Humans: The weakest thread in the cybersecurity fabric
By Mitish Chitnavis, CTO, iValue InfoSolutions
Cybersecurity threats are constantly evolving, but one of the most persistent dangers comes not from machines, but from human errors. From unintentional mistakes to lack of action, employees and users continue to be a weak link in cyber defences. These errors range from downloading malware-infected email attachments to using weak passwords.
A recent study found that over one-third (35%) of respondents in India experienced a cloud data breach last year, with human error being the top cause (52% in India, 55% globally). Even the most robust systems can fail due to simple human oversights. For instance, Uber fell victim to a data breach following a cyber-attack on Teqtivity, a software company that offers asset management and tracking services to the ride-hailing app. The perpetrators behind the breach, operating under the alias 'UberLeaks', posted confidential company information purportedly obtained during the breach on the hacking forum BreachForums.
Attackers didn't use some fancy zero-day exploit. Nope, Uber simply forgot to renew its Transport Layer Security (TLS) certificate. This seemingly minor oversight led to the exposure of sensitive user data, highlighting the role of negligence in human errors.
Why Human Errors Are So Pervasive
Human errors stem from two key areas – skill-based mistakes due to inadequate training, and decision-based errors often involving malicious intent.
With sophisticated phishing and social engineering attacks, employees can unknowingly compromise security. Fatigue and stress also contribute, since overburdened staff are prone to mistakes. Careless data handling or lapses in patching systems also have consequences. For instance, Toyota announced in 2022 that customer details may have been compromised over 5 years due to an exposed access key in their app's source code. The breach occurred because a section of the source code for T-Connect, an app that allows customers to connect their phones to their cars, had been posted on a source code repository, GitHub, in December 2017. This code contained an access key for the server, potentially allowing unauthorized access to customer data for five years.
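The Toyota T-Connect incident above turned on an access key committed to a public repository. As an added example, not code from the original article or from Toyota, here is a simple pre-commit check that flags credential-looking string literals in source before they are pushed; the variable-name pattern, the entropy threshold and the sample file are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assignment of a long quoted literal to a secret-looking variable name.
# The name list and length floor are assumptions for this example.
SECRET_ASSIGN = re.compile(
    r'(?i)\b(access[_-]?key|secret|token|password|api[_-]?key)\b'
    r'\s*[:=]\s*["\']([^"\']{16,})["\']'
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score higher than words or URLs."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.5):
    """Return (line_no, variable, value) for literals that look like credentials.

    Low-entropy values such as placeholders ("aaaaaaaa...") are ignored so the
    check stays useful as a blocking pre-commit hook.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGN.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if shannon_entropy(value) >= min_entropy:
            findings.append((lineno, name, value))
    return findings


# Constructed sample: a config module that should never have been committed.
SAMPLE_SOURCE = '''
SERVER_URL = "https://example.invalid/api"   # harmless: not a secret name
ACCESS_KEY = "AKX9q7Lm2ZvT4hRb8Ws1Yd6Pn3Cf0Gk5"  # constructed key-like literal
password = "changeme"                          # too short to match
'''

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {value[:6]}... looks like a committed credential")
```

Wired into a pre-commit hook, a non-empty result blocks the commit so the key is moved to a secrets manager instead of shipping in the repository history.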
On the decision side, convenience often overrides security when people reuse passwords or share sensitive data for expediency. Okta's support-system breach is a case in point. The sequence of events began with a seemingly innocuous act: an employee accessing a personal Google account on a work laptop. This compromised account provided the gateway for attackers to infiltrate Okta's internal support system used for managing customer tickets.
Leveraging stolen login credentials, the attackers were able to steal session cookies and tokens, granting illicit access akin to that of legitimate customer support agents. The breach evaded immediate detection and was first identified by external security researchers; it took Okta weeks to confirm the incident. Unfortunately, this was not an isolated occurrence, bearing similarities to a previous breach in 2022 involving a trusted third-party vendor. In both cases, human actions enabled attacks that technology alone failed to prevent.
Human errors are not limited to conventional actions; they extend to how we interact with technology. An alarming example of this is the leakage of proprietary information by Samsung employees through ChatGPT, an AI-powered language model. AI tools are useful for many tasks, but improper use can lead to sensitive information being shared inadvertently. This underscores the need for strict controls and guidelines regarding technology usage within organizations to prevent data leakage through unconventional means.
Insider threats also loom from disgruntled employees seeking personal gain. It is important to note that insider threats are a significant concern worldwide, including in the APAC region. In fact, about 31% of all data breaches globally were caused by insider threats, that is, a contractor or an employee. Here emotions override logic, training, and skills.
A Multi-Pronged Approach to Address Human Errors
We can't eliminate human risk; that's unrealistic. But recognizing the complexity of human dynamics is the first step toward building robust defences.
While technology can protect us, it is difficult to reduce human nature to rules and procedures. People are complex, driven by diverse motivations and making decisions through intricate cognitive processes. What may seem a clear security violation to one person could be justifiable to another depending on personal circumstances or viewpoints. The unpredictability of human behaviour makes addressing insider threats a unique challenge. Though technical controls are imperative, they must be coupled with fostering an ethical, transparent culture where employees feel valued and psychological influences are considered.
To mitigate human errors, organizations must take a multifaceted approach. This includes investing in comprehensive training programs, implementing robust security policies and procedures, promoting a culture of cybersecurity awareness, and ensuring that employees understand the consequences of their actions. Technology, while essential, cannot replace human vigilance and responsibility when it comes to cybersecurity. As threats evolve, organizations must ingrain secure practices into everyday behaviours and processes.
The way to do this is by building a foundation that promotes a cyber-secure culture. This cultural shift ingrains security considerations from the design phase of systems and processes, extending to everyday behaviours. Security awareness should be an integral part of every employee's role, emphasizing the collective responsibility to safeguard sensitive data and information.
Embracing a 'Zero Trust' approach is crucial, where nothing is trusted without verification – not even inside the network. The principle of "when zero is better than 1" emphasizes the need to validate and authenticate all users and devices, irrespective of their location, before granting access. This approach minimizes the risk of insider threats and lateral movement by cybercriminals.
Train, Retrain, Repeat
Addressing the lack of knowledge and awareness is just as essential. Regular, comprehensive cybersecurity training programs can equip employees with the skills to recognize and respond to threats effectively. These programs should cover topics like identifying phishing attempts, safe web browsing, and data protection best practices.
Organizations must continually assess the effectiveness of their cybersecurity measures. Tracking key metrics, such as the reduction in malware incidents and policy violations, is vital. Additionally, collecting qualitative feedback from employees on the relevance of security awareness content assists in tailoring programs to address specific needs. When combined with quantitative metrics, this data enables insightful analysis to refine and target training for maximum impact.
Investing in continuous skill development creates an empowered workforce and a strong human firewall to complement technological controls. With proper knowledge and motivation, people can become one of the most powerful protections against cyber threats.
While not perfect, strategic human-centric planning and cultural resonance provide the best safeguard against the most unpredictable cyber variable – us.