‘Don’t forget human element’: cyber experts
Written by Peter Walker
Organisations must not forget about the human element of cyber security, working with HR teams and staff to deter insider threats, according to a panel of experts at the Information Security Europe conference.
Jenny Radcliffe, the founder and director of Human Factor Security, commented: “I’m always sceptical of people and businesses who focus only on the technology side, keeping the human side separate – attackers don’t see it that way, people are often the best targets.
“That approach does the industry a disservice,” she continued, pointing out that every employee has a price or pressure point.
Research just last week revealed that nearly half (45 per cent) of office workers would be willing to sell their firm’s corporate information, according to cyber security startup Deep Secure, which found that a quarter of employees would accept £1,000 as the price for giving away company information to outsiders, whilst five per cent would offer it for free.
Sian John, Microsoft’s EMEA chief security advisor, explained that such attackers are very rarely malicious to begin with, but something changes while they are at work.
“Conventional hacker tools are less useful for detecting these kinds of threats – the people will already have access and may know where to find the secrets – so it has to be a combination of HR and cyber security approaches,” she stated.
“You must first understand what normal looks like, in order to spot anomalies,” John added, noting that machine learning can be helpful to work this out.
Radcliffe said that with ‘spear phishing’ attacks, hackers can manipulate staff into working against their company, so it’s important to teach people how to deal with such intrusions.
“You can’t just throw money at these things, it’s a long and sometimes difficult process, but you have to be truthful with employees about the consequences,” she stated, adding that it’s hard to find the balance between being honest and scaring staff.
Keyun Ruan, an EMEA security specialist at Google Cloud, agreed that security risks are increasingly shifting from corporate network attacks to those focused on individual identities.
“Cyber insurance policies are improving, alongside better response procedures and media training, but the biggest challenge today is that companies don’t know where their data is stored or how to access it - there’s still a lot of work to be done on internal data control management.”