12 February 2024 - Neil Camden, Solutions Architect

Cybersecurity and “The Human Layer”

In order to explain complex concepts, networking and security is often broken down into layers. At its most basic, the 7-layer OSI model will be familiar to anyone who has worked in networking. It starts at Layer 1 (Physical), which covers cabling and connectivity and moves through various concepts up to Layer 7 (Application), which details how data is presented to an end-user. But what about the user sitting at the computer running the application?

 

Cybersecurity and “The Human Layer”

Layer 8 (“The Human Layer”) has been unofficially added to the OSI model by many people, particularly IT teams and Service desks, who need to factor in the behaviours at this level when troubleshooting issues. It is also vitally important to application and web developers, who need to understand how users interact with the computer interface.

Human error is often the root cause of many computer issues and anyone who has worked on a service desk will be familiar with terms such as an “ID-ten-T” error (1D-10T/ "idiot"), PICNIC ("Problem In Chair, Not In Computer") and IBM error ("Idiot Behind Machine”).

Whilst these can be amusing, when you factor human behaviour into modern cybersecurity challenges and strategies, it can be devastating technically, financially and for business reputation, if human error is allowed to initiate or enable a security breach.

Firewalls, endpoint protection, web proxies and malware protection are all critical pieces of technology designed to protect your organisation from cyberattacks. But all the technology on the market cannot give 100% protection. Be very wary of any supplier who says it can!

 

Cyber Criminals and Their Methods of Attack are Becoming More Sophisticated

The attack path for this can be via malicious web pages, “Evil Twin” WiFi networks or SMS messages, but the most common route is via email.

People tend to believe that if an email reaches their corporate inbox, it is secure. They will (rightly?) think that it has been through a company scanning process and has been deemed “safe”. It is simple human nature to enjoy receiving nice things and email is the easiest way for attackers to reach individual end users, either by wide-ranging spam emails, or via more targeted “spear phishing” emails, often directed to users with privileged access (think CEO, payroll manager, HR director, IT administrator).

One cybersecurity training company noted that 25% of users who received a “Dropbox document share” link via email opened it. A supposed Amazon Gift Card link fooled 21% and anything with Google or Microsoft mentioned got a 17% hit rate. People want to trust.

Being deceived by an attacker, or making a simple mistake are the most common ways that users impact cybersecurity, but there is also the problem of malicious “insider threats”. These are employees or individuals with insider access to an organization's systems and a desire to steal data or carry out an attack. These users are often “trusted” by security platforms and are notoriously hard to find.

When you also consider that in this time of Hybrid working, users often work outside of the corporate environment (at home, on the train, in a coffee shop) and are often using their own personal mobile devices, the challenge of managing the Human Layer becomes complex and sprawling.

 

So how do you add security to the Human Layer?

If you work to the “Assume Breach” principle (and you should), then you assume that at some point (maybe already), your security infrastructure will be breached.

By putting in systems that log all behaviour (particularly by Privileged Users) and access to critical systems, you stand the best chance of spotting unusual patterns and can stop breaches quickly, often before any payload or malicious damage is carried out.

Platforms such as Privileged Access Management (PAM) and Managed Detection & Response (MDR) can help to spot these unusual patterns and will often leverage AI, which is particularly good at spotting human-like behaviour. This is far more effective than legacy methods of using lists of known threats and signature databases.

Principle Networks work with multiple vendors that provide these services and we are highly experienced in incorporating them into our network and security Managed Services. Get in touch if you would like to add another layer of security to your existing infrastructure, or even if you are starting afresh.

Alongside this, the National Cyber Security Centre (NCSC) and other governing bodies strongly recommend regular awareness training for all employees, to educate them on everything from spotting phishing, through to how to report a potential attack. Many compliance standards such as ISO27001 and Cyber Essentials detail how to best protect the Human Layer and we would recommend adherence to one or more of the available Frameworks. 

The Human Layer is arguably the most important layer in any business. Make sure it is not the weakest link in your business and instead empower it with the right tech and security tools to help build and grow your business safely.