A big promise with a big appeal. You hear that a lot in the world of cybersecurity, where you’re often promised a fast, simple fix that will take care of all your cybersecurity needs, solving your security challenges in one go.
It could be an AI-based tool, a new superior management tool, or something else – and it would probably be quite effective at what it promises to do.
But is it a silver bullet for all your cybersecurity problems? No. There’s no easy, technology-driven fix for what is really cybersecurity’s biggest challenge: the actions of human beings.
It doesn’t matter how state-of-the-art your best defenses are. Perimeter firewalls, multi-tiered logins, multi-factor authentication, AI tools – all of these are easily rendered ineffective when Bob from a nondescript department clicks on a phishing link in an email.
This isn’t news to anyone
We’ve all heard this before. The fact that humans are a key flaw in cybersecurity strategy is hardly news – or, at least, it shouldn’t be news. But just ask Uber or Rockstar Games whether they thought that their systems were safe from social engineering.
Both companies were very recently breached because a hacker tricked an employee into doing something so contrary to every security best practice that you wonder whether the person who got tricked has ever seen any news about IT security.
You might even wonder whether that employee had any cybersecurity training whatsoever.
In both cases, the successful attack didn’t involve a very sophisticated attacker using state-of-the-art tools while exploiting as-yet-undisclosed vulnerabilities.
All it took was a simple social engineering message – something like, “Hey Bob, I’m from the IT team, and we need to check something on your PC, so I’m sending you a tool for you to run. Just click the link below.”
Yet we’re not learning
Social engineering was a driver for hacking over 20 years ago and, apparently, we still haven’t moved away from it.
Adding insult to injury, successful social engineering isn’t restricted to non-technical organizations.
It’s very plausible that an unsavvy user in a backwater government department might fall for social engineering, for example, but much less plausible for someone working at a leading tech firm. Yet both Uber and Rockstar Games were hit by social engineering.
As a cybersecurity practitioner responsible for educating your users and making them aware of the risks that they (and, by extension, the organization) are exposed to, you’d think that at some point your colleagues would stop falling for what is literally the oldest trick in the hacking playbook.
It’s conceivable that users are not paying attention during training or are simply too busy with other things to remember what someone told them about what they can click on or not.
However, social engineering attacks have so consistently been in the public news – not just cybersecurity news – that the excuse “I didn’t know I shouldn’t click email links” is getting harder and harder to accept.
Forcefully reinforce the message – that’s your only option
There is no magic solution for the cybersecurity implications of human behavior.
Humans will make mistakes and, as in every avenue in life where humans repeatedly make mistakes, reinforcing education is really your only option.
If tech-savvy companies like Uber and Rockstar Games can get it wrong, then it can happen to anyone else too. The only option you have is to impress cybersecurity best practices on every employee through rigorous educational programs.
And it’s not just users who need educating: you should reinforce these practices within your security team too, covering patching, permissions, and overall security posture.
There will always be a risk that a user having a bad day clicks on a link promising that someone in a remote part of the world is trying to give them millions of dollars if they only visit that website.
But, as with every approach to cybersecurity, the focus should be on minimizing and mitigating that risk. Constantly reinforcing and educating is your best defense.
Note: This article is written and sponsored by TuxCare, the industry leader in enterprise-grade Linux automation. TuxCare offers unrivaled levels of efficiency for developers, IT security managers, and Linux server administrators seeking to affordably enhance and simplify their cybersecurity operations. TuxCare’s Linux kernel live security patching and standard and enhanced support services assist in securing and supporting over one million production workloads.