When it comes to managing cyber risks, businesses often overlook one key vulnerability –their employees

Part of a technology risks series supported by

FMG Cyber

When it comes to cyber risk, firms consistently overlook one critical vulnerability: their employees. Exploiting this weakness is key to a successful attack.

For example, hackers use clever tricks to convince staff to reveal key pieces of information they will be able to exploit to gain further access to the network. This can be done by tricking people into either downloading some malware or giving information away on a website.

“The problem is that many businesses respond to this threat by saying, ‘We must train employees better,’ but the trouble is this is often not very realistic,” says Professor m Angela Sasse, UCL’s head of information security research and director of the science of cyber security research institute.

“For example, how can you tell people not to click on embedded links when part of their job might entail clicking on those links for legitimate business? Also, how much time can you expect your employees to spend studying a URL before they click on it to make sure that it’s OK? They have to get on with the job that they are paid for, right?

“So, when I go into businesses I ask: ‘Are links important to your company? If they are, then you can’t expect people not to click on them.’”

The problem with many cyber security policies is that they forget that businesses exist primarily to generate a profit. This consideration has to be at the heart of any cyber security strategy.

Busy staff

“It is impossible to expect people who are working hard – and most people have time constraints and too much to do – who are also not security experts, to disrupt their primary task and pay all their attention to these things,” says Sasse. “That would ruin most businesses from a productivity point a view.

“Many businesses are currently not supporting their employees properly and they think that they can just dump this responsibility on them.

“There is an unfortunate tendency among security specialists to think that humans are at fault for not spending all their time looking at security issues. However, in reality, it is ridiculous to think that the average person has the time and capacity to do this.

“People are sensitive to their productivity being compromised.”

Given this reality, the challenge is to design systems that can deal with risk and the need to be efficient while taking human fallibility into account.

“If firms expect their staff to make security decisions, then these have to be straightforward,” says Sasse. “They have to have simple rules that can apply across the board. All too often, staff have to evaluate whether certain rules apply in certain situations and it’s too much. If this approach was taken to health and safety, the health and safety officer would say that this was not acceptable.”

Management trends

The situation is becoming more critical in part because of trends in management. For a long time, cyber security was seen as the preserve of the IT department, but in recent years this responsibility has shifted towards the entire enterprise. Although this approach can be effective, Sasse also warns of potential problems.

“With this approach, there can be a kind of tacit complicity by management in the tendency of employees to put their productivity ahead of complicated, longwinded security measures,” she says.

“Whether for regulatory reasons, or whether it is the ‘industry standard’ to offer training for staff and place the responsibility on them, if it is taking too much time, employers are accepting – perhaps without admitting it out loud – that their employees will cut corners to get things done, because they can’t afford to get an order out late or upset a key customer.

“Security rules must become an easy habit. If they don’t become second nature, they won’t work, and far too many policies are just not workable.”

Sasse cites the example of a hospital where it might take 45 minutes for a caregiver to log on to the system in the morning. “That just won’t happen,” she says.

“They don’t have 45 minutes. Instead, the first person in will log on and everyone else will use their log in for the rest of the day – with all of the security problems that can cause, and the total loss of any hope of an audit trail.”

Dialogue needed

Rather than take a top-down approach, Sasse argues that staff need to be involved in developing security measures – and listened to when they give feedback.

“There needs to be a co-design process,” she says. “There needs to be dialogue. All too often, measures are suggested and designed by security experts who do not look at how these will work out in practice.

“The business owners should also set performance goals for the security people, [such as] that a process doesn’t take more than eight seconds or similar. Where this happened, the security people do respond to this.”

Sasse advises is to ask employees what the biggest sources of friction are in respect of technology and working practices. Then, the findings should be taken to the security people and a demand be made to find a better way of handling the problem.

“Get the security people involved in the business,” says Sasse. “The best security experts are already doing this; they understand their role is to be a business enabler, not merely thinking about risks but how to make things run better and increase productivity.”

A well-designed security system can offer many business advantages. It may enable them to operate in more ‘risky’ environments because of improvements in the way their security is managing risk. It can also help in the way they interact with customers.

“Perhaps [customers] are not using services offered through a PC, because they find the security arrangements too complex,” says Sasse. “By talking to them, it can become apparent that with a phone app, a greater degree of security and ease of use can be achieved, because the customer has more confidence there.

“Organisations may have been relying on a password for security. This can be a good system – if used frequently. However, if people don’t access the product every day, they may find it hard to remember a password and frustrating as a result. Instead, perhaps something graphical, picture-based or biometric might be better. It is vital to think around the problem to get results.

“In the future, more situations will arise where the customer won’t have to do anything and security will recognise them by their devices.”