
Part 3: Cyber Security and Human Error

Published March 19, 2024, updated March 20th, 2024 | Categories: Cyber Insurance, Insurance

Privilege Misuse

Privilege Misuse is the ugly duckling of the Human Error category.  It covers employees who have legitimate access to private and confidential data and put that access to nefarious use.  Verizon pointed out that while 99% of the threat actors in this pattern are internal to your organization, they saw growth in insiders colluding with external actors.

From an IT security perspective, consider a least-privilege model (a core principle of Zero Trust) in which each employee's access to data assets is limited to what their job duties require, and that access is reviewed whenever roles change.  Also look at hiring practices to see if applicant screening can be improved.  Company culture is a focus area you will not find in an IT cyber security best practices book or similar resources.
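As an added illustration of what job-duty-scoped access looks like in practice (example code written for this page, not a tool from Verizon, CIS or Rue Insurance), the Python below defines a deny-by-default role map and then audits a set of constructed access events for two warning signs of privilege misuse: actions outside the user's role, and bulk reads that are inside the role but far larger than the job needs. The role names, resources and the 500-record threshold are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical roles: each maps to the (action, resource) pairs its job duties need.
# Anything not listed is denied (deny by default is what "least privilege" means).
ROLE_PERMISSIONS = {
    "ap_clerk": {("read", "invoices"), ("create", "payments")},
    "hr_generalist": {("read", "employee_records"), ("update", "employee_records")},
    "engineer": {("read", "source_code"), ("write", "source_code")},
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    action: str
    resource: str
    records: int = 1  # how many records the action touched


def is_allowed(role: str, action: str, resource: str) -> bool:
    """Policy decision: allowed only if the role explicitly grants this pair."""
    return (action, resource) in ROLE_PERMISSIONS.get(role, set())


def audit(events, bulk_threshold: int = 500):
    """Flag out-of-role access (an over-provisioned or abused account) and
    in-role bulk reads (the classic data-theft pattern of a trusted insider)."""
    findings = []
    for e in events:
        if not is_allowed(e.role, e.action, e.resource):
            findings.append((e.user, "out-of-role", f"{e.action} {e.resource}"))
        elif e.action == "read" and e.records >= bulk_threshold:
            findings.append((e.user, "bulk-read", f"{e.records} {e.resource}"))
    return findings


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    AccessEvent("alice", "ap_clerk", "read", "invoices", 12),
    AccessEvent("alice", "ap_clerk", "read", "employee_records"),           # outside her duties
    AccessEvent("bob", "hr_generalist", "read", "employee_records", 2400),  # mass download
    AccessEvent("carol", "engineer", "write", "source_code"),
    AccessEvent("dave", "contractor", "read", "invoices"),                  # role has no grants
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

The policy half is what a Zero Trust rollout enforces at the gateway; the audit half is what your security team runs over the access logs afterward, because an insider whose role legitimately includes a resource will never trip the first check.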

Back in the 1950s, the USSR created a top-secret program to build nuclear weapons.  They took their best scientists and their families and put them in a city that the country built.  No one could leave the city.  In the years this program remained top-secret, not a word got out.  Why?  Living in this city was far better than anywhere else in the country.  Quality of life was so good that no one wanted to ruin it.

What does this have to do with dealing with an insider threat?  If an employer can create an exceptional working environment, employee satisfaction and engagement should reduce the temptation to risk their job situation.

This idea is a big ask which has a lot of questions, such as where does one start that process?  You could call Rue Insurance and talk to our President, William Rue Jr.  He runs a company that has been recognized numerous times by NJ BIZ Magazine as a Best Places to Work in NJ company.

Use of Stolen Credentials

Stolen credentials are like a copy of the key to your front door.  When a hacker has an employee's or key person's user ID and password, they can log right on to the organization's network.

The Verizon report highlights an age-old problem that has plagued the online world of "logging in" to a web portal: a poorly selected and unprotected password.  Even Reader's Digest wrote an article on the most common passwords used in 2023.

I challenge you to look at the Reader's Digest list and consider this: if your company does not have a strong password policy in place, an employee of your company could very well be using a password on that list.

In addition to a strong password policy, implementing Multi-Factor Authentication (MFA) is also important.  MFA requires a second proof of identity, such as a code from an authenticator app, that a hacker holding only the stolen password does not have, so if and when an employee's credentials are stolen, the hacker should still be blocked from getting into your network.

If you want to dive deeper into MFA and what to consider in selecting an MFA program, check out this article.
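To make the two controls above concrete, here is an added Python example (written for this page; it is not code from the Verizon report or from any MFA product) that rejects passwords found on a common-password list, stores only a salted PBKDF2 hash, and then verifies a time-based one-time code (TOTP, RFC 6238) alongside the password, so that a stolen password by itself does not log in. The common-password excerpt is constructed, the 14-character minimum is an assumed policy value, and the secret in the demo is the RFC 6238 test-vector key rather than a real one.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed excerpt of a "most common passwords" list; load a full corpus in practice.
COMMON_PASSWORDS = {"123456", "password", "admin", "12345678", "qwerty", "welcome", "letmein"}
MIN_LENGTH = 14             # assumed policy value
PBKDF2_ITERATIONS = 600_000


def password_problems(candidate: str) -> list:
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    else:
        # "Password123!" is still "password" once the appended digits/symbols are stripped
        stem = lowered.rstrip("0123456789!@#$%^&*.")
        if stem != lowered and stem in COMMON_PASSWORDS:
            problems.append("is a common password with digits/symbols appended")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now=None, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now=None, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current window plus or minus `window` steps of clock drift."""
    now = time.time() if now is None else now
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-window, window + 1))


def enroll(username: str, password: str, totp_secret: bytes) -> dict:
    """Enforce the password policy and store a salted PBKDF2 hash, never the password."""
    problems = password_problems(password)
    if problems:
        raise ValueError(f"rejected password: {', '.join(problems)}")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"user": username, "salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(record: dict, password: str, code: str, now=None) -> bool:
    """Both factors are always evaluated and both must pass."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(pw_hash, record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, now=now)
    return password_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector key, not a real secret
    user = enroll("alice", "correct horse battery staple", secret)
    print(password_problems("Password123!"))
    print(totp(secret, now=59))        # RFC 6238 gives 94287082 for SHA-1, so 287082 at 6 digits
    print(authenticate(user, "correct horse battery staple", totp(secret)))   # True
    print(authenticate(user, "correct horse battery staple", "000000"))       # False
```

Two design points matter for the "stolen credentials" scenario: the TOTP secret never leaves the server and the authenticator, so a leaked password database (even one where the hash is cracked) still does not produce a valid code; and `authenticate` evaluates both factors rather than short-circuiting, so an attacker probing the login cannot learn which factor failed.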


Social Engineering

Social Engineering is the final culprit under Human Error.  The Verizon report states that this is the second largest attack vector against small, medium, and large businesses. Check out this reference:

https://www.rueinsurance.com/the-link-between-multi-factor-authentication-and-cyber-insurance/

CIS defines social engineering as “…a broad range of malicious activities accomplished through human interactions on various platforms, such as email or phone. It relies on psychological manipulation to trick users into making security mistakes or giving away sensitive information.”

As an example, a manufacturing client of our agency obtained component parts from a contract manufacturer in China.  The client had worked with this vendor for well over 15 years and they had an excellent relationship.  One day the client received a follow-up email with an updated invoice saying the vendor’s banking information had changed, and instructing the client to issue payment to a new banking account.  The request appeared to be legitimate. Our client never suspected something was wrong, and wired the money from their bank to the new bank.  Two weeks later they received another email from their vendor following up for payment.  After a few different emails, it was discovered that the China vendor had been hacked.  The hackers saw the outstanding invoice for our client and re-sent a fake invoice with new banking info.  Our client’s bank could not recover the money because the new bank in China said the account was closed and money was withdrawn.  Our client lost over $70,000.
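The fraud above worked because the email came from the vendor's real, compromised mailbox, so nothing about the sender looked wrong; the only anomaly was the changed bank account. As an added example for this page (not the agency's or the client's actual process), the Python below compares each invoice's remittance details against the vendor master file and holds payment for out-of-band verification, using a phone number already on file rather than anything in the email, whenever they differ. Vendor names, domains, account numbers and the phone number are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """Master-file entry captured at onboarding and changed only after verification."""
    name: str
    email_domain: str
    bank_name: str
    account_number: str
    verified_phone: str      # the number you call back; never taken from an incoming email


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender_email: str
    bank_name: str
    account_number: str
    amount: float


def normalize_account(value: str) -> str:
    """Ignore spaces and dashes so cosmetic formatting differences do not trigger holds."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def review_invoice(invoice: Invoice, master: dict):
    """Return ('PAY', []) or ('HOLD', reasons). A hold is cleared only by a
    call-back to the master-file phone number, never by replying to the email."""
    vendor = master.get(invoice.vendor_name)
    if vendor is None:
        return "HOLD", ["vendor is not in the master file"]
    reasons = []
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        reasons.append(f"sender domain {sender_domain} differs from {vendor.email_domain}")
    if (invoice.bank_name.strip().lower() != vendor.bank_name.strip().lower()
            or normalize_account(invoice.account_number) != normalize_account(vendor.account_number)):
        reasons.append(f"remittance details differ from master file; call {vendor.verified_phone} to confirm")
    return ("HOLD" if reasons else "PAY"), reasons


def confirm_change(master: dict, vendor_name: str, new_bank: str, new_account: str,
                   callback_confirmed: bool) -> bool:
    """Update the master file only after the change was confirmed by call-back."""
    if not callback_confirmed:
        return False
    old = master[vendor_name]
    master[vendor_name] = VendorRecord(old.name, old.email_domain, new_bank, new_account, old.verified_phone)
    return True


# Constructed data, not a real vendor or client.
MASTER = {
    "Example Components Ltd": VendorRecord(
        "Example Components Ltd", "example-components.test",
        "First Example Bank", "1234-5678-90", "555-0100"),
}
NORMAL_INVOICE = Invoice("Example Components Ltd", "ar@example-components.test",
                         "First Example Bank", "1234 5678 90", 70250.00)
CHANGED_INVOICE = Invoice("Example Components Ltd", "ar@example-components.test",
                          "Other Bank", "9988776655", 70250.00)   # genuine mailbox, new account

if __name__ == "__main__":
    print(review_invoice(NORMAL_INVOICE, MASTER))    # ('PAY', [])
    print(review_invoice(CHANGED_INVOICE, MASTER))   # ('HOLD', [...call 555-0100 to confirm])
```

The sender-domain check catches the cheaper lookalike-domain variant of this scam; the remittance check is the one that would have stopped the case above, since the attacker controlled the real mailbox. Note that `confirm_change` deliberately takes a confirmation flag from the call-back rather than trusting a second email, because a second email would come from the same compromised account.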

CIS has specific controls to review when it comes to Social Engineering.  As was mentioned with respect to the topic of Error, educating staff from the top of the organization to the front-line employees is essential to warding off social engineering attacks.


CIS Control | Security Function | CIS Safeguard | CIS Safeguard Description
14.2 | Protect | Train Workforce Members to Recognize Social Engineering Attacks | Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
14.9 | Protect | Conduct Role-Specific Security Awareness and Skills Training | Conduct role-specific security awareness and skills training.  Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.


CIS Control 14.9 singles out advanced training for high-profile roles because those people are specific targets for hackers.  If a hacker can gain access to a CFO's account, or persuade the CFO to do something, that person's authority generally will not be questioned by someone who works for them.

For example, if a hacker can convince a CFO to pay a fraudulent invoice from a known vendor of the CFO's company, then most likely the person assigned to handle that payment will not question the CFO's request to pay the invoice.

When it comes to phishing attacks, insurance companies are starting to ask companies to implement an ongoing phishing education program, including testing of employees with fake phishing emails.  The reason for this is that phishing attacks are a major source of business email compromise claims against organizations.

In summary, having a robust cyber awareness education program which engages everyone from a company’s top leadership to front-line staff, along with a supportive culture, will go a long way toward reducing cyber breaches caused by human error, and helping a company thrive in an Internet connected world.


Image by Cottonbro Studio on Pexels.com

Scott Harrigan

Scott started his career in insurance in 1988 and joined Rue Insurance in 2004 as a Marketing Specialist focusing on creating effective risk financing and risk transfer programs for companies and non-profit organizations. In addition to this he is a member of the Rue Insurance educational team that provides ongoing professional development in critical insurance concepts and programs to Rue employees.
