Schmidt, founder and CEO of JAS Global Advisors, has consistently shown results architecting and delivering products and services. In this blog, he discusses how IT solution providers can help their clients batten down the hatches and prevent cyberattacks.—Jennifer Bosavage
In today’s information security environment, there can be little doubt that the human element is the weakest link in cybersecurity. Recent high-profile security compromises, including the RSA breach, started with targeted phishing – underscoring the vulnerability of human interactions in the cybersecurity chain.
From both a management and IT perspective, technology is widely seen as the foundation and solution for sophisticated security threat protection. Equipped with the latest authentication, encryption and threat monitoring technologies, executives have a misguided sense of invincibility, especially once the potential for human error, trickery and malicious intent is factored into the equation.
Viral USB Sticks
In June 2011, Bloomberg published the results of a test conducted by the U.S. Department of Homeland Security. To assess the government’s vulnerability to unauthorized system access, DHS dropped disks and USB drives in the parking lots of government agencies and private contractors.
An astonishing 60 percent of workers who found devices plugged them into their office computers. When the device was imprinted with an official logo, the number of installations on office machines skyrocketed to 90 percent.
The first step in addressing the human element in cybersecurity is a willingness to identify and acknowledge the problem.
Low-impact hackers are only the tip of the iceberg. Cyber warfare, cyber espionage and the exfiltration of proprietary or protected data are rampant and must be first-tier priorities in the development of information security systems and protocols. Yet even the organizations and agencies that hold the highest-value security targets can be easily penetrated through the exploitation of inappropriate human behaviors.
Further layers of concern are being raised around the emergence of new technologies in mobile, social networking, cloud computing and other web-based categories. Yet the most frightening scenario may still be one in which a disgruntled worker walks out the front door with a trove of data on a portable storage device.
I’m the Problem
One of the most frustrating realities is that a general awareness of the threats posed by the human element does not typically lead to behavioral and/or organizational change. Although workers and high-level influencers indicate that knowledge is an important factor in the way they approach information security, it isn’t the only consideration.
In many cases, large corporations prioritize compliance over security, pinning their hopes on the notion that regulatory conformity will ensure the integrity of their infrastructure and security protocols.
While compliance isn’t an issue for many small- and midsize businesses, cost concerns tend to override security issues. If a cybersecurity behavior impedes workflow, requires additional investment or is otherwise perceived to be unacceptable, it’s unlikely to gain traction in the small business community, especially since security is only seen as a vague threat of possible pain.
But ultimately, the most significant security hurdle is users themselves – organizational stakeholders who have access to sensitive data and information. Even when they possess an awareness of the types of security threats directed at their organization, users (at all levels) often don’t see themselves as responsible participants in the security process, but as beneficiaries of the organization’s vast security infrastructure.
Rather than engaging in proactive security behaviors, users mistakenly trust that IT departments and organizational leaders have implemented foolproof measures to prevent data theft or security intrusions, sometimes ignoring common sense practices that are effective in preventing major breaches.
Organizational leaders and policy makers face the daunting task of devising measured responses to the human element in cybersecurity. Ignoring sloppy practices or relying on technological assets invites security penetrations from the growing ranks of hackers who target human behaviors.
1. Procedural Audits
Comprehensive security policies, procedures and protocols form the baseline for a leadership response to the human element in cybersecurity. Periodic reviews and audits are essential for highlighting organizational weaknesses and keeping sound information security behaviors top-of-mind in the organization.
2. Granular Training
Random or high-level training is less productive than frequent, granular training opportunities and exercises that have been designed to address specific behaviors and practices. Senior leadership and supervisors should be required to attend training events to demonstrate the importance of responsible security behaviors and to better protect themselves from cyberattacks.
3. Cost-Benefit Analyses
Robust cybersecurity programs leverage a combination of human and technological elements. In addition to the cost of technological infrastructure, organizations must be willing to pay the price of improvements to human-based security, a price paid in privacy and openness. Although improvements in the integrity of security protocols require greater transparency and a willingness to embrace new attitudes toward information, the benefits can be substantial. In the Wikileaks example, a forced prohibition against the use of external storage on secure systems and closer worker supervision should have helped prevent a massive leak of classified information.
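Both the DHS parking-lot test above and the prohibition on external storage just mentioned come down to the same technical control: removable mass storage must not mount on a secure workstation, whatever the user plugs in. As an added example that is not part of the original post, the POSIX shell script below audits and applies that control on a Linux host by preventing the usb-storage kernel module from loading through a modprobe.d `install` rule. The directory is passed as a parameter so the functions can be exercised against a staging directory; the real location, `/etc/modprobe.d`, is assumed rather than hard-coded. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit and remediation helpers for a
# "no external storage on secure systems" policy on Linux. The control is a modprobe.d
# rule that makes any request to load usb-storage run /bin/true instead, so the
# driver never loads even when a user inserts a drive. MODPROBE_DIR would normally be
# /etc/modprobe.d; it is a parameter here so the script can be tested out of place.

# Return 0 if some *.conf file in the given modprobe.d directory blocks usb-storage.
# Only the "install ... /bin/true" (or /bin/false) form counts: a plain "blacklist"
# line stops automatic loading at boot but not on-demand loading by udev.
usb_storage_blocked() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)([[:space:]]|$)' "$dir"/*.conf
}

# Write the blocking rule into the given directory. Idempotent: rewriting the same
# file with the same content is harmless, so the function can run on every audit.
block_usb_storage() {
    dir="$1"
    mkdir -p "$dir" || return 1
    printf '%s\n' 'install usb-storage /bin/true' > "$dir/disable-usb-storage.conf"
}

# Return 0 if usb_storage is loaded right now (the rule above only prevents future
# loads; an already-loaded module must still be removed with `modprobe -r usb_storage`).
usb_storage_loaded() {
    [ -r /proc/modules ] && grep -q '^usb_storage ' /proc/modules
}

# Audit entry point: report the state of both checks for a given modprobe.d directory
# and return 0 only when the control is fully in place.
audit_usb_storage() {
    dir="$1"
    status=0
    if usb_storage_blocked "$dir"; then
        echo "OK:   usb-storage load is blocked in $dir"
    else
        echo "FAIL: usb-storage is not blocked in $dir"
        status=1
    fi
    if usb_storage_loaded; then
        echo "FAIL: usb_storage module is currently loaded"
        status=1
    else
        echo "OK:   usb_storage module is not loaded"
    fi
    return $status
}

# Typical use on a real host (as root):
#   audit_usb_storage /etc/modprobe.d || block_usb_storage /etc/modprobe.d
```

On Windows the analogous control is the Removable Storage Access Group Policy rather than a modprobe rule, so this script covers only the Linux side. The check deliberately accepts the `install` form only: that is the form that turns a "found a USB stick" event into a non-event, which is the behavioural failure the DHS test measured.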
4. Behavioral Research
On an industry level, more research is needed to identify the behaviors and motivations of employees at various levels of information security. By better understanding how technology users view and respond to security threats, organizations can better implement countermeasures and establish human element protocols. Additionally, there is a need for further study in the area of human-machine interactions. We need to understand how machines can better indicate potential threats to humans, producing cues that are presently absent in the machine-human interface.
5. Know Your People
Most cyber-crime is just social engineering. Criminals invest time and energy getting to know key organizational stakeholders. In a similar manner, senior leaders need to familiarize themselves with their people, nurturing an awareness of user-specific access rights and internal contacts capable of delivering access to sensitive information.
Since security threats are constantly evolving, leadership responses to human security vulnerabilities must likewise exist in a context of constant evolution. Resistance to change, closer individual scrutiny and human curiosity are inherent obstacles to rolling cybersecurity improvements – but they are obstacles that must be overcome to ensure the ongoing integrity of the organization’s security strategy.