This column is available in a weekly newsletter called IT Best Practices.
Humans are often the weak link in any cybersecurity defense. People behave unpredictably because we are sometimes driven by emotion and by an innate desire to trust and please other people. Also, we tend to take the path of least resistance, even if that path inadvertently creates a cybersecurity risk.
Attackers understand these human traits, which is why they are frequently successful in exploiting people to get around more predictable machine-based defenses. As an example, consider phishing. It’s estimated that globally, 8 million phishing email messages are opened every day, and of those, 800,000 recipients of the malicious messages click on the embedded links. Ten percent of the people who click on a link actually give their information, such as login credentials for personal applications or their employer’s applications.
According to Verizon, 89% of business-related security breaches in 2015 came about as a result of phishing attempts by organized criminals. What’s more, Microsoft estimated in 2014 that the annual worldwide impact of phishing could be as high as $5 billion.
Earlier this year, the security awareness company Wombat Security Technologies published its “State of the Phish” report, which indicates phishing is still a large and growing problem for organizations of all sizes. In the survey behind the report, 60% of respondents reported that the rate of phishing attacks has increased overall. Incidents of spear phishing increased 22% from 2014 to 2015, with two-thirds of the survey respondents saying they experienced spear phishing in the past year.
While phishing is a serious concern for many organizations – especially those without a strong security awareness program – it’s certainly not the only area where end users tend to be the weakest link. For its report “Beyond the Phish,” Wombat analyzed the answers to nearly 20 million questions asked and answered on various topics in its Security Education Platform over the past two years. These questions are part of different organizations’ end user training and security awareness programs. According to the report, many people still struggle in the following areas:
It’s important to note that these statistics come from companies that use a security education platform to help employees learn to reduce risky cyber behaviors. It’s possible that people who work for companies that don’t have formal employee training might miss an even higher percentage of the same questions.
Is the time and expense of attempting to modify risky end user behaviors through security awareness training worth it? After all, if one-fourth to one-third of workers who have been trained still struggle with key cybersecurity topics, what is the value of training? Plenty, according to a report by the Aberdeen Group entitled “The Last Mile in IT Security: Changing User Behaviors.”
Report author Derek Brink writes that the proportion of infections that result from user behaviors is estimated at between 70% and 95%. Thus it stands to reason that if user behavior could be modified to avoid risky actions, malware infections would go down. Indeed, empirical before-and-after training click rates analyzed by Wombat show that malware infections can be reduced by 45% to 70% through user awareness and training.
Another Aberdeen research study shows that user awareness and training provides another benefit to companies: there is a strong and consistent correlation between investment in this type of training and the achievement of top business performance. In short, companies perform better when their workers receive IT security training. These research results can be found in the Aberdeen report "Successful IT Security Projects Invest Not Only in Technologies, But Also in People."
Though humans are often the weak link in cybersecurity, with a little awareness training and some solid behavioral guidelines, we can shore up that link.