The human vulnerability in security

Classic cyber attacks often start with an email. A user opens it, innocently clicks on the link inside and... the lights go out in the company. No wonder that many have identified the "user" vulnerability as the cause of the problem. An analysis by Trend Micro.

More than half of the respondents in two webinars held in July 2021 (one in German, one in English for Europe) with a total of over 1000 participants said that users are the problem. In each case, participants were asked which of the following was the "biggest" problem for their own company's IT security: "employees make mistakes that lead to infections", "insufficient budget", "faulty security tools" or "overloaded IT security department". Of course, several of these factors apply in companies actually affected by cyberattacks. But the greatest headache, with over 50% in each webinar, was the "inexperienced" employee. There is no question that many problems in IT security are related to the human factor, but a one-sided focus on the careless employee can lead to wrong conclusions with serious consequences.

Employee vulnerability

This thesis rests on the picture of an employee who clicks on a link or opens an attachment that could plainly have been recognized as suspicious, and thus unwittingly helps prepare an attack. In reality, the "careless employee" is a minor problem compared to other weak points, but it is one of the few levers with which relevant improvements can be achieved for everyone involved without great effort. Employees should therefore definitely be kept informed about the latest tricks. They should also be given a way to have suspicious emails checked, and they should be thanked every time they detect an attack email, because that helps stop attacks.

Incidentally, employees are only able to identify such attacks because cyber criminals are still successful enough with generically generated emails to achieve their purposes. The next trick is already in their toolkit: Emotet already sent its malicious mails as replies to previously exchanged messages. And even that is not the end of what is technically possible. But cyber criminals shy away from unnecessary effort, which means that each training course only serves to make the attacker's work harder. It will not fix the problem.

IT specialist / security weak point

By the time an email reaches an employee, it has already passed through several technical layers. Sandboxing, artificial intelligence and other technologies were developed to detect attacks directly. If they fail, further security solutions at the system and network level should also detect suspicious activity. These are professional tools, built with great experience and deployed precisely for this purpose, so that people can ultimately work safely. If all these technical tools can neither prevent nor at least identify the attack, the question arises why a "normal" user should be held responsible at all. Technical tools, and a team to maintain and sharpen them, are bought and paid for to make it easier for employees to decide whether something is safe or not!

Tools should remove decisions

But this is exactly where an often overlooked problem lies: IT security technology is constantly changing. Just as attackers sharpen their weapons, so do defenders. The result is constant updates and functional or strategic changes. In addition, companies are building ever more complex IT environments and processing more and more data. At the same time, a functioning IT is becoming ever more critical to a company's ability to operate.

IT security employees are often overwhelmed

IT security employees, if they can focus on IT security at all, are overwhelmed by the multitude of systems and their different configuration options. If a company also buys security solutions tactically, the workload increases further. (Tactical purchasing means only buying a new security product when a problem has arisen or can no longer be ignored.) Among other things, this procedure ensures that systems do not act in concert but only fulfill isolated tasks. The result is gaps in knowledge and errors caused by excessive demands. The overload often leads to frustration on the job.

Vulnerability in IT software development

Similar challenges can be found in software development. Driven by consumers' growing appetite for apps, more and more software components are being developed or assembled. In DevOps processes, development is practically an endless loop, and the people working here are of course familiar with IT. And yet it is precisely these experts who make the most ridiculous mistakes, from a security point of view. The "whole world" is given access to the customer database because someone forgot to define access permissions. Or credentials were hardcoded as a quick workaround during development and never changed, so access to customers' credit card data is protected only by the username and password "admin".

All of these mistakes happen, and if the company is prominent enough, a single incident can even make headlines. Again, the main cause is stress, because software development is under pressure. The new feature should ship today, not tomorrow. Improvements can be made later, if necessary. One problem or another is often overlooked or deliberately ignored. In addition, very few software developers work on security products. Security is an unpopular extra that one is often forced to deal with.

CISO weak point - C-Level

Of course, company management recognizes the great importance of IT security. However, it is often viewed as a necessary evil and only rarely as an integral part of the value chain. It should cost as little as possible and ideally hardly be noticed. In fact, most companies have been quite successful with this tactic over the past few years, despite spending relatively little. True to the motto "never change a running system", decades-old concepts are not questioned but consistently pursued.

The quality of cyber attacks has been increasing for years

But the world of security has also changed. Both the quantity and the quality of cyber attacks have been increasing steadily for years. In 2021 alone there were major upheavals with "Sunburst", "Hafnium" and "Kaseya", not to mention individual incidents with worldwide echoes such as the "Colonial Pipeline" or the "JBS" hack. The economic boom in the cyber underground is no longer a passing coincidence but a structural change. The introduction of cryptocurrencies and political animosity have created something historically unprecedented: an uncontrolled, perhaps even uncontrollable, global market for criminal activities. The uniqueness of this situation is now being discussed even at the highest political level.

Cyber Risk Index gives clarity

This is reflected, for example, in the Ponemon Institute / Trend Micro Cyber Risk Index study. What is remarkable is a clear decrease in confidence that the C-level takes the threat situation seriously, even though practically all respondents assume an increased risk. This comes down to an all too human talent that is not particularly widespread among IT security personnel: the talent to properly "sell" the necessity of measures to one's superiors. Especially in companies where IT security has so far successfully fended off everything, there is seldom additional budget for more staff or more modern solutions. Diplomacy is needed here, because work that has so far been impeccable cannot be criticized. And yet the situation changes due to the external factors described above, which are often difficult for IT security specialists to argue because they lie outside their own expertise. CISOs in particular find it difficult to credibly articulate the change in the threat situation in order to obtain improvements in budget, technology and personnel. With the IT Security Act, the German Federal Government is once again underlining the importance of IT and IT security for critical infrastructures, which provides further support for this argument. Because, even if it sounds cynical, often something only happens when the expected penalties can be felt (unfortunately).

IT security weak point - SOC specialist

Many of the companies covered by the IT Security Act, but also more and more medium-sized companies, are therefore choosing to set up a Security Operations Center (SOC). The highly specialized employees working there are supposed to analyze security incidents and, if possible, resolve them immediately. What effectively combats the problem of cyber attacks in theory often becomes a challenge in practice. The shortage of skilled workers and the historically grown zoo of individually purchased solutions mean that the workload of SOC employees increases enormously. In a Trend Micro survey of over 2000 respondents worldwide, 70% said that work stress had an impact on their private life. On the job, the overload leads, among other things, to alerts being deliberately ignored (40% admitted this) in order to work on something else, and 43% respectively have walked away from their workstation overwhelmed or simply switched off the alert. In addition, their work is seldom recognized when "nothing happens". High staff turnover, especially in medium-sized companies, is the result, and it further aggravates the personnel problem.

Summary of the analysis

In fact, human weaknesses are the problem in IT security. But it is not the "normal employees" who cause the greatest worries. A lack of recognition, a steadily increasing workload and the pressure to be as fast and efficient as possible lead to growing frustration and susceptibility to errors, especially among IT and, above all, IT security specialists.

The patch problem, which has existed for more than 20 years, has multiplied in recent years due to a veritable software explosion, with the result that IT security teams barely have an overview of what is actually in use, let alone of the security status of many systems.

IT security teams lose track of things

On the one hand, companies are losing the ability to react quickly to incidents and hardly have any staff who can cope with real emergencies. On the other hand, a downright underground economy is emerging, which above all has spurred the specialization of its protagonists. In this climate, an urgent rethink is required. Traditional IT security strategies need to be reconsidered, and modern techniques must be implemented and optimized on the administrative side. The more automation exists to relieve employees, the better they can focus on serious problems. Together with its channel partners, Trend Micro offers solutions and processes to support this.

People are people, and that will not change. What is changing are the framework conditions, and they have just changed massively. And here another law of nature applies: those who can best adapt to new environmental conditions survive.

Some tips for more IT security

  • Shorten IT security update cycles. You need to be able to roll out modern technology faster. With "Software as a Service" offerings, various providers make it possible to handle these cycles. When choosing a partner, also pay attention to how well a manufacturer can fundamentally develop new technologies. Delivering "cutting edge" technology once is not enough. Far more important is the staying power to keep up with new developments.
  • Analyze the manageability of your defense. Complexity in security does not deter a cybercriminal. Much more important is whether you are able to keep track of unusual events in your network. SOC and IT security employees are often overworked and can hardly keep up with their regular work, which makes it difficult to react correctly in an emergency.
  • According to the BSI, security is not a goal that can be achieved once but a process that must be continually adapted. In the past, new functionality was looked at periodically, when a license expired. That is no longer enough today. As cyber criminals continually work on attacks on businesses, businesses need to stay up to date with the latest technology to defend themselves. If your own employees cannot do this, managed service projects can provide support.
  • External protection is not enough. Attackers will make it through any defense. The key is how quickly you can locate them and then fix the problem. So-called XDR strategies are the newest option here. Our XDR strategy is called Trend Micro Vision One.
  • Consider a zero trust strategy. Above all, you should assume that your company's technology has already been compromised. Even if it is possible to convince a person to do something harmful, this is usually much more difficult than stealing passwords and deceiving the technology. That, too, is addressed by an XDR strategy.

More at TrendMicro.com

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.
