Why humans are the weakest link in cybersecurity

17 July 2019

Corporates seeking to protect digital assets must face an uncomfortable truth: the biggest threat to cybersecurity lies within the company. Mus Huseyin explains


Hackers prey on humans’ psychological flaws, targeting them as the “weakest link” in the cyber chain. There are increasingly sophisticated ways of abusing trusted employees and, in today’s turbo-charged world, our quest for “cognitive efficiency" makes us particularly vulnerable.

Since many business processes still require manual, human input, exploiting this weakest link remains a fertile field for hackers.


How cybercriminals exploit weak links

Our desire to quickly process information with minimal effort has created a unique vulnerability in the digital age. To breach an entire security network, all it takes is a moment for an exhausted or distracted employee to be duped by an email, which may appear perfectly legitimate at first glance, but is really a spear-phishing scam in its most sophisticated form.

Cyber fraudsters often leverage technologies that are more advanced than those deployed to stop them. Even the most diligent CEOs are vulnerable to these attacks, which employ highly sophisticated methods of deception. Scamming groups such as London Blue, which dupes money out of C-suite executives, have become all too common.

These attacks take a significant toll on businesses. McKinsey estimated that globally banks would lose in excess of $31bn for 2018. The FBI estimated that business email compromise – in which fraudsters pose as company executives or suppliers to trick employees into transferring payments to attacker-controlled bank accounts – cost $12.5bn+ between 2013 and 2018.

It’s not just finances that are taking the hit; the potential legal ramifications are huge. Public multinational companies are required to have adequate policies and procedures in place or risk facing fines, disgorgement, injunctions, disbarment, etc imposed by the Financial Conduct Authority and the Serious Fraud Office.


How companies are making the problem worse

In believing that general investment, increased human resources, or a culture of risk awareness will solve the problem, companies can be lulled into a false sense of security. They expend an average $2,000 per full-time employee on cybersecurity a year and put internal controls in place that aim to align various functions, such as fraud prevention, IT security and compliance, into a more cohesive group. These measures alone cannot eradicate human vulnerability.

Even the most conscientious employees make mistakes, and hackers know that a single slip-up is all it takes to expose a business to a massive cyber fraud. Having humans cover for human flaws is a self-defeating proposition. Companies must ask themselves: Does it make sense to continue relying on fallible humans to stop these attacks?

We know that pitting humans against technology can only work for so long – eventually, Deep Blue will win. Companies must look towards new, innovative methods of protection.


Future directions – is it time for a new paradigm?

Companies must rely less on employee diligence and training – as well as internal controls and procedures – since these are all fallible and imperfect ways to protect financial assets. They are ultimately "too traditional" to cope with the constantly evolving threats posed by the Digital Age. Instead, they must do everything in their power to prevent an attack from becoming monetized – after all, monetary gain is the ultimate objective in the vast majority of cybercrimes.

Technology can help companies achieve this end. Employing autonomous anti-fraud technology that enforces best-practice compliance can bolster human capabilities, bypass human error (socially engineered or otherwise), and also act against any internal threats in cases when controls are sidestepped and privileged access is abused. Furthermore, by deploying fraud prevention technology that begins with the payment’s point of origin, companies can amplify their payments fraud resilience by ensuring full authorisation prior to a bank transfer. This baseline then becomes a constant standard of "truth" along the transaction journey – ie during a transfer and at execution – preserving the integrity of payments information. In taking these steps, beneficiary payment data is protected, extinguishing the possibility that cybercriminals will be able to hijack and redirect payments to monetise their fraud efforts.

The future of cybersecurity rests in our hands – but only metaphorically speaking. Accepting our human weaknesses is a big step towards acknowledging the problem and opening our thought process to innovation – ultimately leading to removing ourselves from the cyber chain and adopting technology to innovate fraud protection and safeguard the financial security of your company.


About the author

Mus Huseyin is head of UK and EU at nsKnox

Scroll to top