“You are the weakest link, goodbye…” For those old enough to remember that line, you’ll also be suffering from the “Humans are the weakest link” message that gets continually trotted out. Most organisations and many governments attempt general awareness campaigns, but this mostly falls on deaf ears. I’m in favour of a two-pronged approach:

1. Put targeted awareness campaigns in place for those with the riskiest behaviour and the highest consequences of compromise (see ‘Deal with human risk’ on glock.co.uk);
2. Establish controls which mitigate the behaviour of those that, no matter what you do, will always ‘click the dodgy link’…
Most data threats to the public sector come from attacks on people rather than on the organisations themselves, and this requires a new approach to mitigating the threat.
Figures from the Information Commissioner’s Office on UK incidents over the first half of 2020 show that, within public sector organisations, over 80% of reported incidents were classified as ‘non-cyber’. The majority of all incidents came from inadvertent disclosure of data, and the trend has been for malicious action to be targeted at end users rather than at the organisations. The aim is not to ‘damage and destroy’ but to obtain personal details about individuals for the creation of false personas.
Probably the most valuable information an actor can obtain from an individual is a National Insurance, NHS or passport number, and data thieves have become clever at deceiving people into giving up these details. They send emails from false domains, with links to lookalike websites, to persuade the public and public sector employees to enter information that can then be abused.