Top 10 Tips for Minimizing Human Vulnerability
Managed Service Providers (MSPs) play a unique role in many businesses, acting as trusted advisors and resident experts on the matter for which they were engaged. If their efforts are successful, MSPs can find themselves serving a broader group of clients.
Due to both that role and the scope of an MSP’s access, MSPs are prime targets for cyberattacks. For a threat actor, an MSP provides an opportunity to leverage economies of scale. Instead of attacking many disparate targets, the threat actor need only attack one target and leverage that target’s position with their clients.
MSPs need to be constantly vigilant and implement security safeguards that will effectively mitigate threats. One critical set of safeguards is managing human vulnerability. In this article, we’ll cover the top 10 tips for minimizing that class of vulnerabilities.
What is Human Vulnerability?
Human vulnerability refers to the compromise of staff, and of the information they hold, as the means of carrying out an attack. Typically, that’s done through social engineering: a set of confidence schemes that exploit psychological proclivities to gain access to information.
Looking at social engineering attack modalities, including phishing, vishing, business email compromise, pretexting, and others, a clear pattern emerges. Threat actors use familiar-looking scenarios and attach a sense of urgency to them. Staff are asked to make a snap decision and, without proper tools to discern social engineering attacks, may make the wrong decision. That means infection with malware or disclosure of critically sensitive information.
When provided with the tools to identify and thwart social engineering attacks, people can provide excellent defenses against those forms of attack. Humans are detail-oriented and outstanding at spotting patterns. In fact, they’re far more effective than computer algorithms when tasked with doing so.
Top 10 Tips for Minimizing Human Vulnerabilities
Critical to any human vulnerability mitigation program is the need to drive human strengths and minimize human vulnerabilities. Here are ten ways you can do that. This list isn’t exhaustive by any means, and there’s certainly more that can be done to minimize and manage human vulnerabilities. What you ultimately choose to do will depend on organizational commitment and resources.
1. Give People the Tools They Need
You can’t expect people to avoid social engineering attacks if they aren’t equipped to do so. People need the ability to spot and successfully identify a social engineering attack when it happens. The best way to do that is by providing engaging and memorable training that reinforces desirable responses to social engineering attacks.
Training should also be timely. It needs to identify current and serious threats, how to spot those, and how to avoid and report them. As attack patterns change over time, so too should the training materials to reflect those changes.
2. Empower Staff to Respond
Staff empowerment is an often-ignored component of addressing the human element of vulnerability. Like any other detection and remediation platform, staff will produce false positives. When they do, it’s important to educate rather than penalize them for those mistakes.
Social engineering attacks are unique because they typically arrive through public-facing communication channels. As a result, a false positive may also affect customer service. Taking punitive measures against employees who, say, reject a legitimate request for credentials or access will undermine the safeguards and tools that training provides.
3. Provide Clear Escalation Pathways
Staff need to understand how to escalate potential social engineering attacks or questionable infrastructure behavior. Obscuring how to do that, or making the process cumbersome, will disincentivize reporting of issues and could contribute to the scope and severity of a cyberattack.
One example of this is a secure email gateway that allows staff phishing reporting. The button to report phishing should be very obviously posted and easy to access. Staff should also be provided with education on how to report a phishing email and what happens after doing so.
4. Implement Defense-In-Depth Security Infrastructure
Human security will fail. That could be because of a very sophisticated attack or because someone’s having a bad day and misses an attack. Whatever the cause, no security solution is foolproof, and all are susceptible to letting threat actors and malware into the environment.
Building defense-in-depth is critical to all aspects of security infrastructure, including human security. Critical infrastructure should have checks in place that secure the environment from improper change. Monitoring should be robust and identify when something doesn’t align with pre-established baselines.
It’s also critical to protect infrastructure and data. That protection may include detection and response infrastructure, data loss prevention tools, and other information security infrastructure. Organizations may also want to pursue encryption of data in transit and at rest. Some users will still need access to that information, but when encryption is coupled with appropriate access management, it minimizes the exposure of data across the organization.
5. Enforce Role, Attribute, or Relationship-Based Access Control
Having some kind of access control framework is critical to safeguarding assets and preventing data exfiltration. Following best practices of least-privileged and minimum necessary access also helps minimize the blast radius of any attack and data exfiltration event.
Access control can be used effectively to supplement human controls by limiting access and removing avenues to sensitive information. By limiting access to sensitive information, even if a staff member’s account is compromised, the extent of access is contained. Put differently: threat actors will have to work to find an account that will provide them with the access they need. By increasing the attack duration in that way, it becomes more likely that a threat actor can be spotted and expelled.
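As an added illustration of the point above (example code written for this article, not from any product or the original text), the following Python sketch combines the three access-control styles the heading names: roles decide which actions a person may perform, a sensitivity attribute on each resource decides which data those actions apply to, and a client-assignment relationship decides whose data is in scope. Everything is deny-by-default. The client names, resources and users are constructed sample data; the `blast_radius` helper shows what a single compromised account could reach, which is exactly the quantity least-privilege access is meant to shrink.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class Resource:
    name: str
    client: str        # relationship attribute: which MSP client owns the data
    sensitivity: str   # attribute: "internal" or "restricted"


@dataclass
class Principal:
    user: str
    roles: Set[str]
    clients: Set[str]  # relationship: clients this person is assigned to


# Role -> permitted "action:sensitivity" pairs (the role-based layer).
# Anything not listed here is refused, so the default is deny.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "helpdesk": frozenset({"read:internal"}),
    "engineer": frozenset({"read:internal", "write:internal", "read:restricted"}),
    "billing": frozenset({"read:restricted", "write:restricted"}),
}


def is_allowed(p: Principal, action: str, r: Resource) -> bool:
    """Allow only if the client relationship holds AND some role grants the
    action at the resource's sensitivity level."""
    if r.client not in p.clients:          # relationship check first
        return False
    needed = f"{action}:{r.sensitivity}"   # attribute check folded into the role grant
    return any(needed in ROLE_PERMISSIONS.get(role, frozenset()) for role in p.roles)


def blast_radius(p: Principal, resources: Iterable[Resource], action: str = "read") -> Set[str]:
    """Names of every resource a (possibly compromised) principal could reach."""
    return {r.name for r in resources if is_allowed(p, action, r)}


# Constructed sample inventory: two clients, each with an internal ticket
# queue and a restricted billing ledger.
RESOURCES = [
    Resource("acme-ticket-queue", "acme", "internal"),
    Resource("acme-billing-ledger", "acme", "restricted"),
    Resource("globex-ticket-queue", "globex", "internal"),
    Resource("globex-billing-ledger", "globex", "restricted"),
]

# Constructed sample staff.
ALICE = Principal("alice", {"helpdesk"}, {"acme", "globex"})   # broad clients, low sensitivity
BOB = Principal("bob", {"engineer"}, {"acme"})                   # one client, deeper access
CAROL = Principal("carol", {"billing"}, {"globex"})              # one client, restricted only

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(f"{who.user:6} can read: {sorted(blast_radius(who, RESOURCES))}")
```

Running it shows that no single account can read every ledger: a compromised helpdesk account sees ticket queues only, and a compromised engineer account is fenced in by its client assignment. That is the "threat actors will have to work to find an account" property in concrete form, and the same `is_allowed` check is the natural place to log denials for the monitoring baseline described under tip 4.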
6. Use Strong Passwords or Passphrases
Password spray attacks are a successful tool because 1) people use simple passwords that are easy to remember, and 2) they cycle passwords on a theme. So if someone’s password for another account has been disclosed, their corporate password may be easily guessed.
Current security recommendations include implementing long passphrases. Passphrases are more difficult to guess because of their length, and they are also easy for people to remember.
If your organization is unwilling or unable to implement passphrases, then enforcement of complex passwords is a must. It’s also helpful to compare new passwords against lists of breached passwords and prevent the reuse of any password that appears there.
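The three controls above (long passphrases, a complexity fallback, and a breached-password check) can be expressed as one policy function. The Python below is an added example written for this article, not code from the original text or any password product; the breached-password set is a constructed sample stored as SHA-1 hex digests, the format in which such lists are commonly distributed, and the length thresholds are assumptions you would tune to your own policy. It also flags the "cycle on a theme" habit the text describes, by comparing the alphabetic core of a new password with the previous one.

```python
import hashlib
import re
from typing import List, Optional

# Constructed stand-in for a breached-password list. A real deployment would
# load a full list from disk or query a k-anonymity range API; the check
# itself is the same: hash the candidate and look for the digest.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1", "Summer2023!", "Winter2024!", "letmein", "qwerty123")
}

MIN_PASSPHRASE_LEN = 20   # assumption: length alone is sufficient at this size
MIN_PASSWORD_LEN = 12     # assumption: floor for the complexity-rule fallback


def is_breached(secret: str) -> bool:
    """True if the secret's SHA-1 digest appears in the breached set."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def meets_complexity(secret: str) -> bool:
    """Classic complexity rule: at least three of four character classes."""
    classes = [
        bool(re.search(r"[a-z]", secret)),
        bool(re.search(r"[A-Z]", secret)),
        bool(re.search(r"[0-9]", secret)),
        bool(re.search(r"[^a-zA-Z0-9]", secret)),
    ]
    return sum(classes) >= 3


def _alpha_core(s: str) -> str:
    return re.sub(r"[^a-zA-Z]", "", s).lower()


def shares_theme(secret: str, previous: str) -> bool:
    """Detect 'cycling on a theme': same letters, only digits/symbols changed
    (e.g. Summer2023! followed by Summer2024!)."""
    core = _alpha_core(secret)
    return bool(core) and core == _alpha_core(previous)


def evaluate(secret: str, previous: Optional[str] = None,
             allow_passphrases: bool = True) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if is_breached(secret):
        problems.append("appears in breached-password list")
    if previous and shares_theme(secret, previous):
        problems.append("reuses the theme of the previous password")
    # Passphrase path: a long secret is accepted on length alone.
    if allow_passphrases and len(secret) >= MIN_PASSPHRASE_LEN:
        return problems
    # Fallback path: conventional length + complexity rule.
    if len(secret) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not meets_complexity(secret):
        problems.append("fails complexity rule (3 of 4 character classes)")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate, prev in (("Summer2023!", None), ("Summer2024!", "Summer2023!"),
                            ("correct horse battery staple", None)):
        print(f"{candidate!r}: {evaluate(candidate, prev) or 'accepted'}")
```

Note the last case in the test below: with `allow_passphrases=False`, a perfectly good four-word passphrase is rejected by the complexity rule because it contains only lowercase letters and spaces. That is the trade-off the text alludes to; a complexity-only policy pushes people back toward short, themed passwords, which is what the breached-list and theme checks exist to catch.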
7. Engage in Outreach
The security office can be seen as the office of “no.” It can be seen as a force of resistance instead of enablement. Outreach is critical to provide a human face to the security office and also reinforce the security office’s mission. It gives the security office the opportunity to outline the criticality of security safeguards and provide a rationale for organizational and operational decisions.
That outreach also creates escalation pathways. If a staff member knows someone in the security office, they’ll be more inclined to escalate issues to them. While that may not align with formal incident reporting, it provides an informal early-warning mechanism that can be valuable in alerting to developing issues.
8. Incentivize Good Behavior
There are many ways to incentivize good behavior. Some of those mechanisms include an honor roll for good performance, prizes for good awareness performance, bug bounties, and other similar programs. Rewarding staff for good behavior not only reinforces that behavior but promotes it.
It’s also helpful to communicate those kudos as broadly as possible. The more staff that see reward and praise for security-conscious behavior, the more that behavior will permeate your organization. That quickly becomes a self-reinforcing cycle that promotes other security-conscious decision-making and behavior.
9. Update Policies Regularly
Administrative security controls are critical to managing information security. Staff should be aware of policies, and those policies should be updated regularly to account for current threats.
Policy updates and communication may seem insignificant, but they are not. Having a formal document outlining the organizational rules of the road conveys the importance of managing security. That formality is critical to communicating to staff the significance of the organizational security mission.
It’s also critical to explain what the policies prohibit or don’t facilitate. Where policies provide rules for behavior, they should also clearly outline what behavior is unacceptable or unwanted.
10. Audit Regularly
Finally, regular audits help ensure that people are following the rules and allow for course correction where that isn’t happening. By regularly reviewing performance and compliance with organizational processes and standards, staff will understand the criticality of doing so.
Audits also provide the opportunity for improvement. Where there are gaps or lapses in performance, that may not be because the staff isn’t implementing processes and standards but because there is no process or standard for a specific function. Evaluating and improving on gaps is critical for the successful operation of any program. It’s especially critical for human security, where gaps can compromise organizational cybersecurity and create significant risks of harm.
There’s no silver bullet to tackle human security. Addressing human vulnerabilities is a laborious task and requires solid investment, both financial and in time. That being said, a successful human security program can significantly reduce organizational risk.
How you implement a security program will depend on your goals and objectives. So long as you implement a program that is engaging, memorable, and approachable, which facilitates instead of hinders organizational security, it will be successful.