A computer is built on ones and zeroes, but it’s opererated by people.

It’s an important aspect of cyber security that can’t be forgotten. For all the digital tools and solutions involved in a data breach, there’s still an underlying element involved that no antivirus program or intrusion prevention system (IPS) can protect against: Human error.

As the threat landscape continues to evolve, become more complex and difficult to read, companies will naturally place more emphasis and resources on the technology that’s put in place to stop attackers. But businesses shouldn’t lose sight of the fact that they need to shore up the one vulnerability that can’t be digitally patched.

There’s no software update on the way for employees

Roughly one in every four data breaches can be attributed to human error, according to the Ponemon Institute. It could be the result of someone accidentally downloading a virus, or an employee being careless with his or her password, but the result is still the same: Hackers were able to get into a network without much resistance.

The primary tactic that’s being used to exploit this flaw is called social engineering, and it’s easy to see why criminals prefer it. Businesses invest heavily in comprehensive technical solutions built to cover a growing array of digital endpoints – but rarely physical vectors.

The revelation contributed to phishing being the third most common action that led to a data breach in 2018, ahead of ransomware and other forms of hacking that continually garner international headlines, according to the Verizon 2018 Data Breach Investigations Report. Pretexting, a technique that targets financial and human resources departments with persuasive emails to extract information or funds, saw a rise in frequency from 61 reported incidents in 2016, to 170 in 2017.

Employees are often seen as the weakest link because many organisations’ cyber security policies focus squarely on compliance, not training. The difference between the two lies in how effective the education is that the workforce receives: Is it a once-per-year seminar to tick a box, or on-going sessions that keep people up to speed with the latest threats?

The former doesn’t prepare staff for the advanced – and sometimes even blatant – techniques that malicious threat actors will use to gain access to high-value assets. People naturally think the best of others and would, for example, instinctively hold open the door for a person a few steps behind them that’s heading into work at the same time as everyone else. But that slight opening is all a hacker needs to gain access to the network.

Assess your physical vulnerabilities and improve training

Penetration testing has long been an essential component of any effective cyber security strategy. It’s a proactive approach to identifying and investigating flaws before a malicious threat actor has a chance to.

Over time, businesses build a groupthink mindset within their culture. It’s not a sign that the company is failing in any way – it’s a natural progression within nearly every organisation. But it is a liability for information security. The reason being is that the workforce begins to focus on certain aspects of cyber security, while completely ignoring others.

Social engineering is designed to exploit the overlooked aspects of cyber security, which is why Red Team simulations are an excellent on-going exercise to deploy. They’re a methodology of penetration testing which exposes the physical vulnerabilities that lead to digital access. With a no-rules mindset and being completely unannounced, they help businesses better understand how employees would respond to a real hacking attempt.

This type of information is invaluable when gathered regularly, as it fuels highly effective training. Every department in a company has different roles, responsibilities and most importantly, privileges. The intelligence collected on which security mechanisms are set in stone, but rarely followed, should fuel the education of those individuals.

Generalised training provides a foundation of expertise for dealing with common threats, but catered, on-going guidance gives people the specialised knowledge they need to identify risks pertinent to their day-to-day routines. Approaches taken to target the financial department are different from those someone would use to extract information from human resources.

There’s two different perimeters – digital and physical – that companies must account for in their cyber security strategy. Unfortunately, many organisations don’t give the latter the attention it requires to be effective. Penetration testing can help companies identify where physical vulnerabilities lie and develop training measures to patch that part of the system.