey on specific vulnerabilities and weaknesses.
Furthermore, the growing use of mobile devices along with remote workers and teams means that there are simply far too many endpoints for IT staff to scrutinize around the clock. All it takes is one employee to visit a website, click a link, forward an email, log onto an insecure network, or perform any other seemingly ordinary task for a breach to occur.
And if that weren’t jarring enough, we’re now seeing a pattern emerge where organizations are under attack for weeks, months, and even years without even noticing. In such cases, it is third parties (law enforcement, banks, credit card merchants, and so on) that break the bad news.
In light of this, organizations that want to fortify their “weakest link” need to switch their cybersecurity approach from prevention to detection. Doing so allows them to proactively identify and shut down compromised endpoints, and to equip their IR teams with the accurate information they need to rapidly and effectively remediate the breach — and say “goodbye” to bad actors.
To learn about more weaknesses in prevention-based security solutions check out our recently released report, “State of Perimeter Security Defenses.”