Users are dangerous

Users are at the forefront of most experiences when external users or customers interact with a company. Ranging from customer services to IT technicians, users will be using either published applications or those created in house for tasks specific to the company. With users having access to systems comes the risk of data loss, corruption, or data transferring into the hands of unauthorised people. Any compromise of data integrity will result in reputational and financial damage. With the EU GDPR having been updated and enforced from 25th May 2018, companies can now receive a fine of up to 4% of their worldwide annual turnover and a ban on data processing. With such severe consequences, important processes must be in place within the company to mitigate risk and penalty upon breach.

IBM’s 2014 Cyber Security Intelligence Index stated that 95% of security breaches were caused by human error, with the highest contributing factor being malicious emails. There are many factors that can make users the key to a security breach, and Cisco’s 2018 Annual Cybersecurity Report showed phishing to be the top entry point for a breach. A notable example of a phishing email attack was the 2015 Anthem data breach. It was believed to have started with the stealing of “credentials of five different tech workers, possibly through some kind of “phishing” scheme” (Insurance Journal, 2015). Unfortunately, there are still many practices that users follow for ease of work rather than for the security of the company. Writing down or sharing passwords are prime examples of how users seek the simplest way to work without considering the implications and risks involved. Given the limited technical skills of most users, they are unable to fully understand the consequences that these types of incidents can lead to. Other than financial and reputational damage, a breach can lead to the destruction or misuse of data. This in turn, without sufficient backups, could break the company and shut it down.

Best practices to mitigate user risk

As with any human error, expecting a 100% risk-free environment is nearly impossible to accomplish. Following industry best practices is key to mitigating potential dangers. Industry best practices will usually be set by the technology creator, for example Microsoft for Active Directory or Cisco for IOS.

It is important to apply all updates to any technology used from these manufacturers, as they will be patching any undisclosed or public security concerns. Hackers will constantly be finding bugs and exploits within technology, and users will be the hackers’ gate into a computer system. This works by users allowing them access, usually by accidentally running malicious code, most commonly delivered within socially engineered emails. In parallel with patching via vendors, systems should also follow all configuration best practices recommended by the vendor. Vendors will have completed rigorous testing on their technology, so they are best placed to make decisions on how to securely use their systems. In regard to basic user configuration in a Windows environment, Microsoft has best practices on how to use Active Directory and Group Policy. Administrators are recommended basic steps such as password complexity and forcing a password change at least every 90 days. It is also important to only provide users with the lowest permissions they will need.
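The two Active Directory recommendations above (password complexity with a maximum age of 90 days, and least privilege) can be checked rather than assumed. The script below is an added example written for this article, not Microsoft's or the author's code. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on a domain-joined machine with read access to the domain; the 90-day and 8-character thresholds and the list of privileged groups are assumptions taken from the text and common practice, and should be adjusted to your own policy.

```powershell
# Added example: audit the default domain password policy and list who holds
# privileged group membership. Read-only; the one remediation command is
# commented out so nothing is changed by accident.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MaxAgeDays = 90,   # assumption: 90 days, as recommended in the text
        [int]$MinLength  = 8     # assumption: minimum length to require
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    # MaxPasswordAge is a TimeSpan; a non-positive value means passwords never expire
    $ageDays = $policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $MaxAgeDays) {
        $findings += "Maximum password age is $ageDays days (expected 1-$MaxAgeDays)"
    }
    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum password length is $($policy.MinPasswordLength) (expected >= $MinLength)"
    }
    if ($policy.LockoutThreshold -eq 0) {
        $findings += "Account lockout is disabled (LockoutThreshold = 0)"
    }
    return $findings
}

function Get-PrivilegedAccountReport {
    # Assumption: these built-in groups are the ones to review; add your own admin groups
    param([string[]]$Groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"))
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq "user" }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                 -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
            [pscustomobject]@{
                Group                = $g
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires   # admins exempt from expiry defeat the 90-day rule
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate          # long-unused admin accounts are candidates for removal
            }
        }
    }
}

# Usage
$findings = Test-DomainPasswordPolicy
if ($findings.Count -eq 0) { "Domain password policy meets all checks" } else { $findings }
Get-PrivilegedAccountReport | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Remediation for the password-age finding, applied deliberately rather than from a blind run:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MaxPasswordAge 90.00:00:00 -ComplexityEnabled $true
```

In a real domain the Default Domain Policy GPO is the authoritative source of these settings and will reapply over a direct change to the domain object, so the commented remediation is only a shortcut; the durable fix is to edit that GPO. The privileged-account report is where the least-privilege review starts: every enabled account in those groups should have a documented reason to be there.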

User training will make a big difference to a company’s workforce: teaching users about basic cybersecurity, for example not clicking on links within emails that they were not expecting. A good example of this training is phishing test software such as Sophos. It allows an organised and controlled sending of customised phishing attacks on behalf of the company and tracks which users have actioned the suspicious email with a click. Once a company has a list of these users, it can target training at those who are susceptible to phishing attacks. Alongside these tests, users should undertake training, normally with a compliance department or IT.

User attacks can also start from poor user management. It is vital to remove and disable all accounts once a user has left, even more importantly if they were an administrator of any system or were able to log in remotely. Disgruntled users can seek to cause damage to a company out of spite. With most companies using remote workers, it’s crucial to ensure that users can continue to work off-site while keeping data secure. Device encryption together with 2-factor authentication is the safest method of creating such an environment. This keeps all data safe if the user loses their laptop or has it stolen.

Conclusion
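The phishing-test workflow described above ends with a list of users who clicked, which then drives training. The script below is an added example for this article, not output or code from Sophos or any other product; the CSV layout and every row in it are constructed for the example, so map the columns to whatever your simulation tool actually exports. It goes slightly beyond the text by also counting credential submissions and reports, which give a more useful training priority than clicks alone.

```powershell
# Added example: turn a phishing-simulation click log into a prioritised
# training list. Data below is constructed; users and campaigns are fictional.
$sampleCsv = @"
Campaign,User,Delivered,Clicked,SubmittedCredentials,Reported
2018-Q1,alice,2018-03-01,,,2018-03-01
2018-Q1,bob,2018-03-01,2018-03-01,,
2018-Q1,carol,2018-03-01,2018-03-02,2018-03-02,
2018-Q2,alice,2018-06-01,,,2018-06-01
2018-Q2,bob,2018-06-01,2018-06-01,2018-06-01,
2018-Q2,carol,2018-06-01,,,2018-06-03
"@

function Get-PhishingTrainingList {
    param(
        [string]$CsvText,
        [int]$RepeatThreshold = 2   # assumption: clicking in 2+ campaigns is treated as high priority
    )
    $rows = ConvertFrom-Csv -InputObject $CsvText
    $rows | Group-Object User | ForEach-Object {
        # Empty cells come through as empty strings, so "is non-empty" means the event happened
        $clicks  = @($_.Group | Where-Object { $_.Clicked }).Count
        $submits = @($_.Group | Where-Object { $_.SubmittedCredentials }).Count
        $reports = @($_.Group | Where-Object { $_.Reported }).Count
        $priority = if ($submits -gt 0)                  { 'High' }
                    elseif ($clicks -ge $RepeatThreshold) { 'High' }
                    elseif ($clicks -gt 0)                { 'Medium' }
                    else                                  { 'None' }
        [pscustomobject]@{
            User                 = $_.Name
            Campaigns            = $_.Count
            Clicked              = $clicks
            SubmittedCredentials = $submits
            Reported             = $reports
            TrainingPriority     = $priority
        }
    } | Sort-Object @{ Expression = { switch ($_.TrainingPriority) { 'High' { 0 } 'Medium' { 1 } default { 2 } } } }, User
}

Get-PhishingTrainingList -CsvText $sampleCsv | Format-Table -AutoSize
```

With the constructed data, bob and carol come out as High (bob clicked in both campaigns and submitted credentials once; carol submitted credentials once) and alice as None with two reports. The Reported column matters as much as the click count: users who report the simulated email are the behaviour you want to reinforce, and a rising report rate over successive campaigns is the measure that the training is working.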
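The leaver process described above (disable the account, with extra care for administrators and remote-access users) is easy to do inconsistently by hand. The script below is an added example written for this article, not the author's or Microsoft's procedure. It assumes the ActiveDirectory PowerShell module and an account with rights over the user; the group names "Remote Desktop Users" and "VPN Users" and the `-match 'Admin'` heuristic are assumptions standing in for however remote login and administrative rights are granted in your environment, and the 90-day inactivity window is likewise an assumption.

```powershell
# Added example: offboard a leaver and sweep for accounts nobody disabled.
# Supports -WhatIf so the dry run can be reviewed before anything changes.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOU,                                   # optional OU to park disabled accounts in
        [string[]]$RemoteAccessGroups = @("Remote Desktop Users", "VPN Users")   # assumption
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf, AdminCount
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    # Flag the cases the text singles out: administrators and remote-login users
    $privileged = @($groups | Where-Object { $_ -match 'Admin' })            # heuristic, assumption
    $remote     = @($groups | Where-Object { $RemoteAccessGroups -contains $_ })

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Disable account")) {
        Disable-ADAccount -Identity $user
        # Reset the password too, so the account cannot simply be re-enabled with the old one
        $newPw = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
        Set-ADUser -Identity $user -Description ("Disabled (leaver) " + (Get-Date -Format 'yyyy-MM-dd'))
    }

    # Strip every group membership so the account holds no rights if it is ever re-enabled
    foreach ($dn in $user.MemberOf) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove $SamAccountName")) {
            Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
        }
    }

    if ($DisabledOU -and $PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $DisabledOU")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }

    # Record of what was found, for the leaver ticket
    [pscustomobject]@{
        User             = $SamAccountName
        WasPrivileged    = ($privileged.Count -gt 0 -or $user.AdminCount -eq 1)
        PrivilegedGroups = $privileged
        RemoteAccess     = $remote
        GroupsRemoved    = $groups.Count
    }
}

function Find-StaleAccounts {
    # Enabled accounts with no logon for $Days: leavers whose accounts were never disabled
    param([int]$Days = 90)   # assumption
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Usage ('jdoe' and the OU path are placeholders)
Disable-LeaverAccount -SamAccountName 'jdoe' -WhatIf
Disable-LeaverAccount -SamAccountName 'jdoe' -DisabledOU 'OU=Disabled,DC=example,DC=local'
Find-StaleAccounts -Days 90 | Format-Table -AutoSize
```

Disabling alone is not enough for the cases the text highlights: an administrator's existing sessions, cached credentials and VPN certificates outlive the account change, so the password reset and group removal here should be paired with revoking tokens and VPN access in whatever systems issue them. The stale-account sweep is the safety net for the leavers HR never told IT about.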

As much as users pose a threat to business, there are many ways to limit damage or to prevent accidental damage from starting in the first place. With basic mitigation steps being taken by companies, as described by IBM’s 2014 Cyber Security Intelligence Index, only 5% of breaches would be successful. It is important to follow all steps, ranging from patch management, configuration and user management to training and encryption. Once all steps are firmly satisfied, a company should be safe from a breach resulting from a user. With staff turnover, there will always be a need to refresh these principles to ensure a continuously safe environment.