September 2022 Issue: Co-operator Newsletter Quarterly Issue 2022

“To be a human is to err”: the roles humans play in cybersecurity breaches


With increasing dependency on technology and digital systems over the years, societies and organisations have shifted how they function. The same technology that gives businesses the opportunities and interconnectedness to scale also exposes them to harmful cyber risks. Today, it’s not surprising that cybercrime incidents have skyrocketed, prompting organisations to take necessary precautions to bolster their security.

In late July, the Smart Nation and Digital Government Office reported a sharp 65% increase in government data incidents, from 108 cases in FY2020 to 178 cases in FY2021. This increase mirrors what the private sector sees and what is happening globally, where the exchange and use of sensitive data have become increasingly common. According to the Global Risks Report released by the World Economic Forum this year, 95% of cybersecurity issues could be traced back to human error, which may run the gamut from staff clicking on phishing emails to falling prey to impersonation scams.

Humans are the weakest link

Employers, employees and other relevant stakeholders are inherently responsible for an organisation’s cyber health. “Employees have, and need, access to business-critical information in order to perform their roles and responsibilities,” says Ms Raen Lim, an EXCO member for the Singapore National Co-operative Federation (SNCF), on why staff are the weakest link in an organisation. Ms Lim, also the Group Vice President of San Francisco-based technology company Splunk, adds: “(Staff members) are often targets of malicious attacks.”


Mr Christophe Derdeyn, a partner at IT consultancy delaware Singapore, echoes the same sentiment. He posits that organisations are becoming increasingly vulnerable because the hackers’ tactics are now even more sophisticated. On why employees may have unknowingly fallen prey to cyber-attacks, he added: “Employees tend to get careless when they perform manual and mundane tasks repeatedly. They might have mistakenly accessed a cyberthreat as they prioritise efficiency rather than meticulousness.”

The pandemic did not make it any easier for organisations to amp up their defences effectively either. In its 2022 State of Security Report, Splunk (which produces software for searching, monitoring and analysing machine-generated data) revealed that 65% of organisations worldwide have seen a measurable increase in attempted cyber-attacks, with 49% of these companies suffering a data breach over the past two years. “Some of these cyber-attacks may even be attributed to remote working,” Ms Lim says. Employees working from home may have allowed their children access to their work devices for home-based learning, video streaming or gaming, or even sent company information to the wrong parties.

Besides a lack of security awareness, inadequate software security can be another reason employees are particularly vulnerable. Some organisations may use outdated, legacy software just because they are familiar with it, potentially leaving themselves vulnerable to cyber-attacks. Technological solutions and software require constant updates to function optimally. Some employees may disable such security updates, thinking they hinder their daily operations, when doing so does more harm than good.

How to overcome risky human errors


To strengthen an organisation’s cyber-resilience, leaders need to understand that digital trust is a currency that fosters growth and innovation. More importantly, they must step up and encourage staff members to upskill themselves with cybersecurity know-how.  

So how can you overcome these risky human errors? Both Mr Derdeyn and Ms Lim suggest getting acquainted with some of the human behaviours that may put organisations at risk of cyber threats. Ms Lim adds: “Regular employee engagement and security awareness training are important to create a security mindset amongst the employees and to motivate them to remain vigilant to cyber threats and countermeasures.”

Check out some of these familiar sources of human errors below:

Poor password hygiene

Many cyberattacks use stolen credentials to breach an organisation’s internal network. Employees who practise poor password hygiene are particularly susceptible to these attacks. Ms Lim argues that employees who use weak passwords, reuse passwords, and share passwords with others put organisations at risk. “Unfortunately, these passwords can be hacked within a second, and hence do little to protect the organisation’s systems and data,” she says.

Victims of Social Engineering

Sophisticated and new modes of technology have enabled bad actors to enact more elaborate forms of cyberattacks. For instance, deepfake technology, which is particularly rampant on social media and can replicate someone’s identity to spread false information, can be employed in social engineering ploys.

“Employees may sometimes find themselves as victims of social engineering,” says Ms Lim. Social engineering in cybersecurity refers to the use of deception to manipulate victims into divulging classified or personal information. One of the common forms of social engineering is email phishing.

How to further improve an organisation’s cyber-resilience


Recognising some familiar sources of human errors may be a step in the right direction, but here’s what you need to know to strengthen the cyber-resilience of your organisation for the long haul.

Advocating for better password hygiene

Strong passwords can help keep your online accounts and personal information safe. A strong password should always contain a mix of uppercase (ABC) and lowercase (abc) letters, numbers (12345), and some special characters (!?@%$#). According to the Cyber Security Agency of Singapore (CSA), a strong password should comprise at least 12 characters. Organisations can also look to incorporate two-factor authentication to add an extra layer of security. It is equally crucial for you to change your password every three months.

Ensuring checks and balances

Ms Lim suggests organisations should look into having more controls put in place to prevent human errors. She says: “Access to IT systems and information should be based on the principle of least privilege. Controlling the data and access to IT systems by employees can limit the chances of them falling into the wrong hands.” Email security solutions can also be leveraged to filter phishing emails and minimise employees’ exposure.

Mr Derdeyn, however, encourages organisations to embrace automation to overcome lapses. He also adds: “It is important for organisations to conduct regular audits and identify the gaps which are most prone to human errors.”

By Sng Ler Jun


Who we are

SNCF is the apex body of Singapore’s Co-operative Movement, and secretariat of the Central Co-operative Fund (CCF). Formed in 1980 with the aim of championing Singapore’s Co-operative Movement, the apex body represents the majority of co-operative members in Singapore through its affiliated co-operatives.