Against the cyber-threat, the human factor matters

In recent years, there has been a global and ongoing trend towards strengthening the cyber-defense capabilities of states and companies. The cyber-threat has become so damaging that it is at the very top of the global threats listed in the 2015 Worldwide Threat Assessment of the US Intelligence Community. “Attacks (…) are increasing in frequency, scale, sophistication and severity of impact,” Director of National Intelligence (DNI) James R. Clapper explained. Beyond the usual typology of ideologically motivated, state-sponsored or profit-motivated cyber-attacks, the latest developments have revealed a progressive decoupling of the type of attack from the type of target. Consequently, businesses have become victims of state-sponsored cyber-attacks even though these attacks were mainly motivated by political considerations.

The “successful” and “highly disruptive” attacks against the Las Vegas Sands Casino Corporation and Sony, allegedly carried out by Iran and North Korea (DPRK) respectively, were the two most prominent examples of this trend in 2014. The massive attack against the French TV5 network days ago sounded like a wake-up call for everybody, particularly companies’ tech employees, who know too well that their limited cyber-defense budgets and human resources cannot compete with the greater means of the cyber-attackers. “If TV5, a state company, can be put out of service, what can we, small and medium-sized enterprises (SMEs), really do?” one told Cyceon. In fact, the technical aspects of countering the cyber-threat are only part of the solution, since most often the cyber-attack was made possible by human mistakes.

In the case of TV5, some employees unwittingly helped the cyber-attack to happen by opening e-mails or clicking on links they should never have opened or clicked. This means the human factor remains central to establishing any sound cyber-defense policy, be it within governments or businesses. For instance, France’s national agency for the security of information systems (ANSSI) published in March 2015 a toolkit for the training of “cybersecurity referent persons” within very small-sized enterprises and SMEs, in an effort to help training centers provide these companies with adequate cyber-security teaching for their personnel. “A cybersecurity software is insufficient. Cybersecurity participates in a global process of daily business (corporate) security,” the toolkit stressed. Once again, knowledge and its implementation by humans are both the solution and the vulnerability, cyber-security included.