Human Risks

1. Insider Threats

An insider threat occurs when a current or former employee, contractor, or business partner misuses their legitimate access to an organization's assets or information. This misuse can negatively impact the organization's confidentiality, integrity, or availability. Insiders pose significant risks because their trusted status allows them to bypass standard security measures. The threat can be malicious (motivated by financial gain or revenge) or unintentional (caused by negligence or error).

Set of controls:

  1. Alert when plugging a USB into a computer or server rack.
  2. Alert when someone emails from their work email address to their personal email address.
  3. Grant users only the minimum access rights necessary to perform their job duties, and no more.
  4. Encrypt all data within the company, both in transit and at rest.
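An added example, not from the original page, showing how the first two controls above could be expressed as detection logic run over constructed mail-gateway and endpoint USB events. The corporate domain, the personal-webmail list, the srv- host-name prefix and the event fields are assumptions.

```python
# Added example, not from the original page: a minimal detector for the two alerting
# controls above. Domain names, the webmail list, host prefix and event shapes are assumed.

CORP_DOMAIN = "corp.example"                                   # assumed organization domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}  # assumed webmail providers

# Constructed sample events: three mail-gateway records and two endpoint USB records.
SAMPLE_EVENTS = [
    {"type": "mail", "from": "alice@corp.example", "to": "alice.smith@gmail.com", "subject": "Q3 forecast"},
    {"type": "mail", "from": "alice@corp.example", "to": "bob@corp.example", "subject": "lunch"},
    {"type": "mail", "from": "bob@corp.example", "to": "ap@partner.example", "subject": "invoice"},
    {"type": "usb", "host": "srv-rack-07", "user": "carol", "device": "Mass Storage"},
    {"type": "usb", "host": "wks-0192", "user": "dave", "device": "HID Keyboard"},
]


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_mail(event):
    """Control 2: alert when corporate mail is addressed to a personal webmail account."""
    if domain_of(event["from"]) == CORP_DOMAIN and domain_of(event["to"]) in PERSONAL_DOMAINS:
        return f"ALERT mail: {event['from']} -> {event['to']} ({event['subject']})"
    return None


def check_usb(event):
    """Control 1: alert on removable storage. Hosts named srv-* are assumed to be
    server-rack machines and rated HIGH; workstations are rated MEDIUM."""
    if event["device"] != "Mass Storage":  # keyboards and mice are assumed benign here
        return None
    severity = "HIGH" if event["host"].startswith("srv-") else "MEDIUM"
    return f"ALERT usb [{severity}]: {event['user']} attached storage to {event['host']}"


CHECKS = {"mail": check_mail, "usb": check_usb}


def evaluate(events):
    """Run the matching check on each event and return every alert raised, in order."""
    alerts = []
    for event in events:
        check = CHECKS.get(event["type"])
        result = check(event) if check else None
        if result:
            alerts.append(result)
    return alerts
```

Running evaluate(SAMPLE_EVENTS) raises two alerts: the work-to-personal email and the storage device on the server host; the internal mail, the vendor mail and the keyboard are not flagged.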

Training program:

The insider threat training program addresses both malicious and unintentional insider threats. Its primary goal is to educate employees, contractors, and partners on threat types and their impact. The training will feature modules on understanding the psychological elements behind insider actions and recognizing behavioral indicators. The program will also cover best practices for data handling, the principle of "least privilege" access, and secure offboarding procedures. The program focuses on establishing a security culture where everyone understands the risks and protects company assets. Security professionals will then assess the effectiveness of the training program through regular simulated tests and by monitoring incident reports.

2. Third Party Risk

Third-party risk is the threat posed to an organization's systems or data when a security vulnerability at an external partner (such as a supplier or service provider) leads to a compromise. This risk is significant because the organization lacks direct control over the vendor's security practices, meaning any weakness in their defenses can provide a direct pathway for an attacker to breach the organization's network and potentially move laterally into other internal systems.

Set of controls:

  1. All cloud services use infrastructure as code.
  2. Connections from compromised vendor systems are immediately isolated.
  3. Inventory and monitor all vendors used in the company.

Training program:

The program will include separate modules for procurement, IT, and security staff. These modules will focus on vetting new vendors and securely configuring access in accordance with the Principle of Least Privilege (PoLP). It will emphasize training on contractual security requirements and the human errors involved in misconfiguring network segmentation between the company and the vendor. The assessment will involve role-playing scenarios for vendor onboarding. Additionally, it will include auditing IT configurations to ensure that proper security policies are applied, preventing any initial security weaknesses.

3. Social Engineering

Social engineering is a risk that involves manipulating human behavior to achieve a specific goal. In this tactic, an attacker deceives individuals into revealing sensitive information or taking actions that compromise security. Unlike technical attacks, social engineering exploits human psychology rather than software vulnerabilities. The impact of the risk is high because it exploits a combination of human weaknesses. The core vulnerability is not a software flaw but rather human nature, including emotions, lack of awareness, and a willingness to be helpful or trusting.

Set of controls:

  1. Be skeptical of unfamiliar people entering the workplace or other shared settings.
  2. Verify credentials at work, especially when someone you have never met requests access to a building.
  3. Read emails from unknown addresses carefully, and look out for bad grammar, mismatched fonts, or inconsistent font sizes.
  4. Verify that the URL in the email has 'https' and not 'http'.
  5. Do not click on email attachments hastily.

Training program:

The training program will consist of a series of social engineering simulations involving vishing, phishing, smishing, and spear phishing, targeting different employees. Every three months, employees will undergo a mandatory training program that covers all risks associated with social engineering. Then, at random points during those three months, employees will be tested by a simulation developed by the offensive security team. Employees have two hours to identify and report a simulated attack, such as smishing, phishing, vishing, or spear phishing. Those who report within this timeframe will automatically be entered into a monthly prize drawing. Incentives: small, rotating prizes (e.g., gift cards, a premium parking spot for a week, lunch with a manager, company swag).

4. Human Error

Human error risk occurs when someone makes a mistake in their task or makes an incorrect judgment. Human error can be triggered by fatigue, distraction, poor interface design, or very rigid and complex procedures. These errors occur not only in cybersecurity but also in physical security.

Set of controls:

  1. Role-based training to address different departments in the company.
  2. Enforce easy-to-follow policies and procedures.
  3. Foster a no-blame company culture. When mistakes occur, provide time for reflection and guidance to help employees learn from the experience.

Training program:

The training program will include a monthly awareness session, during which participants can provide feedback on existing security procedures. Different company divisions will present the monthly training, focusing on their specific security procedures. This structure will allow employees to ask questions directly to division leads. Employees will gain a clear understanding of the specific risks linked to each department.

5. Negligence and Poor Practices

Negligence and poor-practice risks stem from poor security hygiene. A company with a weak password management system may end up allowing easy access to critical parts of its organization. Humans can also fail to patch a system when critical vulnerabilities exist, which can lead to supply chain attacks. A company may have poor security policies, which can lead to a lack of penetration testing, potentially increasing internal and external vulnerabilities. Poor policies and procedures can also increase the likelihood of an insider threat due to inadequate oversight and monitoring within the company.

Set of controls:

  1. Use an encrypted password manager.
  2. Automated patch management for all devices within the company.
  3. Data loss prevention (DLP) monitors, detects, and blocks sensitive information from being copied, printed, or transferred off the network.

Training program:

The Security Mentor program is designed to address the risks associated with poor security hygiene, including weak password management and failure to patch critical systems. It directly counters these risks by enlisting top-performing employees as volunteer mentors. These mentors provide tailored support to high-risk colleagues, helping to address issues like negligence and a lack of proper security practices. The program enhances organizational security by providing mentors with recognition and opportunities for development. This strengthening of internal oversight and monitoring helps reduce the likelihood of both internal and external vulnerabilities.