From the Sony hack to the Anthem breach, doesn’t it seem like there were a lot of security breakdowns in the news over the past year? That’s not just an anecdotal observation. In 2014, criminals created 317 million new pieces of malicious software and targeted five out of six large companies for email attacks, an increase of 40 percent over 2013, according to a report published yesterday by Symantec, a security-software company.
Part of the problem is that hackers are adapting faster than companies’ defense teams, as Symantec reports. But another interesting—and important—aspect is that employees and managers are making many mistakes. Eleven percent of people in companies click on attachments sent to them by hackers, according to another new report, from Verizon’s data-breach researchers. (Folks in companies’ communications, legal, and customer service departments are the most likely to click, Verizon notes.) Plus, hackers continue to enter companies’ systems through software vulnerabilities that security experts had identified and built fixes for long ago. Among data breaches that resulted from known vulnerabilities, 99.9 percent involved vulnerabilities for which patches had been available for over a year, Verizon finds. Companies could have prevented these breaches, if only they had kept downloading software patches when they were supposed to. When it comes to cybersecurity, one of the biggest challenges can be the good guys, not the bad ones.
Among data breaches that resulted from known vulnerabilities, 99.9 percent involved vulnerabilities for which patches had been available for over a year.
Of course, some experts have long studied this. For example, it’s known that strong company password policies may backfire because employees find them annoying, and may try to get around them, which can be even more dangerous. Studies show that training and awareness is associated with employees choosing better passwords and changing them frequently, but it’s also associated with people writing down their passwords, a cybersecurity no-no. Folks might be extra tempted to write down strong passwords because they’re difficult for even their owners to remember. Results like this have prompted a number of papers and essays from security experts, calling for their peers to pay more attention to people and their flaws instead of just focusing on the hottest new technological threat.
Not to worry, however: Humans don’t only represent weakness when it comes to cybersecurity. In certain cases, people and their human tendencies can be strong elements of a cybersecurity plan. Well-trained people are still better at identifying phishing emails than almost any algorithm, as one IT training director told Verizon researchers. There’s still plenty that people do better than their machines.
