Surviving human error

Hackers like The Wolf get what they want through spotting and exploiting weakness, and it's never just the technical vulnerabilities that count. Human errors, failures and omissions all play their part, whether that's a PC left unlocked in a quiet office, sensitive documents abandoned in the printer tray or someone clicking on a malware-infected voucher in a suspect email, opening the whole network up to attack.

Let's face it; not all employees are equal when it comes to security. Policies can be ignored, advice disregarded and the same simple password used for corporate and personal online services alike. And that's without the ones who write their usernames and passwords in a notebook then leave it on their desk, or the ones that pick up a USB key in the car park and insert it instantly in their PC to see what happens. A recent experiment by US university researchers found that when 300 thumb drives were dropped around six campus locations, over 45 percent of them were plugged into a computer by the person that found them. Not everyone understands the risks.

This is a serious concern for enterprises. The Ponemon Institute's 2016 Cost of Data Breach Study found that of 874 security incidents covered, 568 were caused by employee or contractor negligence and a further 191 by malicious employees and criminals. According to figures from Action Fraud in the UK, insider threats are on the rise here as well, with 1,440 cases in the 2015-2016 period.

It's not just people that make errors, but corporations too. The company in The Hunt Continues suffers a more serious breach because only one person is authorised to shut down the systems and protect them from attack. With him out of the picture, the Wolf is free to continue his work, the organisation is left panicking and any chance to counter is lost.

A more robust defence

Eliminating employee error and threats involving malicious employees or ex-employees is a challenge. Establishing clear policies and guidelines will help, as will appropriate training on cyber-security, safer working practices and the potential impact of a breach. Companies should also take every opportunity to rethink and redefine their policies and practices around IT and data, not least because next year sees the introduction of the EU's General Data Protection Regulation (GDPR), which brings in new regulations and responsibilities for businesses, plus stiffer penalties in the event of non-compliance and a data breach. These could reach up to €20 million or 4% of annual turnover.

But technology can play its part here too, creating a second line of defence so that, when security policies are ignored or safe working practices are not followed, hackers can't keep a foot in the door. By innovating in PC, printer and device security, HP is providing enterprises with products that resist the work of hackers, or that support the kind of security policies that keep systems and data safe. How? Just take a quick look at some common security lapses to get an idea.

The Problem: A PC left unattended in an office within reach of the public or unauthorised personnel. The Solution: Fingerprint or facial authentication through Windows Hello ensures that only authorised users can access the PC and its contents. HP Client Security Suite Gen3 provides multi-factor authentication and robust password management. HP WorkWise combines desktop software and a smartphone app to automatically lock the PC while the user is away and unlock it when they return. What's more, attempts to authenticate or tamper with the PC result in alerts to the user through their smartphone.

The Problem: An employee finds an abandoned USB drive in the car park and decides to plug it in. The drive contains malware that attacks their PC's firmware. The Solution: The malware might get past anti-virus defences and corrupt the BIOS, but if it does HP Run-time intrusion detection and SureStart technology should stop it in its tracks. Run-time intrusion detection checks the PC's memory for signs of intrusion and reboots automatically to prevent malware from executing. SureStart monitors the BIOS and, on spotting the attack, restores the BIOS to a last-known good version, along with all configuration settings. The PC rapidly recovers from the attack.

The Problem: An employee receives a phishing email with a link to see some photos. The link takes them to a website where a script installs ransomware to encrypt the files on their PC. The Solution: Clicking on the link and opening the site triggers HP SureClick, creating a hardware-isolated browser session from which the malware cannot do its job. Stopped from infecting other browser tabs or the system itself, it rebounds harmlessly off the PC.

The Problem: An employee views and edits sensitive, forward-looking documents while working on the train, oblivious to a fellow passenger 'shoulder surfing' from the side and taking notes. The Solution: HP SureView gives users an electronic privacy screen, preventing anyone not directly in front of the screen from snooping at the tap of a function-key combo. They can carry on working, just as before, but the screen's no longer visible to nosy parkers or potential cyber-criminals.

The Problem: An employee receives an email with a document attached containing printable vouchers. The document actually contains printer malware, replacing the firmware with a hacked version that gives a hacker access to the corporate network. The Solution: HP BIOS whitelisting ensures that only known-good firmware can be executed. When the new firmware can't be validated the device reboots. HP SureStart also protects the BIOS from tampering, restoring the BIOS to a previous 'golden' version so the printer can recover.

The Problem: An employee leaves sensitive documents in the printer, where they can be picked up by a colleague and shared with a hostile actor. The Solution: Pull-printing services ensure that print jobs only get printed once authorised by the user at the printer. Without a PIN code or the presence of a token or a connected smartphone, the document is held on the print server.

A new perspective

Corporate processes and policies aren't always so easy. How can enterprises be sure that they have the right security strategy in place, that robust measures aren't potential weaknesses, and that security and privacy are built into their systems, in line with new compliance regulations?

The process of preparing for GDPR or pursuing relevant information security accreditations, like ISO 27001, can help, as will following the UK National Cyber Security Centre's 10 Steps guidelines. Yet for many medium-sized and larger enterprises, it's essential to get a second, objective point of view. HP's Enterprise Security Services can provide that, with a risk-based approach to IT security that looks at how security strategy aligns to business objectives, how new strategies and technologies can protect the enterprise and close the gap between the two, and how companies can change their infrastructure to become more agile and responsive when tackling an issue or breach.

It's impossible to eliminate every weakness involving human factors, but with the right technology and strategy businesses can reduce the potential impact and minimise their risks.

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
