
The Human Element of Cyber Security

November 2, 2019

We live in a fast-moving world where information and ideas are exchanged at high speed, and that makes data protection and security everyone's concern. In the age of the Internet and new technologies we face a wide range of cyber threats, risks, and attacks.

When it comes to cyber-attacks, one of the biggest challenges is the human factor. Whatever level of protection a company implements, and whatever processes and technologies it uses, an attack almost always comes down to the human element, because the one thing that has been 'hackable' throughout history is people. This is where social engineering comes in. Social engineering is a relatively new name for an old craft, the con; phishing and baiting are its modern forms. Social engineers do not attack a company's firewalls or other defensive technology. They target its most exposed element: its employees.

By INFIMA's estimate, human error is involved in more than 90% of breaches: more than nine out of ten attacks succeed because an employee clicked a bad link or typed their credentials into a malicious site, which gives the intruder a foot in the door to proceed with the attack.

Attackers use every available trick to get the user to launch an unwanted program, or to enter credentials somewhere that only looks legitimate, by presenting it as part of the normal user experience or as legitimate software. The usual goal is to install unwanted software such as viruses, spyware, or crypto miners, or to capture a username and password on a look-alike login page. The most common way users run malicious software on their own systems is by opening infected applications and email attachments, or by acting on suspicious LinkedIn invitations, PayPal notifications, and even Facebook friend requests that arrive by email.

Common Reasons For Human Error in Cybersecurity

In most cases, employees break security rules not out of malice but while trying to get their work done. These are some of the most common reasons:

  1. Lack of knowledge – Most cyber-attacks start with phishing (INFIMA puts the figure at over 90%). The fact that so many employees "fall" for phishing shows a lack of training in recognizing the threat. The same applies to non-compliance with corporate policy: employees who use inadequate protection on their computers while travelling, download risky applications, or store data in unprotected public cloud storage.
  2. Poor password practices – A single compromised credential opens every account that shares it. The risk comes from weak or guessable passwords, the same password reused across work and personal accounts, and passwords shared with colleagues.
  3. Convenience – Often employees know they are breaking the rules but do it anyway for convenience. They are willing to share sensitive, confidential, or secret information when they think it will get the job done faster.
  4. Misdelivery – An employee sends an email containing confidential data to the wrong recipient.
  5. Negligence – Employees often let friends and family use their work devices at home. This is highly risky, since a family member can accidentally download malware that then has access to bank accounts, corporate data, and storage.
  6. BEC or CEO fraud – Business Email Compromise has earned criminals billions of dollars in recent years. The attacker emails or calls an employee while posing as a senior figure in the company and, playing the urgency card and exploiting the employee's desire to be helpful, pressures them into wiring a large sum to an attacker-controlled account. The defence Cahill describes in the interview below is out-of-band verification: before any wire, call the requester back on a number you already had, never one supplied in the message.

Cybersecurity Service – Make Security a Priority

Cyber-threats keep evolving, and attackers keep finding new ways to take advantage of employee weaknesses. Careless or hasty actions by employees can do severe damage: one bad click can leak data or interrupt or halt production, at substantial financial cost to the company. Fortunately, companies are aware of this problem and are trying to solve it by training their staff and setting rules of conduct.

Cybersecurity companies are focusing on educating employees about the risks they face daily. Employees need to learn how to recognize and respond to potential threats in order to limit the effect of an attack. Because it is indispensable in reducing damage to the organization, education in safe behaviour should begin during onboarding and continue throughout employment.

No company is immune to cybercrime. Every organization should therefore prioritize security, because an investment in security is an investment in the company's future and progress.


Is your company safe?

Joel Cahill is the co-founder and CEO of INFIMA Cyber Security. INFIMA takes a research-based approach to cybersecurity, aimed at defeating hackers' schemes with a state-of-the-art security program. They take care of security so their customers can focus on what needs their attention. INFIMA combines the latest advances in technology with research on behaviour and security, delivering a product that produces meaningful change in employee security in the simplest way possible.


Learn more about how INFIMA Security can protect your company by listening to this episode of The Thoughtful Entrepreneur.


Read the Transcript

Welcome to The Thoughtful Entrepreneur Show. I'm Josh Elledge, founder and CEO of UpMyInfluence.com. We turn entrepreneurs into media celebrities, grow their authority, and help them build partnerships with top influencers. We believe that every person has a unique message that can positively impact the world. Stick around to the end of the show, where I'll reveal how you can be our next guest on one of the fastest-growing daily inspiration podcasts on the planet, in 15 to 20 minutes. Let's go. Alright, Joel Cahill, you are the co-founder and CEO of INFIMA Cyber Security, which is based here in Orlando, which is where I happen to be. Now, I really want you to explain what INFIMA is, because I think the concept is so super smart, and I'm really excited for you guys, because I think you're positioned in such a great way for what is just a part of our lives now. And if I'm looking at my crystal ball, I think it's going to be a bigger and bigger part of our lives, a daily part of our lives, and that has to do with cyber security. But you guys have a really interesting approach, an interesting solution, to helping mitigate what, like 90% of the problem? Is that right?

Yeah, there's a big problem out there. You're absolutely right. Unfortunately, at this point you don't wake up without new headlines of more attacks. And so you're right, our solution is focused on the human element in cyber security, which does make up over 90% of these attacks. It is more than nine out of every ten attacks that only happen because, and after, an employee has clicked on a bad link or put their credentials into a malicious site. And that gives the attackers a foot in the door to leverage that attack.

And I think people may not be aware of just how huge a percentage the human element is. Is it just much easier for hackers to do it that way?

You know, a lot of it is that there's been a lot of money spent on technical solutions. And so most organizations have great technical solutions, whether it's antivirus, spam filtering, firewalls, so you can't just brute-force your way in, as much as the movies portray the guy in a dark room, right? It doesn't happen. But the one thing throughout history that has always been hackable has been humans. That's where social engineering is. It's this new term for what we always would call a con man. And there have been a whole lot of those throughout history, and they just take different shapes based on social norms. But we, as humans, we want to believe things; we actually have to believe things, otherwise we can't create community. And the internet, unfortunately, because of its anonymity, gives rise to these issues where somebody can parade around as someone else.

So Joel, I think a lot of us say, well, that only happens to other naive people; that never happens to us. But can you share some examples of just how crafty some of these hackers are?

Yeah, you know, one of the nonprofits we do work with, we had that same kind of conversation. The friend who runs it said, hey, look, we're pretty sharp, we have a really sharp organization, and they do; it's an awesome organization. I said, okay, cool, if it's not for you, it's not for you. And so the next day we just crafted a quick little email. We went on to his LinkedIn, where you could find out who his assistant was; we went on to the website and found out what the latest project they're doing is. So we crafted an email that looked like it came from his assistant and said, Hey Dave, look at this latest project going on over here, and here's a New York Times article, just a little link to what looked like a New York Times article. And it was within 30 seconds that he had clicked. Because it's very believable, right? If your assistant sends you something that's relevant to the topic you're normally discussing. And so that's very often what some of the attacks are. But even more broadly, it's somebody just sending out a ton of different, say, LinkedIn invites that look like somebody you might have met at a trade show, or a PayPal notification: hey, you've just gotten 20 bucks, click here so that you can retrieve it in your account. Okay, maybe somebody sent me money, I don't really know. Or you're like, no, that's wrong, I'm going to click on this email and let them know that's wrong. Well, no matter what, the attacker has now gotten your information, whether they've loaded something malicious on your computer or you've logged in to a fake website and given them your username and password. It's way easier than you would ever think. Sadly.

Yeah, I mean, really, anybody that puts a link in a message or an email: if they're sending you an HTML email, they may spell out the link, but you don't actually see the actual link you're clicking on. And if they use a shortened link, which is really common, like if they're using Bitly or whatever, all bets are off. They can send you anywhere.

Correct.

And so are there any best practices? I mean, generally, if you were to say, listen, at the very least never do this, this, this and this, and always do this, what would you say are your three to five biggest pieces of advice for anybody to keep themselves safe?

Yeah, the perfect question for what we do. We focus initially on education. We want somebody to understand, for starters, that the internet's a dangerous place. And unfortunately, that's just a reality that we have to accept. Next is, what does that mean for me? If the internet's a dangerous place, and I am at risk, at home and at the office, what do I now need to do? Well, when it comes to the bulk of phishing emails, these malicious emails are actually coming through what appear to be social media invites: a LinkedIn notification or a Facebook friend request, a payment notification, something that has to do with people in your network. Well, there's never actually a reason to click on those emails. We focused in on what's the safe behavior. When you're teaching your kid how to cross the road at an early age, you don't teach him stopping distances between '98 Civics and Teslas. You actually say, look both ways, only cross the road once it's clearly safe. But what we're doing in a digital sense is walking down the dark alleyways when there is a lit path around the corner. That lit path could be: delete that email, go to LinkedIn.com. Then the next is productivity emails. They're really, really important when you need to communicate with somebody via Dropbox, let's say, but you need to think: did I just have that conversation? Josh, you and I were talking, and then you sent me a Dropbox email that says, hey, these are the files that we had just discussed. Great, there's a very high probability that that is right. In fact, there's such a low probability that that is a malicious email that I'm comfortable with it. Now, if I get an email from you that is three weeks out, four weeks out, a month out, it's not relevant to our particular discussion, and there was no point where you had said, I'm sending you a Dropbox email, that could be odd, because somebody might say, oh well, Josh and Joel just connected on LinkedIn, I'm going to fire this off to Joel and see if that works. So what we focus on is those safe behaviors. The first point is, hey, delete it. If you don't need to open it, if you don't have to click on it, just delete it. And the next is, if there is something that is really relevant to your productivity, go back and contextualize. Is that something that Josh was supposed to send me? Yeah, absolutely. And if not, I'm going to fire off an email that says, I'm not sure that this came from you. And that's critically important. And then I'd say, along those lines, one of the other really, really bad things that have been happening are fraudulent wire transfers. And to a lesser extent, it's been popular, but it's not as much money that's been lost, a lot of these Apple gift cards that people will get requested: the boss sends an email and says, hey, send $5,000. Well, usually that's not putting a business out. But these fraudulent wire transfers are. And so the next thing is, okay, so it's not a LinkedIn or a social media invite that you don't have to click on. It's not a productivity measure that you need to actually have access to, like Dropbox. Well, now what do I do if it's somebody giving me information that's critical for the next step that I need to take, a wire transfer? Well, then that last piece is you actually have to physically verify. We cannot stay in the digital world. The digital world provides anonymity; the physical world doesn't. So you need to bridge that, which means if you're a mortgage company and somebody says, okay, you're going to wire this money to this account, no matter what, you pick up the phone and you call a previously known number, not something that was in that email. Yeah, Josh, you're buying that house, send the wire here, and if you need to verify, call me at this number. Well, now I, as the enemy, have just protected my closed system. And those are really some of the most critical pieces. It's just a change in behavior. You don't have to become a cyber sleuth to really dramatically improve your safety.

Great. So in terms of INFIMA, then, you have a solution where essentially you're just trying to punch holes in the user behavior for that organization. So you're basically testing people, kind of quizzing them, in a real-world environment on a regular basis. So they're getting, what, friend invites, they're getting links, they're getting suspicious emails, everybody within their organization. And then what happens if they make a bad decision? Well, now you've got evidence that says, looks like we need to do some more education. Is that essentially it?

Yeah, you're hitting it. When you say, what are we sending them, we're actually sending them the best of what's happening in the wild. We're able to find out what these attackers are doing rather than just conjuring up what's the next thing, right?

Now you can crowdsource that.

So why don't we find out what's the best that's out there? What are they actually sending? It's just the same thing as a coach preparing his team to go out to play, and he's like, I just drew up this play, I think they might play it today. Then somebody pipes up, like, coach, the last 10 games they played the exact same sequence of plays, let's watch their game tape. And so these attackers are going to continue using the exact same attack until it doesn't work anymore. So let's focus on what's working. And so that's what we're sending. Now, when somebody does click, we are not naming and shaming: look what you did, Josh, I can't believe you, you're so dumb. Because there is actually, in the data, no correlation between rank within a company, salary, gender, age, or intellect and whether or not you will click. It's much more atmospheric, contextual, and behavioral. And so if you're really busy one day, you may click on an email; if you're not busy one day, you might not click on an email. But same thing: we've had people who go off for Memorial Day and they're sitting on a beach and they're just relaxing. They're no longer inside the office environment, just knocking out emails, and they're like, ah, you got me on this one, guys. So the focus is actually hitting you in various different places, in different emotional states, different atmospheres, to allow you as the user to find out where your vulnerabilities are, and then allow the manager to say, hey, look, you got a bunch of vulnerabilities over here: these five people are not engaging with the training and they're clicking on phishing emails. These are the people you want to focus on right now. And again, we don't want to be advocating that you need to just go name and shame, but, in truth, there are some organizations, government and private, that we have who've been saying, if they click on three to five, depending on the organization...

That's a fireable offense.

Because it only takes one. It really only takes one bad click and it can do some serious damage. All of a sudden now someone's computer is compromised, they have access to secure files, and those secure files, if they get into the wrong hands, can spell a lot of trouble for an organization.

Yeah. Joel, one thing I wanted to talk about was your company itself. So what stage are you at as a business? And what has the growth been to date?

Yeah. So we've been around for two years. As with every startup that I've heard of, we had some pivots early on as we were learning where the market was for our product. We really love focusing on the human element in cyber security. So our growth rate is in the triple-digit percentage at this point, year over year. And we are actively expanding now, adding talent to the team. And, fortunately, we've really had great opportunities to expand our geographic footprint outside of the Central Florida area where we're based. It was a great start, and we continue to serve our companies and government organizations here. But now we've really hit all corners of the country at this point. And so the exciting part now is getting to bring on the team to really help us support and expand that.

Yeah, no kidding. So currently, what do you do for a client? How do you get new customers? How do people find out about you? And how do you begin those sales conversations?

So this is definitely not my or my co-founder's core expertise. We're both very analytical, so we've been learning. Marketing is not the way that we're wired, so we're consistently having to learn how to do it. In truth, almost exclusively, things have been coming from LinkedIn, and then, to a lot lesser extent, some of the speaking engagements that we've had, which, I've got to say, can be great, and could be dialed up.

That's amazing. So listen, can you tell me a little bit about the market for this? I mean, there are other solution providers out there. How is INFIMA unique? What's your USP compared to other providers?

Yeah, you know, we've had to spend a lot of time making sure that we're intellectually honest with ourselves that we do really have that. And what's become extremely clear from client feedback is that we've created a technology that's extraordinarily easy to use, that is not painful to set up. And the next is that it actually is intuitive, where somebody is learning, and a lot of that comes from the research that we do with the University of Florida. We've got a combined effort with the psychology department and the cyber security department, where everything that we're doing, from the way the emails are worded all the way to the ways in which we do training and the reminders and everything throughout, has been taken with a very deliberate focus on what are the behavioral elements that we can exploit to teach people to improve their security. We, as humans, learn in funny ways, and we usually need to be encouraged rather than yelled at. And so, you know, there are a lot of great providers out there. What we love is that we actually have this measurable behavioral influence on the change to improve security.

Well, Joel Cahill, the co-founder and CEO of INFIMA Cyber Security. You guys are on the web at infimasec.com. Solving security's people problem is what you do. And so thank you so much for joining us.

Josh, thank you. Appreciate your time.

Thanks for listening to The Thoughtful Entrepreneur Show. If you are a thoughtful business owner or professional who would like to be on this daily program, please visit upmyinfluence.com/guest. If you've got something out of this interview, would you share this episode on social media? Just do a quick screenshot with your phone and text it to a friend, or post it on the socials. If you do that, tag us with the hashtag #UpMyInfluence. Each month we scour Twitter, LinkedIn, Facebook, and Instagram. We pick one winner from each platform and you get crowned king or queen of that social media. Now, what do you win? We're going to promote you and your business to over 120,000 social media fans, totally free. Now, can you also hook us up? In your podcast player right now, please give us a thumbs up or a rating and review. We promise to read it all and take action. We believe that every person has a message that can positively impact the world. Your feedback helps us fulfill that mission. While you're at it, hit that subscribe button. You know why? Tomorrow. That's right, seven days a week, you are going to be inspired and motivated to succeed, 15 minutes a day. My name is Josh Elledge. Let's connect on the socials. You'll find all the stuff we're doing at upmyinfluence.com. Thanks for listening, and thank you for being a part of the thoughtful entrepreneur movement.
