Christian Anschuetz, CIO & Security Practitioner, UL
Despite Firms' Best Efforts, Security Vulnerabilities Are Increasing
From the infamous Sony hack and other high-profile data breaches to Heartbleed, Shellshock and the new wave of mass mobile threats, 2014 was an historic (if woeful) year for cyber security. As a result, the topic of security is now center stage and firms are dramatically increasing their IT budgets to ward off often nameless, faceless attackers. Nevertheless, firms will continue to be vulnerable if they over-invest in technology while failing to engage their workforce as part of their overarching security solution.
Over-Reliance on High-Tech Protections Undermines Security
Firms are turning to modern technologies to protect themselves from becoming the next security breach headline. State-of-the-art firewalls protect network perimeters and secure remote access. Hardened applications, running on secure and patched operating systems, are increasingly defensible. Intrusion detection systems stand poised to alert firms when their protections have been compromised. While these are important tools to help counter cyber threats, history and data both show that the bad actors are adept at going around technological barriers and going right after users.
According to PWC, employees and corporate partners are responsible for 60 percent of data breaches. Verizon's research suggests the number is even higher, at almost 80 percent. These surprisingly high figures reflect in part a prevalent and dangerous myth, namely, that cyber losses are the result of attacks by technological geniuses who excel in dismantling sophisticated firewalls and circumventing other security measures.
The reality is that, while external attackers can be highly intelligent, they typically gain access to critical information and systems by subverting well-intentioned humans. Phishing emails, links and attachments that look legitimate and even social engineering are the primary initial avenues past an organization’s defenses. Cyber evil-doers, like combatants on the battlefield, attack asymmetrically, avoiding hardened security surfaces and taking advantage of human weaknesses.
Security Policies Often Weaken Defense
What’s more, firms are often their own worst enemy. They chronically ignore the human element of security, often relegating efforts to engage employees to the technology-focused, and stereotypically introverted, staff members of IT and information security. Instead of elevating the topic of security to an organization-wide endeavor, firms put the unfair burden of protecting their company’s intellectual property on the shoulders of a group that is ill-equipped to grasp the totality of the threat. Technological defense, although important, is only one side of the coin. The responsibility for understanding and mitigating the human threat goes well beyond IT.
Left in the wrong hands, cyber security manifests itself in burdensome and ineffective policy. Take typical password policies, for example. Setting a password policy to lock out after three tries is frustrating for users, and it almost never adds any incremental improvement in security. Making users change their password every 90 days is also folly, as it too fails to measurably improve security. These policies effectively lower a firm's security posture as users resort to writing down their passwords or finding other deleterious workarounds.
And because many security departments are more worried about control than productivity, they don’t consider the unintended consequences of their policies. Disable USB ports? Good move, except now users move often sensitive documents via Google Drive. Disable print drivers? That also seems wise, except now users email documents to unsecured web-connected printers. Forced to choose between disruptive and apparently irrational security directives or getting their job done, workers will find a way to be productive.
Creating Security Habits Strengthens Defense
The key to improving overall security is to elevate the topic to an organization-wide initiative, and to balance investment between technology and the education and engagement of the workforce. Pursuit of the imaginary “silver bullet” firewall is daunting in itself, so it’s no wonder firms cannot face the prospect of fundamentally changing people's behaviors. And given the relative ineffectiveness of traditional security awareness programs, it’s understandable why firms have largely ignored the human element.
Understandable, yes, but a grievous mistake. Logically, if insiders are the source of the majority of the breaches, then developing a security acumen among the workforce stands to dramatically reduce an organization’s vulnerability.
Some technologically well-protected firms, like Dow Chemical Co., engage their workforce through advanced security awareness programs that focus on targeted education. The most secure of these firms are creating “security habits.” By clearly defining desired behaviors, the firms help workers understand what they need to do, and why. By involving the workers in designing the security policies, the firms generate buy-in and support. Organizations that create the triggers, motivation, and even rewards—for example, recognition for forwarding, but not opening, a suspicious email—establish a secure operating model. If the organization’s leaders encourage employees and also visibly practice the desired behaviors themselves, then security can become a way of life in the workplace.
To Strengthen Security, Start with the “Weakest Link”
In The Art of War, Sun Tzu taught that attackers should "avoid what is strong and…strike at what is weak." This lesson has been well learned by today's cyber attackers, who are ruthlessly efficient in converting employees and corporate partners into unwitting allies. Good, smart workers are conscripted by attackers after being lured into opening an email attachment or following a dangerous link. If we change this paradigm and make our workforce an accountable part of the security solution, we will dramatically improve the defensibility of our firms.