The biggest blind spot in network security: “human vulnerability”

In the modern enterprise network security defense system, personnel are the weakest link, but also the least valued one. In other words, personnel are the “loopholes” that hackers are most likely to break through and exploit, and they are also the shortest stave of the barrel in enterprise security: the area with the least investment and the slowest improvement. The results of gosecurity’s 2020 global enterprise security survey directly reflect this problem:

For a long time, state-level hackers with half a dozen zero-day vulnerability gems on their gloves and three doctoral caps on their heads have been considered the most dangerous species in cyberspace, and enterprises are keen to purchase the most advanced network security technologies and solutions and to raise their level of security tool integration and automation. However, the reality is just as the above survey data shows: the most effective network security measure is to improve the security awareness of employees, yet the budget for staff security awareness training is the smallest. This leads to a global network security blind spot and paradox: human vulnerability is the most dangerous vulnerability and the easiest to fix, but also the most difficult to fix.

It is therefore not difficult to understand why “human factor” was the theme of the RSAC 2020 network security conference, an event that focuses on the most cutting-edge network security technologies and products. This sets the tone for the development of the network security industry in 2020: the long-neglected issue of personnel security awareness and the related management problems have become the biggest “security debt” of the network security industry and the enterprise community.

In 2020, the most significant trend in cyber crime is industrialization and “marketization”: “cloud crime”, “crime as a service”, “sharing crime”, “incident crime”, “precision crime” and so on are continuously lowering the technical threshold of network attacks such as APT, ransomware, artificial intelligence, botnets and BEC email, so as to let more people who are good at taking advantage of “human vulnerability” At the same time, the weak point of enterprise network security, personnel awareness, is facing more complex and dangerous threats than in the past.

In 2020, the security threats and incidents with the most serious potential damage and loss are often related to “personnel loopholes” or internal threats. From the deletion of databases at Weimeng to the large-scale account hijacking at Twitter, from Honda’s shutdown to the collective mining on supercomputers around the world With the epidemic spreading all over the world, telecommuting will become the “new normal” of the next decade. When a large number of employees leave the firewall behind and work from home, the attack surface faced by enterprises is magnified geometrically. A network attack that takes advantage of human vulnerability can easily paralyze the global business of a multinational company.

According to figures released by Lvmeng Technology in March this year, 1/3 of the security incidents in 2019 were related to negligent security management or weak security awareness among employees. Among the security incidents handled in 2019, weak password events accounted for 22%, phishing mail related incidents accounted for 7%, and improper configuration events accounted for 3%. Security incidents related to people and management together accounted for 1/3 of the total. Weak management and insufficient security awareness among employees are easily exploited by attackers.

In the first half of 2020, the global shift to telecommuting caused by the epidemic further magnified the threat from “human vulnerability”, and market demand for security awareness services began to grow rapidly. In the United States, the world’s largest cybersecurity market, KnowBe4, a start-up in cybersecurity awareness education, has annual revenue of more than $100 million, and its business grew 40% year-on-year during the first quarter of 2020.

According to a Tessian report, 33% of employees in the United States and the United Kingdom make security mistakes at work, posing a network security or data security threat to themselves or their companies. The report points out that human error has become the main cause of data leakage today, and goes on to study why people make mistakes and how to prevent them before they do:

When asked what types of errors they made, a quarter of employees admitted to clicking on links in phishing emails at work. Employees aged 31 to 40 were four times more likely to click on phishing emails than those over 51, while men were twice as likely as women to click on phishing emails.

47% of employees think that distraction is the main reason phishing fraud succeeds. This was followed by the email looking realistic and legitimate, with 41 per cent disguised as emails from senior executives or well-known brands.

In addition to clicking malicious links, 58% of employees admitted sending work emails to the wrong recipients, of which 17% were sent to the wrong outsiders.

This simple mistake can have serious consequences for individuals and for companies, who must report the incident to regulators and their customers. In fact, one in five respondents said their company had lost customers by sending the wrong email, while 12% of employees had lost their jobs.

The main cause of email security incidents is fatigue, followed by distraction. 57% of respondents said they were more distracted when working from home, and a sudden shift to telecommuting may make businesses more vulnerable to security incidents caused by human error.

The report’s findings require companies to understand the impact of stress and work culture on human error and cyber security, especially in view of the events of 2020. Employees revealed that under pressure they make more mistakes, get tired, become distracted and work faster.

It is therefore worrying that 61% of the respondents said that their company had a culture of dedication that pushed their working hours beyond the normal range, and 46% of employees had experienced job burnout. “Understanding how stress affects behavior is crucial to improving network security,” says Jeff Hancock, a Stanford University professor and social dynamics expert.

“In 2020, the workplace is under unprecedented pressure, but worse, hackers are taking advantage of this vulnerability. As a result, companies need to train their employees to understand how hackers use pressure during this period of time and the security incidents that human errors can lead to.”

The report shows that people of different ages, genders and industries differ significantly in their network security behavior. “One size fits all” network security training and awareness methods cannot prevent human error events. The results of the survey included:

· Half of employees aged 18 to 30 said they had made mistakes that could affect the company’s network security, compared with only 10% of employees over the age of 51.

· 65% of 18-30 year olds said they had sent an email to the wrong recipient, compared with 34% of people over 51.

· 70% of the employees who admitted to clicking on phishing emails are young people between the ages of 18 and 40. In contrast, only 8% of people over the age of 51 said they had done the same thing.

· Employees in the technology industry are the most likely to click on links in phishing emails, with 47% of respondents in the industry admitting they did. They are followed by employees in the banking and financial sectors.

Tim Sadler, chief executive officer of Tessian, said: “Cyber security training needs to respect the fact that the network security behavior patterns of the new generation of employees are very different, and it is unrealistic to expect every employee to discover fraud 100% or make correct network security decisions at any time.”

To prevent simple errors from evolving into serious security incidents, enterprises must give priority to network security at the human level. This requires understanding the individual behavior of employees and tailoring training and policies to it, so that network security practice becomes an organic part of corporate culture rather than a ritual routine.