VIEW 14
Cyber vulnerability pyramid
Vulnerability to cyber risk can be thought of as a pyramid with three parts. At the bottom layer is the technology component: the devices, the network, the firewall and all the other parts of the IT infrastructure. The mistake that many companies make is the belief that cyber risk belongs ‘down there’; that it is solely an IT issue and something for that department to sort out on its own. But there are two other layers of equal, if not greater, importance.
The next layer up is the process layer. There is always a debate in organisations about finding the best balance between resilience and efficiency. Security measures have an overhead cost, both in time and money, and are often viewed as an obstruction to business rather than an enabler. Process vulnerabilities normally stem from a misalignment between security procedures and business objectives. Processes may have been defined only to be ignored or only partially implemented. This is where executive buy-in is key. Department heads should not only lead by example but also provide constructive feedback to get the security-versus-efficiency balance right.

To err is human
At the top of the pyramid is the people layer. This can be seen as the area of greatest vulnerability, as 90% of cyber security incidents are reputedly caused by human error (6). This can be either accidental, as in a ‘fat finger’ error (see View #21), or malicious (see View #19). The vulnerability in the latter case at the people layer is known as social engineering. This is the psychological manipulation of people to get them to divulge confidential information such as log-in credentials. It exploits human curiosity by getting people to click on an interesting-looking link which then secretly installs malware in the system.
These are known as phishing attacks and come in these varieties:
Phishing: An official-looking email which appears to come from, say, your bank. It is really a scam to get your account passwords or credit card details.
Spear phishing: A targeted version of phishing directed at a single individual rather than a mass email list. Carefully crafted after research on social media sites, these messages target high-profile people in key roles.
Vishing: Voice-based phishing using the phone rather than email.
Smishing: As above, but using SMS messaging on a mobile phone rather than email.
The best defence against these attacks is user awareness training: teaching people not to click on dodgy links in emails. We leave the last word on the social engineering threat to the cyber security expert Bruce Schneier and his famous aphorism:
“Only amateurs attack machines, professionals attack people”.