Jari Tenhunen, R&D Director, Tosibox Oy
Every self-respecting company says they’re educating their employees to identify the most essential enterprise data security risks. We have heard countless warnings not to click on strange links or use weak passwords. Yet many still use even the same password for several services. It goes without saying that the disclosure of passwords opens considerable opportunities to all kinds of malice.
Last year the French market research company Ipsos estimated that up to 72 percent of data thefts and hackings in companies are due to employees dealing carelessly with email attachments and links. An email can appear important, official, interesting, reliable, or it can be marked urgent. It can arrive just as the employee has lost focus.
The larger the company, the greater the risks. Each employee, unit and department can mean a larger attack surface to the attacker. However, at the same time it is wrong to blame a single employee, as the responsibility is common for the company and all men are fallible.
The cyber security market is growing steeply. Last year the global worth of the industry was approximately $137 billion, and in four years it is estimated to be $230 billion.
One of man’s basic characteristics is to trust others, should there be no apparent reason not to. Friendliness and politeness fall within the proper culture of working life. If you’re asked to, you usually offer to help, if you feel safe. Someone may, for instance, walk in through a company lobby typically disguised as a representative of a contract partner that has forgotten his pass card home or has some other logic explanation for its absence. Once that person is inside the company facilities, he can easily install a keylogger software from a USB stick and steal all keyboard prints. Or he can read all usernames and passwords from a wall where they’ve been stuck to make them easier to remember.
If you’re up against a state actor or a team of professional thieves utilizing methods straight from the hit movie Ocean’s eleven, even a skilled cyber security expert may be in trouble. Any other employee of a company is even more likely to be in trouble – whether they’re the CEO, a production line specialist or a financial management expert.
The basic problem with taking cover is that the attacker only needs to succeed once, but the defender’s job is continuous. The attacker’s job is just to find out what the defender has forgotten. For this reason, humans are still the weakest link in cyber security.
Humans also build the systems for technical cyber security, which is why even they contain the human factor. For instance, using open libraries in applications is easy and cost efficient, but vulnerabilities occur all the time in them. It’s the user’s responsibility to update the libraries and the applications utilizing them with updated versions. If a vulnerable version is not updated, combined with some other information it can offer the attacker access to company data.
Human activity is far more difficult to anticipate than that of a human-programmed machine. There will always be employees and executives who fall for a hoax, because rush, curiosity, fatigue, shyness, pride, fear and countless other human qualities will not disappear.
In addition, the configuration of systems is an art of its own, and manual, human-made system configuration work is prone to errors. The more you need to configure, the greater the likelihood of human errors increases. It would also be unreasonable to expect that every organization could know everything. Therefore, it is advisable to resort to professional solutions, which are not only simple enough to set up, but also safe and reliable.
Tosibox is an expert in IoT security, and our solution eliminates the chance of human error. We have put a lot of effort into our R&D and making the products easy to use. With fewer things for users to remember and worry about, TOSIBOX® products are practically impossible to misconfigure. Also, software updates are made automatically.
You can prevent costly security breaches and your employees getting hoaxed. Here are a few simple tips.
Understanding cyber security is a part of civics. Follow the development and news about the cyber security industry. Show interest and ask questions. Don’t wait for others to secure you, but treat security as a smile: the one who gives, gets. Together we do more.
Train your employees.
Even if all employees in your organization would have completed a compulsory cyber security online course, they will hardly remember anything about it two years later. The water you carry does not stay in the well, and new threats occur on a regular basis. Even the attackers are constantly evolving and developing new things. That is why learning must be continuous in an organization.
Invest in resilience.
It is almost certain that all companies will sooner or later become subject to a security breach. Some of them may be more destructive than others, but instead of repressive thinking the emphasis has moved on to the organization’s ability to recover from them. This is called resilience. The coping ability can be promoted, for instance, by regular training. This way all parts of the organization will be better able to act when the actual situation occurs.
“Human activity is far more difficult to anticipate than that of a human-programmed machine.”
Jari Tenhunen, R&D Director, Tosibox Oy