Cyber Security and the Human Element
Modifying human behaviour to minimize risk
05 October 2021
Every year, the UK government conducts its "Cyber Security Breaches Survey" to help organisations understand the cyber security threat landscape, including the impact of breaches and how breaches occur in the first place.
Regarding how the breach came about, the results show that, year-on-year, 80-90%* of breaches occur in UK companies because of employee behaviour. This could include staff members inadvertently clicking a link in a phishing email, downloading an attachment, giving away information to a third party after being tricked by a legitimate looking request, or failing to check a site visitor's ID.
Intertek NTA was commissioned to run a phishing campaign against an organisation last year on the premise that the business had managed to secure a small number of PlayStation 5 consoles, and users had to "click here" to join a queue (that never ended!) and enter their details while they waited. The clickthrough rate was enormous at over half of those employees targeted.
In many of our physical social engineering exercises to assess cyber security threats, we've accessed buildings or office floors by taking advantage of a staff member's good nature. Playing the "I've forgotten my pass" line has worked multiple times, as has following a group of staff coming back from team drinks on a Friday. Often, pretending to be busy, or looking like you know where you're going is enough – nobody wants to pester the rushed businessperson on the phone. This reluctance for staff to challenge an unknown visitor by asking whether they have signed in, or their good-natured willingness to trust that the person is indeed who they say they are, ends up as an exercise in the delegation of responsibility. These positive aspects of human nature present a gaping vulnerability that intruders take advantage of.
We've found that some of this apathy comes from employees' belief that they are spectators rather than participants in organisational security – "Why would a hacker want my information?" or "This information is useless to anyone outside of my organisation." This problem isn't unique to cyber security, this is inherently a human problem whereby if we haven't seen or experienced the consequences, it's easier to deny it. We talk a lot about context in a previous blog post and how this sort of behaviour can be turned around when people are given the full picture.
Hollywood has made us believe that hacking is a complicated ornate dance, when the reality is that most breaches occur because of an opportunistic fraudster taking advantage of an average person's lack of cyber awareness and good nature.
If more people understood that they weren't the "goal" for the hacker, more like the "gatekeeper," they may appreciate the gravity of using easy-to-remember passwords, signing up for something personal with a work email, or offering a friendly smile and turning a blind eye to an unknown visitor. It's easy to shrug off intervention when you don't understand the consequences, but a lot harder to remain a bystander when you realise you could be the catalyst of something a lot more damaging.