By Richard Werner, Business Consultant
Classic cyber attacks often start with an email. A user opens it, unsuspectingly clicks the link it contains and … the lights go out in the company. It is no wonder that many people tend to locate the cause of the problem in that user. More precisely, that was the view of more than half of the respondents in two webinars held in July 2021, one in German and one in English (for Europe), with more than 1,000 participants in total. In each webinar, attendees were asked which of the following was the “biggest” problem in their own IT security: “employees make mistakes that lead to infections”, “lack of budget”, “faulty security tools” or “overload of the IT security department”. Of course, in companies actually hit by cyberattacks, several of these factors usually apply at once. But the biggest headache by far was the “uninformed” employee, chosen by more than 50% in each webinar. There is no question that many problems in IT security are related to the human factor, but a one-sided focus on the careless employee can lead to wrong conclusions with serious consequences.
Weak point: the employee
This thesis rests on the image of an employee who clicks a link or opens an attachment that was recognisably suspicious, and so unwittingly helps to prepare an attack. In fact, the “careless employee” is a rather minor problem compared with the other “human vulnerabilities” discussed below, but it is one of the few levers where real improvements can be made with little effort for all concerned. Employees should therefore be kept informed about the latest tricks. They should also be given an easy way to have suspicious mails checked, and they should be thanked every time they recognise and report an attack mail, because each report helps to stop an attack.
Incidentally, employees can only identify such an attack because generic, mass-produced mails are still successful enough for the criminals’ purposes. The next trick has long been in their toolkit: Emotet, for example, already inserted itself into existing conversations by replying to mails that had previously been sent, using the stolen thread as context. And even that is not the limit of what is technically possible; cybercriminals simply avoid unnecessary effort. This means that awareness training only makes the attacker’s job harder. It does not solve the problem.
Weak point: IT and security specialists
By the time an email reaches an employee, it has already passed through several technical layers. Sandboxing, machine-learning classifiers and other technologies exist precisely to detect attacks at the gateway. If they miss one, there are further security controls on the endpoint and in the network that should still detect suspicious activity, such as a document spawning a shell or the first connection to a command-and-control server. These are professional tools, built with all the accumulated experience of the industry and deployed for exactly one purpose: to let people work safely. If all of them fail to prevent or at least identify the attack, it is fair to ask why a “normal” user should be held responsible for anything. The tools, and the team that maintains and tunes them, are bought and paid for precisely to relieve employees of the decision whether something is good or not.
But this is precisely where a frequently overlooked problem lies: IT security technology is constantly changing. Just as attackers sharpen their weapons, so do defenders. This results in constant updates and functional or strategic changes. In addition, companies are building ever more complex IT environments and processing ever more data. In parallel, a functioning IT environment becomes ever more critical to a company’s ability to operate.
IT security staff, if they can focus on IT security at all, are overwhelmed by the multitude of systems and their configuration options. If a company also buys security solutions tactically, the workload multiplies. (Tactical purchasing means not looking for new security technology until a problem has arisen or can no longer be ignored.) Among other things, this approach guarantees that the individual products do not act in a coordinated way but each perform an isolated task, so the same event may be logged in three consoles and correlated in none. The result is knowledge gaps and errors due to overload, and not uncommonly frustration on the job.
Weak point: software development
Similar challenges can be found in software development. Driven by consumer demand for apps, more and more software is being developed or assembled from components. In DevOps processes, development is practically an endless loop, and the people who work here naturally know their way around IT. And yet it is precisely these experts who often make the most embarrassing mistakes, from a security point of view. For example, the “whole world” is given access to the customer database because nobody got around to defining permissions and the storage stayed open by default. Or credentials were hard-coded as a workaround during development and never changed, so access to customers’ credit card data is protected by nothing more than the username and password “admin”. All of these mistakes happen, and if the company is prominent enough, the incident makes headlines. Here, too, the main cause is stress, because development is under constant pressure: the new feature is wanted today, not tomorrow, and fixes can always be made later. One or two problems are overlooked or deliberately ignored. In addition, very few software developers build security products themselves. To most, security is an unloved add-on that is forced upon them.
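The two mistakes named above, a resource open to everyone and a leftover development credential, are both easy to catch mechanically before a service goes live. The following is an added example written for this page, not code from the article or from Trend Micro. It assumes a hypothetical ACL shape (resource name to a list of grants, each with a principal and actions), hypothetical environment variable names DB_USER and DB_PASSWORD, and a constructed list of default credential pairs; a real deployment pipeline would run a check of this kind and refuse to deploy on any finding.

```python
"""Added example (not from the article): deploy-time checks that catch
world-open permissions and leftover development credentials.
All names and data shapes here are assumptions for illustration."""

# Constructed list of credential pairs commonly left behind from development.
KNOWN_DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("test", "test"),
}
MIN_PASSWORD_LEN = 16


class ConfigError(Exception):
    """Raised when the service must not start with the given configuration."""


def load_db_credentials(env):
    """Read DB_USER / DB_PASSWORD from a mapping such as os.environ.

    Fails closed: there is no silent fallback to a development default,
    and a known default pair or a short password is rejected outright.
    """
    user = env.get("DB_USER")
    password = env.get("DB_PASSWORD")
    if not user or not password:
        raise ConfigError("DB_USER and DB_PASSWORD must be set; no built-in fallback")
    if (user.lower(), password.lower()) in KNOWN_DEFAULT_PAIRS:
        raise ConfigError(f"refusing default credential pair for user {user!r}")
    if len(password) < MIN_PASSWORD_LEN:
        raise ConfigError(f"DB_PASSWORD shorter than {MIN_PASSWORD_LEN} characters")
    return user, password


def audit_acl(acl):
    """Report grants that expose a resource to everyone.

    acl maps resource name -> list of grants, each grant being
    {"principal": "<user or role>" or "*", "actions": [...]}.
    A grant whose principal is "*" or missing is exactly the 'forgot to
    define permissions' case, so it is reported. An empty grant list is the
    safe deny-by-default state and produces no finding.
    """
    findings = []
    for resource, grants in acl.items():
        for grant in grants:
            principal = grant.get("principal")
            if principal is None or principal == "*":
                actions = ",".join(sorted(grant.get("actions", []))) or "(none)"
                findings.append(f"{resource}: open to everyone for {actions}")
    return findings


def preflight(env, acl):
    """Run both checks and return all findings so a pipeline can block on them."""
    findings = []
    try:
        load_db_credentials(env)
    except ConfigError as exc:
        findings.append(f"credentials: {exc}")
    findings.extend(audit_acl(acl))
    return findings


if __name__ == "__main__":
    # Constructed sample: both mistakes from the text, then a clean configuration.
    bad_env = {"DB_USER": "admin", "DB_PASSWORD": "admin"}
    bad_acl = {
        "customers": [{"principal": "*", "actions": ["read"]}],
        "cards": [{"actions": ["read", "write"]}],  # principal forgotten entirely
    }
    for finding in preflight(bad_env, bad_acl):
        print("BLOCK:", finding)
    good_env = {"DB_USER": "billing_svc", "DB_PASSWORD": "q7Vx!pL2#mZ9rT4wEy"}
    good_acl = {"customers": [{"principal": "role:billing", "actions": ["read"]}], "cards": []}
    print("clean:", preflight(good_env, good_acl))
```

The point of returning findings rather than just printing them is that the same function can gate a CI job, a container entrypoint or a configuration review; the check is cheap, and it removes the decision from a developer under deadline pressure.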
Weak point: CISO and C-level
Of course, company management recognises the great importance of IT security. However, it is often seen as a necessary evil and rarely as an integral part of the value chain. It should cost as little as possible and preferably go unnoticed. In fact, most companies have got away with this tactic quite successfully in recent years at relatively low expense. True to the motto “never change a running system”, decades-old concepts are not questioned but consistently pursued.
However, the security world has changed. Both the quantity and the quality of cyber attacks have been increasing steadily for years. Between December 2020 and mid-2021 alone there were huge upsets with “Sunburst” (the SolarWinds supply-chain compromise), “Hafnium” (the mass exploitation of Microsoft Exchange servers) and “Kaseya”, not to mention individual incidents with a worldwide echo such as the “Colonial Pipeline” and “JBS” ransomware attacks. The economic boom in the cyber underground is not a coincidence that will fade again, but a structural change. Cryptocurrencies, together with political animosities that shelter the actors, have created something historically new: an uncontrolled, perhaps uncontrollable, global market for criminal activity. The uniqueness of this situation is now being discussed even at the highest political levels.
This is reflected, for example, in the Ponemon Institute/Trend Micro Cyber Risk Index survey. Remarkably, confidence that the C-level takes the threat situation seriously has dropped significantly, even though virtually all respondents assume an increased risk. This is related to an all-too-human weakness, or rather a talent that is not widespread, especially among IT security personnel: the talent to “sell” the necessity of measures to superiors. In companies where the existing IT security has so far warded off everything, there is rarely additional budget for more staff or more modern solutions. Here it is important to proceed diplomatically, because the previously impeccable work cannot be criticised. And yet the situation changes due to the external factors described above, which IT security specialists often find hard to argue with, because they lie outside their own expertise. CISOs in particular therefore struggle to articulate the change in the threat situation credibly enough to win improvements in budget, technology and personnel. With the IT Security Act 2.0, the German government has once again emphasised the importance of IT and IT security for critical infrastructures, which at least provides additional support for that argument. Because, cynical as it sounds, often something only happens when the expected penalties become noticeable (unfortunately).
Weak point: SOC specialists
Many of the companies covered by the IT Security Act, but also more and more medium-sized companies, are therefore deciding to set up a Security Operations Centre. The highly specialised staff working there are supposed to analyse security incidents and, where possible, remedy them immediately. What in theory effectively combats the problem of cyberattacks often becomes a challenge in practice. The shortage of skilled workers and the historically grown zoo of individually purchased products lead to an enormous increase in the workload of SOC staff as well. In a Trend Micro survey of over 2,000 respondents worldwide, for example, 70% said that job stress was affecting their personal lives. On the job, the overload leads, among other things, to deliberately ignoring alerts in order to work on something else (40% admitted this), and 43% each admitted to walking away from their desk feeling overwhelmed or simply switching the alert off. In addition, their work is rarely appreciated when “nothing happens”. High staff turnover, especially in the SME sector, is the result, and it further exacerbates the staffing problem.
Human weaknesses are indeed the problem in IT security. But it is not the “normal employees” who cause the greatest concern. A lack of recognition, coupled with a steadily increasing workload and the pressure to be as fast and efficient as possible, is causing growing frustration and susceptibility to errors, especially among IT and above all IT security professionals.
The patch problem, which has existed for more than 20 years, has multiplied in recent years due to a veritable software explosion, leading to a situation where IT security teams hardly have an overview of what is actually deployed, let alone the security status of many systems.
On the one hand, companies are losing the ability to react quickly to incidents and have hardly any staff capable of dealing with real emergencies. On the other hand, a veritable underground economy has emerged which, above all, has driven the specialisation of its protagonists. In this climate, an urgent rethink is needed. Old-fashioned IT security strategies must be reconsidered. Modern techniques must be implemented and optimised in the administrative area. The more automation exists to relieve staff, the better they can focus on serious problems. Together with its specialised trade partners, Trend Micro offers solutions and processes to support this.
People are people, and that will remain the case. What changes are the framework conditions, and these have just changed massively. And another law of nature applies: whoever adapts best to new environmental conditions survives. So here are a few tips:
- Shorten IT security upgrade cycles. You need to be able to adopt modern technology more quickly. With “Software as a Service” offerings, various providers make it possible to run these cycles themselves. When choosing a partner, also pay attention to how well a manufacturer can actually build new technologies. Delivering “cutting edge” technology once is not enough; what matters more is the staying power to keep up with new developments.
- Analyse the manageability of your defence. A cybercriminal is not intimidated by the complexity of your security stack. Far more important is whether you are able to keep track of unusual events in the network. SOC and IT security staff are often overworked and hardly get to do their regular work, and that makes it hard to react correctly in an emergency.
- According to the BSI, security is not a goal that is achieved once but a process that must be continually adapted. In the past, new functionality was sought periodically when a licence expired. Today that is no longer enough. Just as cyber criminals keep working on attacks against companies, companies need to stay at the cutting edge of technology to defend themselves. If their own staff cannot manage this, managed service projects can assist in every aspect.
- Perimeter protection is not enough. Attackers can get through any defence. What matters is how quickly you are able to locate them and then fix the problem. So-called XDR strategies are the latest option here. Our XDR strategy is called Trend Micro Vision One.
- Consider a Zero Trust strategy. First and foremost, assume that your company’s technology has already been compromised. Even though it may be possible to persuade a person to do something harmful, that is usually much harder than stealing passwords and fooling technology. This, too, is part of an XDR strategy.