Employees in the corporate security chain.

The health crisis has hit companies and their business hard: a study by Carbon Black reveals that between March and June 2020, teleworking is estimated to have increased by 70%, while the number of cyber attacks is estimated to have increased by 148%.

In this context of mixing professional and personal life, it is sometimes more complicated for employees to respect the security rules established by the company.

Long considered the "weakest link" in corporate security, employees are finally the first line of defence against cyber attacks on a company.

What if it was time for companies to reintegrate the human factor into their cybersecurity policy?

Social engineering

Michel Gérard, Chairman and CEO of Conscio Technologies, states that 70 to 95% of infections are "linked to user behavioural faults".

Indeed, cyber attacks are becoming increasingly sophisticated. Until recently, it was enough to check the correct spelling of an e-mail, its sender, etc., in order to ensure the veracity and security of a message.

Today, cyber attackers use a new formidable weapon: social engineering.

Social engineering is a technique used by hackers to establish a relationship of trust with the person they are trying to attack, in order to obtain enough personal information (email address, postal address, telephone number, contract or customer account number) to carry out an attack.

Jessica Clark, an American ethical hacker and the winner of one of the Defcon challenges, proved this. In this video (from 1'20''), Jessica Clark uses the personal information of the journalist's wife who is interviewing her (i.e. a simple mobile phone number) in order to reach her telephone operator, to modify her contract, and also to change the password of the account, thus excluding the real owner of her own contract.

This attack technique is widespread, and uses human weaknesses to achieve its ends, hence the growing need to train and educate employees.

Read more about social engineering and FOVI.

Insufficient software solutions?

We might think: "yes, but software and anti-virus solutions exist to protect us against cyber attacks". And indeed, software solutions can secure a company's activity, but only partially.

Take the example of phishing emails: some are easily recognisable due to spelling or grammatical errors, URLs with misleading domain names, a suspicious sender name, or a message asking for money or personal data, etc. However, phishing attacks today are much more sophisticated, much more elaborate and thus more deceptive.

If such phishing emails get past the anti-virus barrier, the last line of defence is the employee who receives the deceptive email in front of his or her screen. It is then necessary that they are sufficiently trained to be suspicious and to be able to recognise the attempted attack.

As far as social engineering is concerned, no software solution, unfortunately, can protect the company from this type of attack. The call to the President is a perfect example: no software solution can control the identity of the people calling the employees on the phone. Thus, employee education is of paramount importance.

Training employees in digital insecurity

Indeed, CIOs and other CISOs are not the only guardians of corporate security. An IBM study shows that more than 90% of cybersecurity incidents are linked to human error.

And according to a study conducted by Vitreous World in July 2020, 40% of IT managers consider employee cybersecurity training to be one of the main challenges in the coming years.

Cyber attacks have far-reaching consequences: consequences for business productivity, reputation, customer confidence and also financial consequences.

Many CIOs and CISOs are adopting the "Zero Trust" approach, which, as the name suggests, means never trusting anyone solely on the basis of a login, a user name or a device used. A login can be spoofed, a username can be spoofed, and a device can be stolen. Thus users are encouraged to constantly check the veracity of the message or the sender through various multi-factor authentication systems or through their work habits.

This approach was mentioned in the 2010s by John Kindervag, Principal Analyst at Forrester, who explains that "trust" is the fundamental vulnerability of any digital system. It clearly demonstrates the importance and centrality of the user, the employee, in the company's security chain.

Cybercriminals know and exploit human vulnerabilities. Franck Guicquel, head of partnerships for cybermalveillance.gouv.fr, talks about the "7 deadly sins" such as stress, fear, greed and envy. It is necessary to train employees in the various techniques used by hackers in order to make them aware of the realities of digital threats.

An aware employee will be more cautious, on guard, and aware of the stakes and the consequences that his or her inattention may cause.

Thus, cybersecurity issues are now in the hands of the company's employees. They are both the first line of defence against cyber attacks, but also the last to be able to react, when imperfect software solutions have let the threat through.

90% of attacks are attributable to the behaviour of employees. In this respect, employee training and awareness is an essential and indispensable element for the security of tomorrow's companies.

According to an Olfeo ebook (source 1), three aspects should be taken into account when setting up awareness actions:

• Recurrence: a real awareness strategy is continuous.

• Adaptation to the different interlocutors: it is necessary to address employees according to their level of expertise, their knowledge and their user profile. A recent Trend Micro study highlighted four user profiles illustrating the different behaviours of employees in terms of cybersecurity: the conscientious, the fearful, the ignorant and the reckless. Each profile is characterised by its habits, its apprehensions, and thus by the risks to which they are exposed. Coaching allows for this contextual awareness.

• To make people want to learn, without causing anxiety: to make people want to learn, to interest them and to involve them, so that they become actors in cybersecurity.

Thus, if employees are an essential link in the security chain of companies, training of the latter is necessary. Training that is adapted, continuous, flexible and personalised, in order to create safe and secure working habits and practices.

However, training employees in good cybersecurity practices remains the responsibility of companies.

Sources:

• Olféo, Ebook, "Facteur humain : prochain maillon fort de la cybersécurité"

• IT Social, "Cybersécurité au travail : les collaborateurs comme premier rempart", 10/11/2020

• IT Social, "Employés et cybersécurité : un tandem irréconciliable ?", 14/01/2021

• IT For Business, "Il faut remettre l’Humain au cœur de la cybersécurité", 28/01/2020

• Global Sign, "Qu’est-ce que l’ingénierie sociale ? Jouer sur la confiance"

Related blog posts:

• "BYOD and cybersecurity issues"

• "Cybersecurity of startups and VSEs"

• "Cybersecurity and VSBs : 5 small changes that will make a big difference"

• "Long-term support VS. short-term service"

Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!

Find out more about our employee training and awareness services!

We need your answers!

By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!

Thank you for your responses!

Would you like to be informed of our news and receive our latest blog articles directly in your mailbox ? Subscribe to our monthly newsletter!

Would you like to discuss your difficulties, your needs, our offers ? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts !