“Problem Exists Between Chair And Keyboard.” This adage, which is (all too) often used in IT and cybersecurity, reminds us that one of the main cyber vulnerabilities of a company is the naivety of its employees. But does it really reflect reality? And which employees are most likely to be duped by cybercriminals? Here are some clues to solving the puzzle.
Conventional wisdom has it that cyberattacks target senior employees in the company hierarchy, as they are the ones with access to sensitive and critical information. However, Sébastien Viou, Director of Product Security & Cyber-Evangelist Consultant at Stormshield, points out that “these valuable targets are also the most well-protected, and the most cautious”. That’s why cybercriminals “usually act opportunistically. They attack gaps in the security chain.” Could it be the case that, aside from the obvious profiles of leaders, all employees are in fact potential targets?
Corporate cyberattacks: when the pawn takes the queen
After all, even a target with limited access to the company’s digital resources can become the first step in a cyberattack. Think of the lowly pawn in a game of chess, which nonetheless has the ability to capture the queen. “Most digital attacks spread within the company’s network, Sébastien Viou says. An endpoint with limited access can easily be converted into a Trojan horse to infect other endpoints on the network, allowing cybercriminals to gradually subvert an increasing number of access permissions.” This means that even employees without significant permissions for a company’s information system can present attractive targets for cybercriminals, given the possibility for lateral movements and escalation of privileges.
There are still many companies in which employees have access to critical resources without any obvious good reason. For some people, admin rights on workstations are seen as social achievements.
Sébastien Viou, Product Security Director & Consultant Cyber-Evangelist Stormshield
And that’s assuming companies manage their access policies properly. However, Sébastien Viou notes that “there are still many companies in which employees have access to critical resources without any obvious good reason. For some people, admin rights on workstations are seen as social achievements...” This (different) reality has made indiscriminate phishing the number one attack vector in CESIN’s 2021 barometer: 80% of its members had fallen victim to this practice in 2020. Such cyberattacks are easy to implement, enabling multiple attempts to be made and targeting employees as a whole. Cybercriminals thus rely on raw volume to tilt the statistics in their favour. Sooner or later, the trap will close on someone in the company... and it’s checkmate. Such attacks are not only wide-ranging but also effective, according to Joseph Graceffa, President of Northern France’s Club de la sécurité de l’information en réseau (CLUSIR), who warns that “no one within the targeted organisation is completely safe from negligence”, including the most cautious of individuals...
Sadly, these facts provide us with an answer to the question posed at the start of this paper: in companies, all employees can be (and are) targeted by cyber attacks. So what can you do to avoid being caught in the net?
A shift from employee awareness to employee empowerment
Although it is difficult to offer a general analysis of vulnerability profiles based on the roles that employees occupy within companies, it does seem necessary to identify the most vulnerable.
Testing enables us to identify people who systematically fall into the trap, and thus constitute the weakest human links in the security chain.
Joseph Graceffa, President of the Northern France Club de la sécurité de l’information en réseau (CLUSIR)
Joseph Graceffa proposes the example of phishing: “Nowadays, we have very easy and inexpensive solutions for automating tests”. With such tools, companies can schedule fully standalone campaigns that send fake phishing emails to their employees. “Testing enables us to identify people who systematically fall into the trap, and thus constitute the weakest human links in the security chain.” The company can therefore adopt measures aimed at these higher-risk employees, “starting by ensuring they are aware of the potential consequences of their behaviour, and training them in basic cybersecurity concepts.” Indeed, in order to improve their employees’ familiarity with the rules of digital hygiene, many companies are conducting cybersecurity awareness and training campaigns. They are strongly encouraged in this respect by public bodies such as France’s ANSSI digital security agency, which offers a practical guide for companies, the first chapter of which is entitled Raising awareness and training. At European level, the European Union Agency for Cybersecurity (ENISA) directly incorporates this concept of public awareness into its mission. To achieve this, the institution’s aim is to help “Member States in their awareness-raising efforts”, to promote “coordination between Member States”, and to provide “codes of best practice to be adopted in terms of computer hygiene and digital skills.” This strategy is also one that is advocated by France. Following the increase in cyberattacks observed during the health crisis, Guillaume Poupard, Director General of the ANSSI, emphasised before the French Senate the importance of a focus on training, certification and the continuous search for sector-based digital hygiene rules: “Compliance with digital hygiene rules is where it all starts; otherwise, it’s like trying to perform high-precision surgery with dirty hands.”
Compliance with computer hygiene rules is where it all starts; otherwise, it’s like trying to perform high-precision surgery with dirty hands
Guillaume Poupard, Director General of ANSSI
However, although he does not question the importance of raising employee awareness as a corporate response to cyber risks, Sébastien Viou considers it “a completely insufficient means of ensuring that the fundamental rules of digital hygiene are applied.” Has the battle for cyber awareness already been lost? There is a strong temptation to answer “yes”, based on social media posts showing photos of work PCs that individuals have left accessible and unattended in public places. Sébastien Viou believes this shows that it is high time to move up a gear and supplement employee awareness with a form of empowerment. “Awareness training is not a waste of time; today, the majority of employees are aware of cyber risks, and this is a positive thing. However, despite this, they still fail to adhere to the safety rules because they wrongly believe that the risk does not apply to them.” This accountability could take the form of specifying compliance with the safety standards and rules set by the company in the employee’s basic job description. “This would then ensure the risk was shared, since in the event of a serious and proven breach, the company could impose severe sanctions.” This opinion is shared by Joseph Graceffa, who also points out that this kind of employee empowerment is already a reality, particularly in large English-speaking companies. “They generally supplement their internal regulations with IT charters and then implement a sliding scale of sanctions”, enabling them to impose sanctions that are commensurate with the seriousness of their employees’ failures.
Ensuring better access to cybersecurity
However, such empowerment needs to be accompanied by greater employee access to cybersecurity tools and information. “Since they are being asked to be responsible, it is obvious that we must also be able to help them understand the threats and what is happening around them,” Joseph Graceffa says. However, “corporate cybersecurity solutions have traditionally been the responsibility of CISO teams. And to date, little effort has been made to ensure they are simpler to use by non-specialists.” More accessible and “UX-friendly” cybersecurity solutions could thus facilitate adoption and increased competence on the part of the company’s employees.
From the point of view of internal structure, the Human Resources Department should have a stronger role to play in cybersecurity issues. At least, that’s the finding of a dedicated study by the RHO Chair of the University of Fribourg and CISEL Informatique SA. Given its traditional responsibilities, the company’s HR department would seem to be in the best position to ensure the organisation’s overall cybersecurity qualification: from the recruitment phase onwards, it is able to include requirements relating to cybersecurity culture on the basis of individual job role. Furthermore, as the HRD is responsible for training programmes for employees, it is the most appropriate body to ensure that their knowledge of cybersecurity is constantly up to date (using methods that are as educational as possible, such as testing). To this end, the creation of an improved structure for dialogue between the HR Department and the CISO can ensure that training programmes are in line with the reality on the ground. Finally, the HR Department (in conjunction with the legal department) is best placed to ensure that employees who violate the security rules in force within the organisation are held accountable and sanctioned. To this end, it must participate in writing and updating such rules, while ensuring that they are regularly brought to the attention of employees.
In an ideal world, all employees of a company would be responsible and qualified in terms of cybersecurity. If this were the case, could the company then trust them completely? Sébastien Viou believes that “trust does not preclude supervision. It could trust in their good faith, but not their infallibility. Even assuming they all followed the rules of digital hygiene, there would still be no such thing as zero risk. Even the most cautious person – yes, sometimes even a cybersecurity expert – can be fooled.” This analysis is confirmed by the rise of cloud computing or working practices that include teleworking or BYOD. As a result, companies can no longer assume that whatever lies within their IT perimeter is absolutely trustworthy. And more and more of them are adopting the concept of Zero Trust. According to a study reported by IT SOCIAL 90% of responding companies are seriously considering this holistic approach, which is intended to redefine concept of the perimeter by not trusting anyone – either inside or outside the organisation’s network – by default. However, Joseph Graceffa sees Zero Trust as “just another marketing term, plain and simple”. The President of CLUSIR Northern France reminds us that although the term is increasingly widely used, it is just a glorified “update of the Network Access Control [NAC] procedures that are now applied to all IT resources (applications, computer workstations, etc.). And CISOs and cybersecurity specialists have been familiar with these for over 20 years.” In any case, the widespread implementation of a Zero-Trust approach is a transformation that could be extremely time-consuming, especially for companies with legacy and siloed IT assets. The process of implementing such an approach would therefore seem to be a gradual one.
Cybersecurity is therefore not just an issue of resources. As cyberattacks rise, there is no longer any doubt that humans are the main risk vector. It is therefore vitally important for the company to train its employees, raise their awareness... and lastly, give them responsibility. After all, not only is the company responsible for them, but they are also responsible for it.