Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Awareness. Show all posts

Addressing Human Error in Cybersecurity: The Unseen Weak Link

 

Despite significant progress in cybersecurity, human error remains the most significant vulnerability in the system. Research consistently shows that the vast majority of successful cyberattacks stem from human mistakes, with recent data suggesting it accounts for 68% of breaches.

No matter how advanced cybersecurity technology becomes, the human factor continues to be the weakest link. This issue affects all digital device users, yet current cyber education initiatives and emerging regulations fail to effectively target this problem.

In cybersecurity, human errors fall into two categories. The first is skills-based errors, which happen during routine tasks, often when someone's attention is divided. For instance, you might forget to back up your data because of distractions, leaving you vulnerable in the event of an attack.

The second type involves knowledge-based errors, where less experienced users make mistakes due to a lack of knowledge or not following specific security protocols. A common example is clicking on a suspicious link, leading to malware infection and data loss.

Despite heavy investment in cybersecurity training, results have been mixed. These initiatives often adopt a one-size-fits-all, technology-driven approach, focusing on technical skills like password management or multi-factor authentication. However, they fail to address the psychological and behavioral factors behind human actions.

Changing behavior is far more complex than simply providing information. Public health campaigns, like Australia’s successful “Slip, Slop, Slap” sun safety campaign, demonstrate that sustained efforts can lead to behavioral change. The same principle should apply to cybersecurity education, as simply knowing best practices doesn’t always lead to their consistent application.

Australia’s proposed cybersecurity legislation includes measures to combat ransomware, enhance data protection, and set minimum standards for smart devices. While these are important, they mainly focus on technical and procedural solutions. Meanwhile, the U.S. is taking a more human-centric approach, with its Federal Cybersecurity Research Plan placing human factors at the forefront of system design and security.

Three Key Strategies for Human-Centric Cybersecurity

  • Simplify Practices: Cybersecurity processes should be intuitive and easily integrated into daily workflows to reduce cognitive load.
  • Promote Positive Behavior: Education should highlight the benefits of good cybersecurity practices rather than relying on fear tactics.
  • Adopt a Long-term Approach: Changing behavior is an ongoing effort. Cybersecurity training must be continually updated to address new threats.
A truly secure digital environment demands a blend of strong technology, effective policies, and a well-educated, security-conscious public. By better understanding human error, we can design more effective cybersecurity strategies that align with human behavior.

India's Digital Rise Sees Alarming Surge in Online Scams Targeting the Elderly

 

With India advancing in the digital landscape, the country is also witnessing a concerning rise in online scams. In recent months, thousands of individuals have lost substantial sums to these cyber criminals, either hoping to earn more money or after being threatened. Scammers employ new tricks, targeting people across all age groups, with a notable increase in elderly victims. Cyber criminals use increasingly sophisticated techniques to exploit the vulnerability and trust of senior citizens, causing significant financial and emotional distress.

In one case from Bengaluru, a 77-year-old woman named Lakshmi Shivakumar lost Rs 1.2 crore to a scam. It began with a call from someone posing as a Telecom Department representative, falsely claiming a SIM card in her name was involved in illegal activities in Mumbai. The caller mentioned a complaint with the Mumbai Crime Branch to add credibility.

Within hours, she received another call from individuals impersonating Mumbai Crime Branch officers, accusing her of laundering Rs 60 crore and demanding her bank account details for verification. Using threats of arrest and showing a fabricated FIR and arrest warrant, the scammers coerced her into sharing her bank details, ultimately transferring Rs 1.28 crore from her account, promising the money's return after the investigation.

In another case from Chandigarh, an elderly woman was deceived out of Rs 72 lakh under the pretense of a digital arrest scam. She received a call from someone claiming to be from the Central Bureau of Investigation (CBI) office in Andheri, Mumbai, falsely implicating her in a drug case connected to a man named Naresh Goyal and threatening to freeze her bank accounts.

The scammer linked her ATM card to the suspect and claimed obscene messages from her phone were circulating. Under immense pressure, she complied with the demands, participating in a video call where a fake police ID was shown. Over a week, the scammers defrauded her of Rs 72 lakh, promising to return the money after proving her innocence.

Older people are particularly vulnerable to such scams due to several reasons. They often struggle to keep up with the latest technology and digital security measures, making them easy targets for tech-savvy criminals. Additionally, older adults are more likely to trust authoritative figures and may not recognize the signs of deceit in official-looking communications. Their financial stability and natural inclination to trust and cooperate with law enforcement further increase their susceptibility.

How to stay safe and protect the elderly from scams

To protect the elderly from falling prey to such scams, awareness and vigilance are crucial. Here are some essential tips:

  • Inform elderly family members about common types of scams and the tactics used by fraudsters. Regular discussions can help them recognize and avoid potential threats.
  • Encourage seniors to verify any unsolicited calls or messages by contacting the official organization directly using known contact details, not the ones provided by the caller.
  • Ensure that devices used by the elderly have updated security software to protect against malware.

Fostering Cybersecurity Culture: From Awareness to Action

 

The recent film "The Beekeeper" opens with a portrayal of a cyberattack targeting an unsuspecting victim, highlighting the modern challenges posed by technology-driven crimes. The protagonist, Adam Clay, portrayed by Jason Statham, embarks on a mission to track down the perpetrators and thwart their ability to exploit others through cybercrimes.

While security teams may aspire to emulate Clay's proactive approach, physical prowess and combat skills are not within their realm. Instead, prioritizing awareness becomes paramount. Educating the workforce proves to be a formidable task but stands as the most effective defense against individual-targeted threats. New training methodologies integrate traditional techniques, emphasizing adaptability over repetition.

In cybersecurity, the technology operates predictably, unlike humans. Recognizing this distinction underscores the necessity for personalized training during onboarding processes. Interactive training acknowledges the complexity of human behavior, emphasizing adaptability to address evolving threats and individual learning preferences. Unlike automated methods, personalized approaches can swiftly adjust to cater to unique challenges and learner needs, fostering a deeper understanding of security practices.

Organizations must evaluate their readiness to combat AI-based threats, considering that human error contributes to the majority of data breaches. Prioritizing education and resource allocation towards cultivating an informed workforce emerges as a critical strategy. Utilizing security champions and fostering collaboration among teams are advocated over solely relying on automation.

Establishing a robust cybersecurity culture involves encouraging employees to share their personal experiences with security incidents openly. Storytelling proves to be a powerful tool in imparting valuable security lessons, promoting a sense of community, and normalizing discussions around cybersecurity.

Testing and monitoring employee responses are crucial aspects of assessing the effectiveness of security programs. Conducting simulated phishing or smishing attacks allows organizations to gauge employee awareness and readiness to detect and report potential threats. Active engagement and communication among staff members indicate the success of the security program in fostering a proactive security culture.

Moreover, while we may not engage in the direct confrontation depicted in "The Beekeeper," building a resilient security culture through awareness remains our primary defense against cybercrime. Encouraging employee participation, personalized training, and proactive testing are pivotal in equipping individuals to identify and mitigate potential threats effectively. The benefits of these strategies extend beyond the workplace, empowering individuals to navigate the digital landscape safely in both personal and professional spheres, and contributing to a safer online environment for all.

Fortifying Cybersecurity for Schools as New Academic Year Begins

 

School administrators have received a cautionary alert regarding the imperative need to fortify their defenses against potential cyberattacks as the commencement of the new academic year looms. 

The National Cyber Security Centre has emphasized the necessity of implementing "appropriate security measures" to safeguard educational institutions from potential threats and to avert disruptions.

While there are no specific indicators of heightened threats as schools prepare to reopen, the onset of a fresh academic term underscores the potential severity of any cyberattacks during this period. 

Don Smith, the Vice President of the counter-threat unit at Secureworks, a cybersecurity firm, has highlighted the current transitional phase as an opportune moment for cybercriminals. He pointed out that the creation of new accounts for students and staff, as well as the school's approach to portable devices like laptops and tablets, can introduce vulnerabilities.

Smith explained, "Summer is a time when people are using their devices to have fun, play games, that sort of thing. If you've allowed teachers and pupils to take devices home, or let them bring their own, these devices may have picked up infections and malware that can come into the school and create a problem."

Last September, six schools within the same academy trust in Hertfordshire suffered internal system disruptions due to a cyberattack, occurring shortly after the new term had started. 

Additionally, just recently, Debenham High School in Suffolk fell victim to a hack that temporarily crippled all of its computer facilities, prompting technicians to work tirelessly to restore them before the commencement of the new term.

Schools are generally not the primary targets of concentrated cyberattack campaigns, unlike businesses, but they are considered opportunistic targets due to their comparatively less robust defenses. 

Don Smith emphasized that limited budgets and allocation priorities may result in schools having inadequate cybersecurity measures. Basic digital hygiene practices, such as implementing two-factor authentication and keeping software up to date, are crucial for safeguarding vital data.

Moreover, it is imperative for both students and teachers to be regularly educated about cybersecurity threats, including the importance of strong passwords, vigilance against suspicious downloads, and the ability to identify phishing attempts in emails. Mr. Smith noted that cybersecurity is no longer solely the responsibility of a small IT team; instead, all users are on the frontline, necessitating a general understanding of cybersecurity fundamentals.

A recent study revealed that one in seven 15-year-olds is susceptible to responding to phishing emails, especially those from disadvantaged backgrounds with weaker cognitive skills. Professor John Jerrim, the study's author, emphasized the need for increased efforts to help teenagers navigate the increasingly complex and perilous online landscape.

The National Cyber Security Centre, a division of GCHQ, has previously issued warnings regarding the growing prevalence of ransomware attacks targeting the education sector. Ransomware attacks involve criminals infiltrating a network and deploying malicious software that locks access to computer systems until a ransom is paid. Although ransomware attacks temporarily declined during the first quarter of 2023, they have been steadily increasing since then.

SonicWall, a cybersecurity company, emphasized that schools, being repositories of substantial data, are attractive targets for hackers pursuing financial and phishing scams. As schools rely more heavily on internet-based tools in the classroom, they must prioritize cybersecurity, both in terms of budget allocation and mindset, as the new school year approaches.

In response to these concerns, a spokesperson for the Department for Education affirmed that educational institutions bear the responsibility of being aware of cybersecurity risks and implementing appropriate measures. This includes establishing data backups and response plans to mitigate potential incidents.

"We monitor reports of all cyberattacks closely and in any case where there has been an attack, we instruct the department's regional team to offer support," they added. "There is no evidence to suggest that attacks like this are on the rise."