Like most other notable security breaches of 2014, the recent email leaks from the Sony hack brought the issue of cyber security into the spotlight. In the aftermath of the hack, one cannot fail to notice that only when such an event occurs does everybody suddenly seem to become aware of the threat that lies in wait in cyberspace.
More importantly, the question that frequently arises on these occasions is the extent to which people misinterpret their roles in cyber security. In relation to the latest breach, a recent article on The Street yet again pointed to the problem of people’s behavior when it comes to securing their online accounts. Here, Frost & Sullivan Ltd. consultant Jarad Carleton made an excellent point about business users’ insufficient awareness of the issue.
“Executives may be lax about connecting laptops that have been exposed to threats to corporate networks, or balk at using encryption to avoid entering another password. Companies typically have training for computer systems, sexual harassment or subjects, he observed, but often not for security,” notes Carleton.
Indeed, strategies for enhancing employees’ understanding of how they should approach corporate security are still a critical aspect that companies fail to handle. Despite the advanced systems they may be using to secure data transfer, a single weak password can cause a data breach. In a world where hyper-connected employees use multiple online collaboration applications and almost as many devices, this is certainly a significant problem. Cisco’s statement that business processes are “as strong as the weakest link” is therefore not at all erroneous.
Even though people are often seen as a critical factor in maintaining a healthy computer security environment, not many businesses take this implication too seriously. This is evident in the lack of employee training, as well as people’s general tendency to believe that cyber security is not their responsibility.
Consequently, we keep seeing corporate data shared via public, unencrypted networks and business credentials simply written on notes pasted to computer screens. Moreover, the common practice of creating weak passwords and reusing them for both private and business accounts is still one of the activities few companies try to regulate.
Considering these tendencies, it’s unsurprising that human error in one form or another accounts for a worryingly large portion of security breaches. One recent example is the earlier celebrity photo leak from iCloud, which most probably came as a result of using weak credentials.
Suffice it to say, in the business realm, such habits may have even more serious consequences. As illustrated in a white paper by Crucial Web Hosting, the human factor was found to be a root cause of data breaches in 35% of cases. By comparison, malicious or criminal attacks account for 37% of data breaches, while system glitches account for 29%.
Obviously, there is a great discrepancy between how security regulations work in theory and in practice. This view is further supported by research carried out by security specialists from major US and UK universities, which outlines specific cases of security circumvention. Probably the major takeaway from the study is that what really happens in companies “doesn’t match the technology’s underlying assumptions or even purposes.” Security systems as they are cannot function properly without people, and this is the sole reason why everyone, from employees to individual internet users, should be educated on the best cyber security practices.
In fact, the very subtitle of this research points to this. Namely, it states that “Good Users do Bad Things,” which is certainly a convenient way to approach the issue. Typically, data breaches are not likely to occur because of employees’ disloyalty, but rather because of their insufficient understanding of the role they have in the story.
Some of the proposed solutions to this issue are employee training that would encourage the use of strong passwords, two-step verification, and encrypted password managers. Introducing password management systems as an obligatory business tool could substantially reduce the risk of breaches, especially given the average number of online accounts employees use. Besides this, some rules and regulations concerning the use of cloud storage and sharing applications could further minimize the possibilities of unauthorized data access.
Even simple steps like these could contribute a lot to creating a more secure online environment in both corporate and private settings. Certainly, the system of corporate security is a highly complex one, and external attacks will always be a threat, but the general statistics could be lowered only if people were more savvy about their password behavior.
Finally, it could be said that there have been more than a few media attempts to point to an individual’s role in online security. However, most of these keep failing to show long-term results, as we still see “12345” and “password” being widely used to access online accounts. With hacking attempts becoming ever more sophisticated, this problem definitely needs more attention from both the media and companies, where the consequences can surely be devastating.
Top/Featured Image: By ITU Pictures / Flickr (https://www.flickr.com/photos/itupictures/8740778463/)