Unless news headlines shout that some major business, government agency or celebrity was hacked, the public assumes their data is secure. However, that is hardly the case.
One of the ongoing problems with cybersecurity is getting the attention of the general public as to the seriousness of the issue. According to cybersecurity firm Risk Based Security, 2016 set a record for data breaches with more than four billion records stolen. According to the report, more than two billion of the stolen records were from breaches at Myspace, Yahoo and the FriendFinder Networks. More than 50 percent of the breaches occurred in Great Britain and America.
Of great alarm to employers, the same report also indicated that approximately 20 percent of all breaches involved insider activity. An organization can expend a great deal of resources defending the perimeter of their systems, only to have it all undone by an insider, either intentionally or unintentionally. Spear-phishing also remains one of the primary attack vectors by hackers. Using this more focused version of phishing, hackers often target specific members of an organization with a fraudulent email using the name of someone senior in that organization seeking sensitive information. Bowing to authority, the member then replies with the information that can then be leveraged to gain greater access, transfer funds, obtain vital information or any personally identifiable information of other staff members.
With the breaches seeming to be endless, what can be done to secure our data? In truth, no system is completely secure, especially when it gains the attention of a dedicated group of hackers, whether hacktivists, cybercriminals or state-sponsored hackers. The best thing any organization or individual can do is make it as difficult as possible to enter a system and hope the attackers tire and move on to easier prey.
Those tasked with defending our cybersystems will do their best to forestall such attacks, but history shows that such efforts are often in vain. The primary reason for the failure of cybersecurity is simply people. Humans operate our digital systems and humans make mistakes. By some estimates, the root cause of data breaches is attributable to human interaction in more than 90 percent of the incidents!
The best way to decrease these human errors is to create a strong cybersecurity culture in our organizations. It involves what is termed a ‘defense triad,’ the combination of technology, processes and people. Technology is the hard and software we utilize including firewalls, intrusion detection systems, anti-intrusion software and monitoring. Processes are the rules and guidelines we set for systems access, for example, who has what privilege to manipulate data, what can be moved or altered and what actions need to be taken should an intrusion be detected. People are the key to defense since they manipulate the data. They need to be trained and well educated in the safe handling of data and develop a questioning attitude about any contact from outside the organization.
Education is a major key to cybersecurity. Academic and training organizations need to not only teach the mechanics of security, but also educate individuals in how to think critically and stay one step ahead. Hackers are traditionally very clever people who need to be engaged by similarly clever defenders who are well trained and educated in how to defend their systems. Training provides the skills to manipulate these systems, but a questioning attitude is developed through education that opens the minds of employees and allows them to outthink hackers.
As 2016 has indicated, the attacks on our digital systems are only going to increase in intensity and sophistication this year, but with a well-trained, educated workforce, we can blunt those attacks and force hackers to seek easier prey.