Patching The HUMAN Vulnerability
We’ve covered recent vulnerabilities in internet-based services like Logjam, GHOST, and POODLE, all of which have a technical fix or countermeasure. Unfortunately, there is one category of online vulnerability that cannot be patched away: HUMAN. That’s not an acronym, like POODLE. It’s in all caps because we are all vulnerable. We’ve all received that phishing email that was so convincing we almost clicked the link. (And maybe you did click the link; we’re not here to judge!) In fact, we talked about social engineering attacks, with a personal example, in a post on How to Protect Your Data.
Those who perpetrate these crimes simply go where the people are. In the past, they reached out mainly via email, sending the same message to thousands of people in the hope that a few would take the bait. (Hence “phishing.”) The prevalence of social networking sites like Facebook, Twitter, and Instagram has given criminals a place to gather more information and make their con more convincing.
Social engineering, or the act of psychologically manipulating people to get them to give up confidential information, is just one way that humans are a risk to data security. Let’s look at a few others.
1. Curiosity. The old saying that curiosity killed the cat is still true today. You’ve probably seen the posts on Facebook that say things like, “Share this post and watch what happens next,” or “What are you doing in this video?” Now pop-culture sites are catching on with “click-bait” headlines like, “Check out this list of 10 people who actually exist. You won’t believe #7!” Humans just can’t resist being curious, so a link to free audio or video content can often be the front door that lets in the criminals who plant the virus, keystroke logger, or other malware. A great many of the dangers on the Internet rely on this predictable human vulnerability.
2. Laziness. We are creatures of habit. Change makes us anxious. It’s easier to leave your password the same for four years than to change it regularly. And it’s easier to build passwords from something seemingly safe or benign, like your favorite food or the name of the street you lived on as a child, than to create and memorize a random string of letters, numbers, and other characters. It’s easier to reuse one password across multiple platforms than to remember unique, safe passwords for several different websites. Getting comfortable with laziness can cause problems.
3. User Error. To err is human, right? Right. According to IBM’s 2014 Cyber Security Intelligence Index, 95% of all security incidents involved human error. One major type of error is sending sensitive data using methods that are not secure.
How to patch the human vulnerability
Unfortunately, there is no patch. But there are a few things you can do that can help mere humans become less of a risk.
1. Educate. As with many things, education is the first step in improvement. Encourage staff to read up on security. Send them articles about the latest threats. Almost everyone’s digital life extends beyond their work, so they have an interest in security that relates to other parts of their lives too. Make sure staff members at every level understand how much they are responsible for data security.
2. Identify protocols and empower staff. When it comes to human error, many mistakes can be avoided with a system of checks and balances. Make sure all staff have access to training. Put protocols in place for updating passwords (make them expire automatically if possible), and then set dates for reviewing your data security protocols. Have your staff show you that they have a lock set on their screen saver, or ask them about their system for managing passwords.
3. Put tools in place. If you’re going to require staff to change passwords on many systems, use a password manager application that keeps passwords safe and requires you to remember only one password. If staff are going to need to send large files or sensitive data, make sure your SendThisFile account, which encrypts data in transit and at rest, is available to them. Many companies use SendThisFile as an isolated cloud that allows them to monitor and control their staff’s ability to send out large amounts of data. File transfers can be restricted (whitelisted or blacklisted) by domain or IP address to prevent human errors when sending messages. Managers can even monitor audit logs to make sure there is no unusual account activity. Questions about how to do any of that? Give us a call at 855-736-3844 and find out more.
Remember, SendThisFile is a leader in secure and robust file transfers and your partner in data security.