Rethinking the Weakest Link in the Cybersecurity Chain

Author: Glorin Sebastian, CISA, CISSP, and Phanindra Kolluru, CRISC
Date Published: 27 August 2021

The cybersecurity chain consists of IT systems, software, networks and the people who interact with this technology. Most cyber researchers consider humans to be the weakest link in the cybersecurity chain. Nine out of 10 (88 percent) data breach incidents are caused by employee mistakes.1 Employees are also often unwilling to admit to their mistakes if organizations judge them severely. Based on this information, it could be deduced—and is often discussed in the cybersecurity industry—that employees are the weakest links in the security chain. However, it is worth considering that employee mistakes are only a symptom of the actual weakest link: The gaps within an organization’s security awareness training and cybersecurity culture.

Common Employee Mistakes

Some common employee mistakes that lead to data breaches include the following:

  • Phishing—Phishing is a cybercrime in which scammers try to lure sensitive information or data by disguising themselves as a trustworthy source.2 One in four employees has clicked on a phishing email at work, and men were twice as likely as women to fall for phishing scams.
  • Misdirected email—Emails sent to the wrong recipients either by mistake or willfully can have dire consequences if the data in the email are confidential. Many well-known data breaches have been caused by misdirected emails. For example, in 2020, a teaching assistant at Stanford University, Stanford, California, USA, was removed from the staff after using a course enrollment list to recruit for a private enterprise, which is a US Family Educational Rights and Privacy Act (FERPA) violation. Misdirected emails have also caused many political data breaches.3
  • Shadow IT software and services—The use of systems, applications or software without explicit approval from the IT department can also be the source of data breaches. Employees often choose to use shadow IT to work more efficiently because most shadow IT software are convenient to use. Some common examples of shadow IT include productivity applications such as Trello and Slack, physical devices such as flash drives, and programs used for converting PDFs to Microsoft Word.4 The risk with shadow IT comes mainly from the licensing, compliance and testing perspectives. Shadow IT does not come under the purview of the organization’s IT infrastructure audit; therefore, it is difficult for the cybersecurity team to have insight into the risk that it introduces and if it has controls in place to counter the risk.
  • Weak passwords and password sharing—These common vulnerabilities can be mitigated to an extent via mandated information security policies and training.
  • Public Wi-Fi networks—Public networks are often unencrypted, which makes users easy targets of common hacks such as man-in-the-middle (MitM) attacks. The best way to prevent this is to always use a virtual private network (VPN) to ensure that network traffic is secure.5

It should be noted that while these mistakes are common, security incidents can arise from other sources as well, such as the insertion of unauthorized devices into workplace computers, which could contain malicious hacker code and cause data breaches within an organization.

Methodology

Figure 1

Research was conducted with a group of 102 participants over a period of two weeks. The participants work mainly in the IT sector and do most of their work via computers. The majority of participants are from the United States and have less than 10 years of work experience. More than 25 percent of the respondents were female (figure 1).

The participants were contacted via LinkedIn and sent an online survey with five generic questions and five knowledge-based questions about common employee mistakes that lead to data leaks. For every correct answer, one point was awarded, which was used to calculate a final knowledge score. Participants were then sent security training information, after which they were asked to answer the same questions one week later. Based on the answers given in response to the knowledge-based questions, a knowledge score was calculated, which was used to measure the effectiveness of the cybersecurity training. The scoring was based on five knowledge-based questions that addressed the following topics:

  1. How participants would react to a sample spam email
  2. The definition of phishing
  3. Whether participants thought misdirected emails could lead to an EU General Data Protection Regulation (GDPR) violation
  4. Whether participants have shared passwords at work and if they think it is a good practice
  5. How to stay safe on public Wi-Fi networks

Data Analysis and Results

The data collected over the course of two weeks from 102 participants were analyzed and expressed as percentages and proportions for the purpose of this study. Figure 2 summarizes the data on organizational security training for the study population. The majority of the participants received yearly security training and reminders at work, and 75 percent of them think that their organization does not provide enough cybersecurity awareness training to equip them to react to cyberthreats. One-quarter of the survey respondents use or had used shadow IT software at work without the explicit approval of the IT department.

Figure 2

Figure 3 lists the test scores for the knowledge-based questions asked prior to and after the cybersecurity awareness training, which are calculated and expressed as percentages. The correct responses after training significantly increased for each of the knowledge-based questions.

Figure 3

Figure 4 shows the example email that was included in the questionnaire to help answer the first question. The email should be deleted and marked as spam because it is a phishing email.

Figure 4
Source: Phishing.org, “Phishing Examples,” http://www.phishing.org/phishing-examples

Figure 5 displays the cumulative knowledge scores earned before and after training. Due to the security awareness training provided, the cumulative knowledge scores increased by more than 20 percent. Frequent cyberawareness training greatly improves employees’ cyberawareness and better equips them to respond to cyberthreats.

Figure 5
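The scoring procedure described in the methodology section and the cumulative-score comparison above, as an added Python example that is not part of the article: one point per correct answer to the five knowledge-based questions, per-question correct rates, and the percentage-point change in the cumulative score after training. The answer key, question names and the four participants' responses are constructed assumptions, not the study's data.

```python
# Added example, not from the article: scoring a five-question pre/post
# awareness quiz as the study's methodology describes (one point per correct
# answer), then per-question correct rates and a cumulative knowledge score.
from typing import Dict, List

# Hypothetical answer key for the five knowledge-based questions (constructed).
ANSWER_KEY: Dict[str, str] = {
    "q1_sample_spam_email": "delete_and_mark_as_spam",
    "q2_phishing_definition": "impersonating_a_trusted_source",
    "q3_misdirected_email_gdpr_violation": "yes",
    "q4_password_sharing_is_good_practice": "no",
    "q5_public_wifi": "use_a_vpn",
}
QUESTIONS = list(ANSWER_KEY)

def score_participant(answers: Dict[str, str]) -> int:
    """One point per answer matching the key; a skipped question scores 0."""
    return sum(1 for q, key in ANSWER_KEY.items() if answers.get(q) == key)

def per_question_rate(responses: List[Dict[str, str]]) -> Dict[str, float]:
    """Percentage of participants who answered each question correctly."""
    n = max(len(responses), 1)  # guard against an empty survey
    return {q: round(100.0 * sum(r.get(q) == key for r in responses) / n, 1)
            for q, key in ANSWER_KEY.items()}

def cumulative_score_pct(responses: List[Dict[str, str]]) -> float:
    """Points earned as a percentage of all points available (participants x 5)."""
    available = max(len(responses), 1) * len(QUESTIONS)
    return round(100.0 * sum(score_participant(r) for r in responses) / available, 1)

def training_uplift(pre: List[Dict[str, str]], post: List[Dict[str, str]]) -> float:
    """Percentage-point change in the cumulative score after training."""
    return round(cumulative_score_pct(post) - cumulative_score_pct(pre), 1)

def _constructed(patterns: List[str]) -> List[Dict[str, str]]:
    """Build sample responses: 'C' = correct, 'W' = wrong, '-' = skipped."""
    return [{q: ANSWER_KEY[q] if flag == "C" else "wrong_answer"
             for q, flag in zip(QUESTIONS, pat) if flag != "-"}
            for pat in patterns]

# Constructed sample data for four participants (one row each), not the study's data.
PRE_TRAINING = _constructed(["CCWWC", "WCWCW", "CWC-W", "WWWCC"])
POST_TRAINING = _constructed(["CCCCC", "CCCCW", "CCCWC", "CWCCC"])

if __name__ == "__main__":
    print("per question, before:", per_question_rate(PRE_TRAINING))
    print("per question, after:", per_question_rate(POST_TRAINING))
    print("cumulative before/after (%):", cumulative_score_pct(PRE_TRAINING),
          cumulative_score_pct(POST_TRAINING))
    print("uplift (percentage points):", training_uplift(PRE_TRAINING, POST_TRAINING))
```

Skipped questions are scored as incorrect, which matches a one-point-per-correct-answer scheme; the per-question table is what a figure 3-style comparison is built from.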

The Importance of Security Awareness

The human component has long been considered the weakest link in the security chain. This study was intended to shift such a way of thinking and instead emphasize that the human link is only as effective as an organization’s security culture and awareness training. The PricewaterhouseCoopers (PwC) Information Security Breaches Survey also reported similar findings: Survey respondents believed that inadvertent human error (48 percent), lack of staff awareness (33 percent) and weaknesses in vetting individuals (17 percent) were all contributing factors in causing the single worst breach that an organization had suffered.6

A significant portion of this research study’s participants also used shadow IT software, which can cause security vulnerabilities in an organization’s IT infrastructure. According to Forbes,

Associates most often use shadow IT devices to access social media (39%), followed by downloading apps (24%), games (13%), and films (7%). Hackers, organized crime and state-sponsored cybercrime organizations rely on social engineering hacks, phishing, and malware injection across these four popular areas to gain access to enterprise networks and exfiltrate data.7

This study clearly demonstrated that most employees consider the security awareness training offered at their organizations to be insufficient and in need of improvement.

Similar findings suggest that improving security within an organization through adequate education and training can increase users’ basic knowledge and judgement of information security while helping prevent human errors and carelessness.8

Organizations can conduct training with internal teams or use third-party contractors. Organizations should prioritize timely and effective methods of security training for their employees, and they should consider leveraging new technologies, including gamification, to increase user interest in IT compliance, thereby enabling wider adoption of IT compliance and cybersecurity awareness.9 The culture at the organization should be modified by including steps such as sending periodic cybersecurity best practice emails, conducting periodic phishing tests and rewarding employees who correctly report phishing to the IT department.

Conclusion

The often-repeated statement that humans are the weakest link in the security supply chain must be questioned. Poor security habits are a symptom of weak security training and a lack of security culture within the organization. Humans make mistakes, but with proper training and regular reminders, this vulnerability can effectively be mitigated. By incorporating effective and regular cybersecurity awareness training and a cyberawareness culture within an organization, the human component of the cybersecurity chain can be strengthened, no longer leaving it considered the weakest link.

Endnotes

1 CISOMAG, “’Psychology of Human Error’ Could Help Businesses Prevent Security Breaches,” 12 September 2020, http://cisomag.eccouncil.org/psychology-of-human-error-could-help-businesses-prevent-security-breaches/
2 Porter, K.; “What Is Phishing? How to Recognize and Avoid Phishing Scams,” NortonLifeLock, 25 September 2020, http://us.norton.com/internetsecurity-online-scams-what-is-phishing.html
3 Tessian, “11 Examples of Data Breaches Caused By Misdirected Emails,” 17 March 2021, www.tessian.com/blog/data-breaches-caused-by-misdirected-emails
4 Gutierrez, R.; “Managing Shadow IT,” OneNeck Blog, 17 June 2021, http://www.oneneck.com/blog/cloud/managing-shadow-it
5 Sebastian, G. S.; “A Descriptive Study on Cybersecurity Challenges of Working From Home During COVID-19 Pandemic and a Proposed 8 Step WFH Cyber-Attack Mitigation Plan,” Communications of the IBIMA, vol. 2021, 17 February 2021, http://ibimapublishing.com/articles/CIBIMA/2021/589235/
6 PricewaterhouseCoopers (PwC), “2015 Information Security Breaches Survey,” http://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-03.pdf
7 Columbus, L.; “Shadow IT Is the Cybersecurity Threat That Keeps Giving All Year Long,” Forbes, 15 December 2019, http://www.forbes.com/sites/louiscolumbus/2019/12/15/shadow-it-is-the-cybersecurity-threat-that-keeps-giving-all-year-long/?sh=59da0c1b5561
8 Shahri, A.; Z. Ismail; N. A. Rahim; “Security Effectiveness in Health Information System: Through Improving the Human Factors by Education and Training,” Australian Journal of Basic and Applied Sciences, vol. 6, iss. 12, 2012
9 Sebastian, G. S.; “How to Increase Adoption of IT Compliance and Cyber Awareness,” International Security Journal, http://internationalsecurityjournal.com/adoption-of-it-compliance/

Glorin Sebastian, CISA, CISSP

Is an IT risk and security senior consultant at a Big Four accounting firm and has more than six years of experience. He specializes in SAP applications, IT, business and security controls.

Phanindra Kolluru, CRISC

Is a senior SAP security implementation consultant at a Big Four accounting firm and has extensive experience in SAP; governance, risk and compliance (GRC); access controls implementation; and IT risk and control assessments.