A big promise with big appeal. You hear it often in the world of cybersecurity: a simple, quick solution that will meet all your cybersecurity needs and solve your security problems in one go.
It could be an AI-based tool, a new superior management tool, or something else – and it would probably be pretty good for what it promises to do.
But is it a miracle solution to all your cybersecurity problems? No. There is no easy, technology-driven solution to what is truly cybersecurity’s greatest challenge: the actions of human beings.
It doesn’t matter how cutting edge your best defenses are. Perimeter firewalls, multi-level logins, multi-factor authentication, artificial intelligence tools – all of these are easily rendered ineffective when Bob from some department clicks on a phishing link in an email.
It’s not new to anyone
We have all heard this before. That humans are a major flaw in cybersecurity strategy is hardly news – or, at least, it shouldn’t be news. But just ask Uber or Rockstar Games if they thought their systems were safe from social engineering.
Both companies were hacked very recently because a hacker tricked an employee into doing something so against all security best practices that you wonder if the person who got screwed has ever heard news about computer security.
You might even wonder if this employee had any cybersecurity training.
In either case, the successful attack did not involve a very sophisticated attacker using state-of-the-art tools while exploiting as yet undisclosed vulnerabilities.
All it took was a simple social engineering message – something like “Hey Bob, I’m from the IT team, and we need to check something on your PC, so I’m sending you a tool to execute. Just click the link below.”
Yet we don’t learn
Social engineering was a driver of hacking over 20 years ago, and apparently we still haven’t moved away from it.
To add insult to injury, successful social engineering is not limited to non-technical organizations.
It’s very plausible that an unsophisticated user in a remote government department could fall for social engineering, for example, but much less so someone working at a top tech company – and yet we see that Uber and Rockstar Games have both been affected by social engineering.
At some point, as a cybersecurity practitioner with the responsibility of educating your users and making them aware of the risks they (and by extension the organization) are exposed to, you’d think your colleagues would stop falling for what is literally the oldest trick in the hacking book.
It’s conceivable that users aren’t paying attention during training or are just too busy with other things to remember what someone told them about what they can and can’t click.
However, social engineering attacks have made the headlines so consistently – and not just in cybersecurity news – that the “I didn’t know I shouldn’t click on links in emails” excuse is becoming more and more difficult to accept.
Reinforce the message forcefully – it’s your only option
There is no magic solution to the cybersecurity implications of human behavior.
Humans will make mistakes, and as with all avenues of life where humans repeatedly make mistakes, strengthening education is really your only option.
If tech-savvy companies like Uber and Rockstar Games can get it wrong, it can happen to anyone else too. The only option you have is to enforce cybersecurity best practices on every employee through rigorous educational programs.
And it’s not just users who need to be educated – you also need to reinforce these practices in your security team, covering patching, permissions, and overall security posture.
There will always be a risk that a user having a bad day will click on a link promising that someone in a distant part of the world will give them millions of dollars if they only visit that website.
But, as with any approach to cybersecurity, the focus should be on minimizing and mitigating this risk. Constantly reinforcing and educating is your best defense.
Note: This article is written and sponsored by TuxCare, the industry leader in Linux automation. TuxCare delivers unparalleled levels of efficiency for developers, IT security managers and Linux server administrators looking to cost-effectively improve and simplify their cybersecurity operations. TuxCare’s Linux kernel live security patching and standard and enhanced support services help secure and support over a million production workloads.