The Aon ERM Centre of Excellence teamed up with Rudi Dicks, senior cyber consultant at BDO Forensics and Cyber Lab, to demonstrate how employees are the biggest cyber security threat.
According to Rudi, the easiest way to hack into a network is by exploiting the one vulnerability most often left unpatched: human nature.
Why bother fighting through all the security management systems deployed by a competent IT department, when instead a hacker can get an employee to click on something they shouldn’t and gain full access to the infrastructure, bypassing even the costliest and best security measures?
It’s much easier than people think. Here’s how:
Method 1: Using the LinkedIn platform, a hacker will search for employees of a target company with more than 500 professional connections. They then pick one of these employees – let’s say Joan, in HR – as the target of their attack. The hacker sends Joan a fake e-mail notification from a high-level executive, the head of HR for a big bank for example, wanting to connect with her. Joan, who has already received many such requests, won’t think twice about clicking on the link.
At this point, unless the IT department is up to date on every single patch (including Joan’s favourite browser, which usually must be updated manually on each machine), the hackers have gained access to her machine. They have bypassed the firewall and anti-virus and can read or copy any information Joan has access to, including her cloud storage, mail and documents. They can even turn on her webcam to see whether she is at her desk, or record her keystrokes.
Hackers exploit human nature. They know that people are generally helpful and curious, and they don’t hesitate to use this to their advantage. Joan is not a bad person, and it’s nothing personal, but more often than not, she is their key to the “good stuff”.
Method 2: A hacker walks up to reception wearing a suit and a tie and pretends to be flustered. “I’m here for an interview and I’ve just spilled coffee on my CV. I have to make a good first impression! Please could you help me print a copy of my CV from my memory stick?”
In goes the memory stick and she runs the programme that looks like a PDF file (but it isn’t). She is understanding and sympathetic when the file doesn’t open, and eventually, in exasperation the hacker tells her he’s going to run back to the car to look for another copy. Job done!
He now has access to her machine and can use this to gain access to other computers on the network because who wouldn’t open an email from their friendly receptionist?
Method 3: Hackers leave USB memory sticks lying around their target’s offices, or in the parking lot if the building is access-controlled. The stick is clearly marked as ‘confidential’ or even ‘payroll’ – who can resist?
If employees haven’t been taught better, someone will plug that stick into their computer and run the hacker’s file, giving him full access. All he has to do is play to human nature.
How to address the problem?
Part of the problem is in the question. Technical people try to solve people problems with technical solutions. IT departments get into a cat-and-mouse game with attackers by installing new tools to prevent cyber attacks, while hackers simply write new exploits and code that circumvent those tools.
A far better approach is education. Cyber awareness training shows employees how they can be exploited and what to do to prevent it, drawing on real case studies. Effective, ongoing education is key to employees being the greatest asset in the fight against cyber crime.
Aon South Africa,