Firewalls. Backups. Anti-Virus. Device Management. There are many tools in the IT professional’s toolbox for protecting technology from the threats of the internet. Unfortunately, even the most protected devices are only as secure as the humans that use them. No amount of software is going to prevent a user from clicking on a link in an email, and the inherent flaws of the human condition make the end user the easiest target for an internet attack. Because humans are the leading cause of IT security incidents, it is imperative for business owners and security professionals to integrate the Human Layer into their IT Security framework.
When considering the methods for implementing a security plan for the humans working in your business, the nature of human vulnerability becomes quickly clear: humans are subjective, distracted and easily influenced. Thus, the most effective method of attack comes through what is known in the IT Security world as Social Engineering, or the use of deception to manipulate individuals into divulging confidential or personal information to be used for fraudulent purposes. Hit people where they’re psychologically weak, and they are easy targets for manipulation.
Examples of social engineering are everywhere. As one example in just the past week, a blast of emails recently made it through a client’s email security system informing several senior staff members that their Anti-Virus license had expired and required renewal. Several folks who received that email had no knowledge of the status of the Anti-Virus software on their systems, let alone its license’s expiration date. Thanks to overworked and underslept mental states, red alarms started going off, but for the wrong reasons. Emails quickly came in asking not if the email was legitimate, but why their Anti-Virus software had expired and whether their computers were at risk. Thankfully, they reached out to us before anyone clicked on the link in the email, but one errant finger could have placed the company and everyone who worked in it at serious risk.
Here’s a hypothetical example, uncovering another, even more urgent layer of the human element. In adjusting to a work-from-home workforce forced abruptly on us by the pandemic, members of your organization have migrated to relying heavily on Microsoft Teams for internal communication. Being based in the cloud, this means your server and all of your employees’ workstations are connecting to Microsoft servers regularly. Attackers pick this scent up, and suddenly you start seeing emails coming in offering all sorts of add-ons, freebies, enhancements, support, training, anything that might get you to click on the link in the email. They now know that you’re using Microsoft products for cloud communication, just from the act of you using it. They also know you’re new to it, which makes you more vulnerable. They use everything they can find out about you, in that very moment, to target you with content that strikes at your most vulnerable spots, and they are always adapting.
This shifting field of attack vectors causes us to realize that the implementation of IT security for the human layer must be an ongoing process, with regular reviews, trainings, updates and simulations. They didn’t make us do fire drills in school just to test the bells. Conditioning and repetition are vital parts of training humans in how to recognize and respond to threats.
Let’s next consider the impact of technology on how we form and maintain relationships, especially within the context of social distancing. Different types of people may have different opinions on the effectiveness and authenticity of virtual relationships, but even before government mandates brought compulsory hurdles to physical connection between people, many, especially in the younger generations, had already accepted virtual reality as their primary platform for connecting with others. Now, we’re all finding ourselves there, like it or not.
Just think of all the social engineering vulnerabilities this new paradigm poses. Thanks to the popular MTV show, the term “catfish” comes to mind: people who assume a fake identity online in order to connect with others from behind a mask. The subject of the TV show, however, developing romantic relationships over the internet, is child’s play when compared to the sophistication with which similar tactics are used in spear-phishing and other social engineering attacks on businesses and their employees.
Consider the portions of your Facebook profile that are set to be visible to the public. Maybe you don’t think showing people that you live in Vermont and love cats is particularly concerning for the whole world to know. But what about the Monday morning at work when, after a long weekend of hiking and camping, sleep-deprived and sore, an email marked important comes in that appears to be from someone you work with, saying they really need your help taking care of their cat? Do you stop and think about whether this person has ever told you they have a cat before? Do you check the email address the message is coming from, rather than just trusting the displayed name? Or do your instincts kick in and tell you “cat in trouble, must respond”?
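The habit described above, checking the actual sender address instead of trusting the displayed name, can be turned into a simple triage check that a help desk or mail filter runs before anyone replies. The following is an added Python example and is not part of the original post; the internal domain `example.com`, the colleague directory and the sample messages are all constructed for illustration.

```python
"""Flag e-mails whose displayed sender name does not line up with the real address.

Added example (not from the original post). Uses only the standard library.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain for this example; real deployments would read this from config.
INTERNAL_DOMAIN = "example.com"

# Constructed directory of colleagues: display name -> the address they actually use.
KNOWN_COLLEAGUES = {
    "Alice Cooper": "alice@example.com",
    "Bob Martin": "bob@example.com",
}


def sender_checks(raw_message: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Return the parsed sender plus a list of reasons the message deserves a second look."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    address_l = address.lower()
    domain = address_l.rsplit("@", 1)[-1] if "@" in address_l else ""
    findings = []

    # 1. The address behind the name is not one of ours.
    if domain != internal_domain.lower():
        findings.append(f"sender domain {domain!r} is not {internal_domain!r}")

    # 2. Replies would silently go somewhere other than the visible sender.
    if reply_to and reply_to.lower() != address_l:
        findings.append(f"Reply-To {reply_to!r} differs from From {address!r}")

    # 3. The display name belongs to a colleague, but the address is not theirs.
    expected = KNOWN_COLLEAGUES.get(display_name)
    if expected and expected.lower() != address_l:
        findings.append(
            f"display name {display_name!r} belongs to {expected!r}, not {address!r}"
        )

    # 4. The display name is itself written to look like an e-mail address.
    if "@" in display_name and display_name.lower() != address_l:
        findings.append(f"display name {display_name!r} looks like an address but is not the sender")

    return {
        "display_name": display_name,
        "address": address,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = """From: "Alice Cooper" <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?

Hi Bob, are you free Thursday?
"""

PHISHING_MESSAGE = """From: "Alice Cooper" <alice.cooper@mail-helper.net>
Reply-To: <support@mail-helper.net>
To: bob@example.com
Subject: Important - need help with my cat

Bob, I really need your help with my cat this week, please get back to me right away.
"""

NAME_IS_ADDRESS_MESSAGE = """From: "alice@example.com" <contact@other-domain.org>
To: bob@example.com
Subject: Quick favour

Can you call me?
"""

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT_MESSAGE), ("phish", PHISHING_MESSAGE),
                          ("name-as-address", NAME_IS_ADDRESS_MESSAGE)]:
        result = sender_checks(sample)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for reason in result["findings"]:
            print("   -", reason)
```

The directory lookup is the piece that answers the question in the paragraph: a message can carry a colleague's exact name and still come from a stranger, and only comparing the address against what that colleague actually uses catches it. The `Reply-To` check covers the related case where the visible sender is fine but the reply would go elsewhere.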
Just like getting arrested, anything you say and do on the internet can be used against you in the court of social engineering. The simplest solution, just not doing anything on the internet, is not feasible in today’s business environment. So we are left to implement as comprehensive a strategy to protect ourselves, our business, and our employees, from these threats we will inevitably face.
Vermont Panurgy has been at the forefront of IT security and support for over 30 years. We would love to start a conversation with you about how we can implement a thorough, effective and ongoing strategy for your business to protect the Human Layer of IT security. Contact us today!