
Enterprise Cyber Security: Addressing the Human Factor

W mti.com E [email protected] T +44 (0) 1483 520 200

The Overlooked Human Factor

Cyber security is a key challenge for all organisations, growing almost daily in complexity. An increasingly mobile and distributed workforce, expanding use of cloud resources and growing legacy software and hardware issues mean organisations must secure multiple attack surfaces across complex, constantly changing IT estates. Cyber criminals are, of course, quick to exploit the many opportunities presented to them by these circumstances.

Meanwhile, a steady stream of legislation makes additional demands, each requiring time, expertise and other resources. Such regulations, though designed to protect organisations, individuals, customers and suppliers, add to the overall cyber security challenge which every organisation must address.

Data breaches are a serious matter. Financial and other regulatory penalties may be imposed, either via general legislation such as GDPR, or more specific regulations such as those relating to the payment card industry. Intellectual property may be lost and significant reputational damage suffered. Mission critical data, such as client databases, may be corrupted, rendered inaccessible or stolen.

Various issues must be considered and managed in order to minimise the risk of a breach. These include the use of technology solutions to protect key infrastructure elements such as networks, endpoints and applications, and tools to gather and exploit threat intelligence.

Such technologies typically dominate any discussion of cyber security matters, often leading to the adoption of diverse, poorly integrated point solutions. However, there is another issue to take into account, fundamentally important but often largely overlooked: the human factor. According to a recent report by the Information Commissioner’s Office, 80% of reported breaches in Q4 2017/18 were the result of human or process error.[1]

It is essential that any cyber security strategy addresses the human factor carefully and thoroughly. This document explores seven key types of individual to consider, their characteristics, the risks they may present and examples of how those risks may be addressed.

80% of reported breaches in Q4 2017/18 were the result of human or process error

Contents

The Overlooked Human Factor
Cyber-Risks by User Type: New Users; IT Administrators; Senior Management; Developers; Benign Third Parties; Malicious Third Parties; Malicious Insiders
The Way Forward: Technologies to Address the Risks; Assessing Your Cyber Security; An Independent Cyber Security Benchmark; Next Steps

In this guide you will learn about the critically important but often overlooked human factor in cyber security, seven key user types and the risks they present, and how to address these risks.

Cyber Security Terminology

The cyber security world is fast moving, with existing threats constantly evolving and new ones emerging. Keeping up with the terminology alone is a challenge. Look out for this icon throughout this guide for explanations of some common cyber security terms.

[1] Source: https://ico.org.uk/action-weve-taken/data-security-incident-trends

Cyber-Risks by User Type

In this section we look at seven key user types within your organisation and beyond it, who present specific cyber security risks. Ignore them at your peril – they’re often the cyber criminal’s easiest way through your technological defences.

1. New Users

Overview

Individuals new to the organisation, moving to a new department, or simply new to a system or process, typically operate initially without the benefit of experience. Over 75% of large organisations suffered staff-related security breaches in 2015, and half of the worst of these were caused by human error.[2]

They may not be aware of best practice, process and system weaknesses that must be catered for, or specific system security features that should be employed in prescribed ways. They may unwittingly take unnecessary risks.

Even those new users who have been well trained in the security requirements of their position may be at greater risk of making mistakes than more experienced individuals.

The Risks

Focused on learning and excelling in their new role, new users often overlook key security issues. They may access inappropriate data, services and other resources, or open risky emails or attachments.

Spear phishing attacks will often target new users in order to capitalise on their lack of experience. In the case of ‘whaling’ attacks, targeting new senior executives with access to highly valuable or sensitive information, the damage can be significant or even disastrous. More generally, new users may also be vulnerable to water holing attacks, in which specific web destinations which they are known to frequent are compromised.

As a result, new users at all levels in the organisation are at particular risk of malware attacks, including ransomware.

New users, not fully aware of security best practice and protocols, may also be more likely than others to engage in risky behaviours such as transferring sensitive data to portable storage devices or forwarding emails to their private email accounts. Working from home or over public wifi may expose them to further risks.

Phishing

An attack intended to trick targeted individuals into giving up privileged information, often login credentials or financial details. Phishing attacks are typically made via emails designed to look like bona fide messages from trusted bodies. Successful cyber-attacks typically begin with a phishing email, and users continue to be taken in, despite improved knowledge of this type of attack.

[2] Source: https://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-03.pdf

2. IT Administrators

Overview

IT Administrators and others in similar roles typically have accounts with extensive user rights. Having compromised such an account, cyber criminals can make use of those rights to gain access to a much wider range of resources than would be the case with a standard user’s account.

The Risks

With upwards of 80% of data breaches the result of weak or compromised login credentials, user accounts with elevated privileges present significant potential for damage to the organisation. Privileged accounts are a key security vulnerability for most organisations today. As a result, phishing attacks are often aimed specifically at IT Administrators.

The potential for damage goes well beyond the theft or corruption of sensitive data. With access to one or more of the organisation’s social media accounts, great harm can be done to its reputation and brand. Similarly, by sabotaging the organisation’s cloud environment, day to day operations can be heavily impacted.

3. Senior Management

Overview

Typically having access to valuable information, Senior Management Team (SMT) members are prime cyber-attack targets. They, and their immediate support staff, such as PAs, are often unaware that they sit near the top of the cyber-criminal’s hit list, making them especially vulnerable to social engineering attacks.

The Risks

SMT members are often targeted with spear phishing and whaling attacks. Highly tailored to the target individual, these attacks are typically designed to gain access to sensitive information.

Their high profile makes them easier to target with well-researched spear phishing and whaling attacks. Travelling frequently, at home and abroad, they may use insecure public wifi hotspots, putting them at risk of MITM attacks.

Further compounding the risks, C-suite members are often the group of employees most likely to fail to follow established policies and procedures.

Spear Phishing

A phishing attack aimed at a specific individual, or a small, tightly defined group of individuals, typically relying on detailed knowledge of their interests, jobs, families or other similar matters.

Whaling

A spear phishing attack aimed at a specific high value target or targets such as C-level executives.

MITM

Exploiting weaknesses in public wifi networks, hackers mount Man-in-the-Middle (MITM) attacks by intervening in communications between users and the local wifi router. Traffic that should pass directly between the user’s device and the router is instead routed through the hacker’s device, allowing them to inject malware and collect sensitive corporate or personal information and login credentials.

80% of data breaches are the result of weak or compromised login credentials

4. Developers

Overview

Developers and others in similar roles usually have more extensive rights than the average user. In some cases, they have similar rights to those of an IT Administrator.

They often feel hindered in their day to day work by security solutions and restrictions. As a result, IT may grant them wider-ranging rights than they actually need, typically one-by-one, over a period of time. This is especially common where the individuals concerned are working on business critical applications.

The Risks

Phishing and spear phishing attacks are frequently aimed at developers, as cyber criminals seek to exploit the elevated privileges often found on their accounts.

Developers with extensive user rights may also present insider threats, intentionally or accidentally, as a result of the generally weaker security in the development environment.

5. Benign Third Parties

Overview

Trusted individuals from outside the organisation, such as those working for contractors and suppliers, are often granted unnecessarily extensive user rights on the organisation’s systems.

Attacks mounted through third parties are a serious concern. In 2017, 56% of the organisations surveyed for the Ponemon Third Party Data Risk Study had suffered data breaches resulting from such attacks.

The same research also shows that more than one in two organisations do not know which third parties they share sensitive information with, rising to a sobering 82% for nth-party relationships. Meanwhile, 57% have no clarity on the efficacy of their third parties’ data protection policies.[3]

The Risks

Third party users may be inadequately aware of approved security practices within the organisation, as well as being less motivated than employees to adopt such practices.

Should a third party account be compromised, the impact on the organisation will depend on the privileges in place on the account. Examples include reputational damage resulting from unauthorised access to social media accounts, and degraded organisational capabilities resulting from compromised cloud resources and services.

Disguised Scamware

Attackers inject malware into a trusted application, so that when users install or update it, their devices are compromised. This attack type was successfully executed through the popular cleanup and anti-malware app CCleaner in 2017, affecting millions of users.

Pretexting

If attackers can create a believable story, they improve their chances of tricking their targets into falling for their phishing attack. Often undertaken by phone, pretexting is the process of gathering specific information for such a story. Phishing emails may also be combined with follow-up phone calls, to encourage recipients to respond.

Bad USB Cable

In a development of the established Bad USB Stick attack type, attacks can now be mounted using just a compromised USB cable, perhaps plugged into a laptop to charge a phone. A chip hidden in the cable injects keystrokes into the target machine, triggering actions such as the downloading of malware. Other USB devices such as mice have also been used in this type of attack.

Watering Holes

Attackers inject malware into a website known to be frequented by the targeted users. When a user visits the site, the malware takes advantage of vulnerabilities to compromise their device. Watering hole attacks are often aimed at specific industries, but may also target the wider population through more widely used sites.

Mouse Hovering

This attack type takes advantage of vulnerabilities in various popular applications to launch malware when the user hovers their mouse over a link. Mouse hovering capitalises on the fact that users will often hover to see where a link goes before clicking it – ironically, to avoid following untrusted links.

57% of organisations have no clarity on the efficacy of their third parties’ data protection policies

Phishing and spear phishing attacks are frequently aimed at developers

[3] Source: https://www.opus.com/ponemon

6. Malicious Third Parties

Overview

Whether motivated by ideologies, personal grudges or simply the desire for quick and easy profits, malicious third parties remain a major threat.

Hackers employ a wide range of social engineering and technological attack vectors, ranging from the ongoing flood of phishing emails, through man-in-the-middle (MITM) attacks on insecure wifi networks, to ingenious uses of such apparently innocuous items as USB cables.

The Risks

Visibility of hackers on the organisation’s network is a key challenge. Often, having gained access via phishing attacks, they remain undiscovered for months at a time, quietly syphoning off sensitive data or tampering with critical systems.

Data breaches arising from such attacks can not only seriously impact the organisation’s day-to-day operations, but also expose it to reputational damage and fines under regulations such as GDPR.

7. Malicious Insiders

Overview

It is thought that at least 10% of attacks originate from within the targeted organisation.[4] Malicious insiders, often motivated by dissatisfaction with the organisation, attack from a position of strength, knowing the IT environment they are targeting.

The Risks

Malicious insiders may exfiltrate data, selling it on or taking it with them to a new employer. Alternatively they may seek to deliberately damage the organisation’s assets, for example by changing configurations and settings, or spinning cloud resources up or down.

The impact on the organisation can be extensive, examples including the passing of intellectual property to competitors, the interruption of key services, the contravention of data protection regulations and brand damage resulting from the hijacking of social media accounts and other communications channels.

DMZ

“Demilitarised Zone” – a network segment reserved for less trusted users, to keep them away from sensitive resources.

Malware

A broad term covering all software designed to penetrate, damage, disable or compromise IT systems.

Two-factor Authentication

The verification of a user’s identity by two unrelated means, such as a password and a unique code sent to the user’s mobile phone.

Data Exfiltration

The deliberate copying or moving of data to individuals or users not authorised to access it. Often data exfiltration attacks progress for some time, silently filtering sensitive information out of the organisation, before they are discovered.

Data Leakage

The exposure of information to those not authorised to access it, potentially resulting in data theft or other loss.

10% of attacks originate from within the targeted organisation

[4] Source: https://www.raconteur.net/sponsored/beware-the-insider-threat-in-the-war-against-cybercrime

Technologies to Address the Risks

Various technologies are available to help mitigate the cyber security risks posed by individuals within and outside your organisation. In this section we present a short summary of some of these technologies, arranged by user type. It is important to note that technology is only part of the story – user education and mentoring, and rigorous policies and procedures are also essential.

Technologies (mapped in the original table against New Users, IT Administrators, Senior Management, Developers, Benign Third Parties, Malicious Third Parties and Malicious Insiders):

Web and Email Security
Data Loss Prevention
Anti-malware
Role-based Education
Privileged Account Management
Least Privilege
Secure DevOps
Strong Authentication
Data Encryption
Network Monitoring and Visibility
Penetration Testing

The Way Forward

In this section we outline how to identify the cyber security issues presented by individuals within and beyond your organisation, and look at the benefits of regular, comprehensive assessments of all aspects of your cyber security.

organisation, it is essential to identify and mitigate the risks presented by the seven types of user we have looked at. Technology has a key role to play, but with accidents, errors and malicious activity responsible for such a significant proportion of breaches, building a strong security culture is critically important.

Educating users from the moment they join the organisation, building and enforcing strong security policies and procedures, and frequently reinforcing good security practices are all essential. With the threat

to their knowledge and understanding of security risks and how to address them.

Ongoing focus on, and training in, security matters, working hand in hand with robust procedures and policies, will encourage the development of a strong security culture, which will support the various technology solutions in use across your estate.

Assessing Your Cyber Security

Thoroughly assessing your organisation’s security posture and processes is essential. Such assessments should identify where improvements are necessary and how they should best be made, across all of your networks, systems, services, applications and data, on-premise and in the cloud, looking not only at technology but also at the human factors we have explored in this guide.

With technology and cyber crime both developing rapidly, risks are dynamic and the threat landscape is constantly changing, so it is essential to undertake security assessments regularly.

Gaining a comprehensive understanding not only of systems, platforms and networks, but also of users and data, and the often complex interactions between these various elements, is key to building a full picture of your organisation’s cyber security stance. Your assessment will typically reveal opportunities for improvements in several of the common cyber security issue areas listed in the panel below.

8 Common Cyber Security Issues

Unprotected privileged accounts
Users with weak passwords
Unstructured patching and vulnerability management
Weak data protection
Weak governance and monitoring
Poor user education
No cyber security strategy
Excessive focus on technology

An effective cyber security assessment will include three principal phases:

1. Review any existing cyber security strategy to identify weak areas and gaps
2. Assess the existing environment, using tools to interrogate the network, revealing activity, events and security weaknesses
3. Test the environment and individuals using penetration testing and social engineering techniques

An Independent Cyber Security Benchmark

MTI’s Cyber Security Maturity Assessment (CSMA) objectively benchmarks the organisation’s cyber security stance and its effectiveness, and provides prioritised remediation guidance. The CSMA reports on key security factors using an intuitive ‘traffic light’ system, supported by Executive and Technical summaries outlining recommended remediation priorities.

MTI has built the CSMA using key elements from relevant industry frameworks, including the National Cyber Security Centre’s 10 Steps to Cyber Security, and several ISO standards, leveraged by our 20+ years of experience in IT modernisation and security.

The CSMA provides an independent cyber security benchmark, remediation guidance and consolidated analysis of your organisation’s cyber security stance. Its output provides an excellent basis for selecting remediation services to address any security gaps and weaknesses it may identify.

Your Assessment

To book your CSMA, or find out more about how this assessment can help your organisation, speak to one of our advisors on +44 1483 520 200, or email us at [email protected].

Next Steps

In this guide we have explored the often overlooked human factor in enterprise cyber security, looked at seven key individual types and the risks they typically present, and outlined ways in which such risks may be reliably identified and addressed.

In a fast moving, constantly changing threat landscape awash with dynamic risks, it is essential to secure and maintain a detailed, contextually aware understanding of your users and the data they access, as well as of the technology aspects of your IT infrastructure. Only with such an understanding can a solid, comprehensive cyber security strategy be built.