People are cybersecurity's weakest link
Human error accounts for more than half of today's data breaches, yet everybody seems to neglect that
Valentina Spiridonova
Six months, 945 data breaches, 4.5 billion records exposed: that is what the first half of 2018 looked like. Compared with the same period in 2017, the number of compromised records rose by a staggering 133%, according to Gemalto's Breach Level Index. Things did not improve in the second half of the year or at the beginning of 2019 either, with breaches and cyberattacks continuing to escalate and leaked databases reaching record sizes.
At the end of November, for instance, Marriott International publicly disclosed that the reservation database of its Starwood hotels had been breached, exposing names, passport numbers, payment card details and stay information of up to 500 million guests. Days later, Quora confirmed that names, email addresses, hashed passwords and other account data of around 100 million of its users had been taken. And in January alone, the world witnessed two further examples of how the problem is worsening. First, a misconfigured Elasticsearch database exposed 51GB of highly sensitive financial data, including Social Security numbers, names, phone numbers, addresses and credit histories. Then the so-called “Collection #1” surfaced: 87GB of data, or 772,904,991 unique email addresses and 21,222,975 unique passwords, put up for sale in what was described as the largest public data breach in history. Its disclosure was appalling not only because of its scale, but also because, unlike most earlier mega-breaches, it was not the data of a single, easily identifiable service but an aggregation of individual breaches from more than 2,000 databases.
The only consolation is that none of the aforementioned incidents surpassed Yahoo's 2013 breach, in which all three billion of its user accounts were exposed (a figure Yahoo only confirmed in 2017). But with data breaches now a top trend in the cybercrime world, and no sign of the trend stopping, that record may not stand for long.
So how is Europe trying to prevent incidents in which an individual's personal information, such as their name, Social Security number, financial or medical records, banking credentials or credit card details, is put at risk or stolen? The European Union is currently devoting considerable effort to strengthening its cybersecurity rules against this ever-growing threat. The European Parliament and the Council of the European Union recently reached agreement on a new cybersecurity law, the Cybersecurity Act, which on the one hand gives the EU's cybersecurity agency, ENISA, a permanent mandate and more resources, and on the other creates a European cybersecurity certification framework for the first time. Meanwhile, out of the €9bn proposed for the Digital Europe programme, the EP has also voted to allocate €700m to the development of advanced digital skills, in order to close the skills gap. Yet these measures remain largely theoretical and do not address the most essential cybersecurity problem: the human factor, which is behind 52% of security breaches globally, and the so-called 'security fatigue' across governments, organisations and individuals. Defined as a weariness or reluctance to deal with computer security, this 'condition' affects more than half of European citizens (51%) as well as 69% of European companies, according to a recent EC survey, proving that cybersecurity policies should focus more on helping ordinary people learn basic data security measures.
“Breaches are mainly caused by human error due to a lack of security fundamentals. Most companies as well as individuals secure their records with weak passwords (such as 12345678), refuse to update their systems (simply because they are used to the older version), or have insufficient security awareness regarding their susceptibility to social-engineering attacks, such as phishing and spear phishing,” an anonymous cybersecurity source tells EUROPOST, adding that this eventually leads to people disregarding the sources of emails, opening malicious or infected files, or running without antivirus software, which as a result turns them into cybersecurity's weakest possible link.
According to him, that negligence towards information security comes from the fact that a huge number of companies, not only in Europe but also worldwide, view breaches, internal actors manipulating data and other incidents as something that could never happen to them, much like a terrorist attack. Until it happens. And then it is already too late. Governments take the same stance, and that becomes an example for citizens as well. In a similar manner, business and political leaders underestimate the economic consequences of a possible cyberattack and see the fostering of a better educated cybersecurity workforce as a superfluous expense rather than a long-term investment, despite the fact that a data breach can result in reputational loss, damage to equipment and technical infrastructure, and other harms, and can nowadays cost tens of millions of euros.
“Very often breaches happen precisely due to a lack of attention or knowledge on the part of companies when handling the security of their information systems, or due to the insufficient security policies they develop,” the source adds.
This means one thing only: if organisations and employees keep letting their cybersecurity vigilance slip, and so keep making asymmetric attacks easier, the EU will never be cyber-proof and no personal data will ever be safe, no matter what procedures and tools cybersecurity authorities introduce at national or EU level.
To develop an innovative, structured security awareness programme that actually changes employees' behaviour towards data protection, governments and organisations first and foremost need to cultivate a security culture. Security has to be woven into an organisation's DNA and upheld by everyone, from the cleaners all the way to the CEO. Yes, changing habits is hard. Yes, it will take everyone a certain amount of time and patience to adapt to new security practices and security products, but that is essential in the rapidly changing cyberthreat landscape we live in. A line often attributed to Charles Darwin, although it appears nowhere in On the Origin of Species, says that it is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change. The observation applies not only to species, but also to businesses, governments and, at any rate, humans. And it applies with full force to cybersecurity, which is no longer a matter of choice, but of survival.