Balancing Security with Convenience and the Impact of the Human Element

Balancing Security with Convenience and the Impact of the Human Element

Balancing technology’s risks and benefits is an ongoing challenge for any business. Evolving technologies (for many, 2023 seemed to be the year of ChatGPT and typical applications of artificial intelligence) require careful management to be utilized securely and effectively. But how can organizations stay ahead of the curve?

Proactive strategies seek to eliminate or minimize the impact of cyber threats before they materialize. The FBI’s Internet Crime Complaint Center’s (IC3) 2022 Internet Crime Report, stated that “IC3 received a total of 800,944 reported complaints, with losses exceeding $10.3 billion. Interestingly, while the total number of complaints decreased by 5%, dollar losses increased significantly by 49%”. Of these threats, phishing attacks were, by far, the most reported crime type (with 300,497 complaints reported); social engineering continues to be a primary source of concern for organizations. Social engineering attacks take advantage of human vulnerabilities to gain access to assets. The success of social engineering tactics, such as those exhibited in a phishing attack, speaks to an adage frequently followed by cybercriminals—work smarter, not harder. Often, people are much easier to hack than technology, making them primary targets. From emails appearing to originate from the CEO requesting an immediate wire transfer to a phone call from someone claiming to be from IT and asking for remote access to a system, phishing schemes can take various forms. This variability can make them difficult to defend against effectively, and organizations are then left to deal with the financial, reputational, and operational consequences.

The Human Element Impact

While a strong cybersecurity culture undoubtedly calls for technological defenses that fit an organization’s needs, blind spots in security’s “human element” can render these measures null and void. These vulnerabilities can be the originating factor in a successful cyberattack; unfortunately, they can be the hardest for an organization to counteract. Bland, yearly training modules can be a distant memory to an employee when presented with a seemingly authentic, urgent email from the out-of-town CEO requiring an immediate wire transfer. In the age of AI and ChatGPT, an organization may face increasingly sophisticated phishing attacks.

Staying ahead of this type of threat starts with training and education that moves beyond a “check the box” format. A culture of security hinges on organizational participation and only thrives when given top-down management support. Providing clear, up-to-date policies and procedures for managing potential threats, developing reporting guidelines, practicing communication channels, and participating in tabletop exercises are all ways that an organization can minimize its risks. Security assessments can be instrumental in obtaining both a realistic picture of how written policies are implemented in real-time and a structure for prioritizing future improvements.

Cybersecurity and Third-Party Vendors

One such area needing improvement may originate outside of an organization; relationships with third-party vendors must be considered a critical aspect of a cybersecurity program. While an organization is preoccupied with securing its environment, educating its team, and investing in its defenses, it may fail to recognize that it is only as truly secure as its least certain third-party vendor, which has been granted access to its systems and/or network. Just as a phishing attack capitalizes on weaknesses in the human element, poorly maintained third-party vendor relationships open a door for effective attacks. Though an organization may have an onboarding protocol for new vendors that takes cybersecurity into account, existing vendor relationships are more likely to get lost in the shuffle if ongoing auditing is not conducted regularly. As organizations take a proactive approach to social engineering attacks, they should also carefully audit and manage their third-party vendor relationships. Both at the initiation of a new engagement and regularly scheduled intervals after that, an organization is responsible for asking the right questions and holding its vendors to its standards.

1. Take stock of who has access to what. Maintain access controls and keep an inventory of where data is stored.
2. Perform audits regularly and ensure that crucial information about each vendor relationship is collected. What cybersecurity standards are currently implemented, and is an incident response plan in place? How are organizations alerted in the event of a breach? How is data accessed and by whom, including any sub-contractors?
3. Incorporate the environments of third-party vendors into your organization’s risk profile and limit access when possible. New vendor agreements should clearly state cybersecurity standards and requirements.

Organizations are often surprised by the fact that cybersecurity is just as much a “human” issue as a technological one. Some of the most successful cyber attacks take advantage of the human element, even when technical protections are in place, and best practices are reflected in written policy. The strongest security cultures are those that proactively address both aspects. Support from upper management in upholding best practices, an understanding that security is everyone’s concern, and a dynamic approach that acknowledges the challenges brought about by evolving technologies are all pivotal. Where we gain convenience, we lose security—the most secure and effective organizations continuously attempt to strike a balance.

Ready to Secure Your Business’s Future?

Navigating the complexities of today's digital world requires more than just robust cybersecurity. It demands strategic foresight in your business's growth and transition plans.

Author Mark Lanterman - Computer Forensic Services