Information moves quickly in the digital environment. Electronic transfers of information allow different parts of organizations to communicate with little to no lag time and provide management better visibility to the day-to-day activities within the organization.
Digital file transfers also come with risks. Protecting information on Internet servers and cloud storage has proven more complicated than securing physical files. Hackers and other unauthorized users demonstrate daily how vulnerabilities in the information security and cybersecurity environment can expose sensitive data to outside parties, which leads to liabilities, reputational damage and other serious consequences to the victim organization.
To ensure that information in the cyber environment is adequately protected, your organization needs to understand its primary cybersecurity threats as well as the steps it can take to protect against them. The first of our series, Seven Ways to Strengthen Your Cybersecurity, explores the key definitions with which organizations should be familiar, as well as the considerations that apply when the human element is involved in a possible breach of your digital information.
What Does Cybersecurity Entail?
Cybersecurity is part of information security. In its simplest form, information security refers to protecting electronic and physical data from unauthorized access. Outside users who do not have adequate permissions to use the data may disclose, disrupt, modify, record or destroy valuable, private data, which presents significant problems to the organization trying to keep this information safe. The realm of cybersecurity focuses on protecting the digital access points to data, such as computers, smart phones, computer networks, and Internet servers.
Both physical and electronic data need oversight to ensure they are adequately protected. This oversight, or management, typically involves a process and a set of internal controls that help an organization regulate access to its key data. The controls should also indicate when processes are not functioning as they should. For instance, controls should trigger notifications when a server is bogged down with an unusual volume of requests, when mass emails are being sent asking each person for data, or when users are requesting information they do not typically ask for, because all of these are signs that a cybersecurity breach may have occurred or is in progress.
The controls an organization puts in place, and how it monitors them, should reflect the organization's largest sources of risk. They should also be evaluated regularly for their effectiveness.
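The three warning signs named above (a server flooded with requests, a mass email asking everyone for data, and a user requesting information outside their normal pattern) can each be expressed as a simple detection rule. The following is an added example written for this page, not code from the article's authors; the log format, the thresholds, the keyword list and the per-user baseline of "typical" resources are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample access log (hypothetical): (timestamp, server, user, resource).
# fileserver01 sees a handful of normal requests; webserver02 receives a burst
# of 60 requests within one minute, which stands in for a server "bogged down".
ACCESS_LOG = [
    ("2016-06-06T09:00:00", "fileserver01", "alice", "/finance/ap"),
    ("2016-06-06T09:00:05", "fileserver01", "alice", "/finance/ar"),
    ("2016-06-06T09:00:20", "fileserver01", "bob", "/hr/payroll"),
    ("2016-06-06T09:01:00", "fileserver01", "carol", "/eng/specs"),
    ("2016-06-06T09:01:30", "fileserver01", "carol", "/hr/payroll"),  # atypical for carol
] + [
    ("2016-06-06T09:02:%02d" % s, "webserver02", "guest", "/login") for s in range(60)
]

# Constructed baseline (hypothetical): which resources each user normally requests.
# In practice this would be learned from historical logs or derived from job roles.
BASELINE = {
    "alice": {"/finance/ap", "/finance/ar"},
    "bob": {"/hr/payroll", "/hr/benefits"},
    "carol": {"/eng/specs"},
}

# Constructed sample outbound-mail log (hypothetical). The second message mirrors
# the W-2 scam described in the article; the third is a benign mass mailing.
EMAIL_LOG = [
    {"sender": "ceo@example.com", "recipients": ["cfo@example.com"],
     "subject": "Board meeting agenda"},
    {"sender": "ceo@example.com",
     "recipients": ["emp%d@example.com" % i for i in range(40)],
     "subject": "Please send me your W-2 and SSN today"},
    {"sender": "it@example.com",
     "recipients": ["emp%d@example.com" % i for i in range(200)],
     "subject": "Scheduled maintenance on Friday"},
]


def request_rate_alerts(log, window_seconds=60, threshold=50):
    """Return servers that received more than `threshold` requests in one window.

    Requests are bucketed into fixed windows of `window_seconds` aligned to the
    epoch, so a burst concentrated in one minute is counted against that minute.
    """
    buckets = Counter()
    for ts, server, _user, _resource in log:
        epoch = int(datetime.fromisoformat(ts).timestamp())
        buckets[(server, epoch // window_seconds)] += 1
    return sorted({server for (server, _win), n in buckets.items() if n > threshold})


def mass_data_request_alerts(emails, min_recipients=25,
                             keywords=("send me", "w-2", "ssn", "password", "bank account")):
    """Return senders of messages that go to many recipients AND ask for data.

    Both conditions are required: a large recipient list alone (the maintenance
    notice) is normal, and a data request to one person alone is normal.
    """
    alerts = []
    for mail in emails:
        subject = mail["subject"].lower()
        if len(mail["recipients"]) >= min_recipients and any(k in subject for k in keywords):
            alerts.append(mail["sender"])
    return alerts


def atypical_access_alerts(log, baseline):
    """Return (user, resource) pairs where a known user left their usual pattern.

    Users with no baseline (e.g. "guest") are skipped rather than flagged, since
    there is nothing to compare against; a real deployment would treat unknown
    accounts as a separate rule.
    """
    alerts = set()
    for _ts, _server, user, resource in log:
        typical = baseline.get(user)
        if typical is not None and resource not in typical:
            alerts.add((user, resource))
    return sorted(alerts)


def run_all():
    """Evaluate all three rules over the constructed logs and return the findings."""
    return {
        "request_rate": request_rate_alerts(ACCESS_LOG),
        "mass_data_request": mass_data_request_alerts(EMAIL_LOG),
        "atypical_access": atypical_access_alerts(ACCESS_LOG, BASELINE),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print("%-20s %s" % (rule, findings or "no alerts"))
```

Each rule returns its findings rather than printing them, so the same functions can feed a ticketing or notification system; the thresholds and keyword list are the parts a real organization would tune to its own baseline of normal activity.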
The Human Element
The largest risk for cybersecurity breaches or other IT security incidents comes from human error. Human error manifests in a number of ways, including:
- System misconfiguration
- Poor patch management
- Use of default usernames and passwords or easy-to-guess passwords
- Lost devices
- Sending sensitive information to an incorrect email address or from a personal email address
- Double-clicking on an unsafe URL or attachment
- Sharing passwords with others
- Leaving computers unattended when outside the workplace
- Using personally owned mobile devices that connect to the organization's network
It may appear that common sense could help mitigate most of these slip-ups, but in practice, the human element is much more difficult to manage. Hackers using social engineering (defined as activities manipulating the human tendency to trust) may be able to trick employees into divulging information or clicking on emails that employees might have otherwise avoided.
For example, in 2016, reports showed that some scammers were posing as executives and asking human resources departments for employee W-2 information. The information could then be used to file fraudulent tax returns on behalf of the employees. Phishing attacks are also common: unauthorized users send emails posing as legitimate organizations or people and ask for personally identifiable information, such as Social Security numbers, credit card numbers, bank account numbers and network log-in credentials.
To address the human element involved in cybersecurity and other information security incidents, management should examine its control environment and implement protocols that minimize the risk of an error leading to something more serious. Employees should be trained at least annually on the handling of removable media such as flash drives, on computers and smart phones, on email protocols, and on the human-error risks in their environment.
Other Ways to Improve
The human element is only one of the factors that make an organization vulnerable to information security incidents. Our Seven Ways to Strengthen Your Cybersecurity series will explore other considerations and best practices in more detail, including:
- Security over mobile devices, wireless devices and removable media, including employee training and best practices in policies;
- Lessons from data breaches and what the statistics tell us about common cybersecurity targets;
- Data breach notification laws, and how they may impact your response to an information security incident;
- Third-party service provider considerations and your responsibilities when using a cloud or other type of external provider;
- Logical security considerations, including encryption, password and user access; and
- What management should know about your IT department.
Stay tuned to learn more about the next topic in the series, security over mobile devices or other forms of removable media. If you have specific comments, questions or concerns about your organization's cybersecurity or vulnerability to human error, please contact us.
Seven Ways to Strengthen Your Cybersecurity
- Monitor the Human Element
- Secure the Small Things
- What We Can Learn from Other Incidents
- Know Your State Notification Laws
- Questions to Ask About Third-Party Providers
- Logical Security
- What Management Should Know About the IT Environment
Published on June 06, 2016