
The human factor in cybersecurity

The ‘human factor’ has long been called the weakest link in building safe and secure digital environments, but human intuition may also be the key to thwarting many cyber threats. No monitoring system, however good, removes the need for a person to interpret its alerts. And our brains are uniquely able to combine multiple inputs with the “hunches” that tell us something is wrong.

We tend to look to technology to bulk up our security stance when a better approach may be to dig deeper into human nature – and those norms, habits and quirks we all have – and develop a security mindset that uses what we’re best at: complex reasoning.

Yes, you have to have top tech

Often organizations that find themselves feeling vulnerable haven’t taken full advantage of the tools that are readily available to them. They’ve made an initial effort to protect systems and data but then choose not to update the server or push out the critical Windows update. We’ve all seen organizations that don’t even have a current backup. 

We hear: IT is understaffed. It slows the system. Today was super busy. I had to jump on a call right away and forgot. 

I do understand it, but I don’t accept it. There’s no reason. There’s no ambiguity about it. It’s either protecting you the way it was designed to, or it’s not. Use the technology you have correctly. 

Complexity is the enemy of compliance

People are creatures of habit who seek out shortcuts and efficiencies. If I write a 5-step process for logging in to my most secure system, at least one person will email me explaining how they found a shortcut. And there will be many who complain about having to wait 4 seconds as their login is verified. I know this, and so I push back on my team when they establish new protocols. Can we make this easier? Can we use a tool – like multi-factor authentication or PIV cards? Can we eliminate irritating parts of cybersecurity? Yes, the solutions might cost more, but the benefit is compliance. I never want to create a system that has my people jotting weekly passwords on post-it notes. So, I ask my security team to think like a busy employee, a hurried exec, and a distracted engineer – and remove complexity from our routines.

Trade some efficiency for better security

Security controls add latency, and people notice latency immediately. We might accept that a sound cyber program and everyday cyber hygiene, such as scanning inbound email and the links in it, adds a layer of inefficiency; employees often find this a difficult concept. Smartphones, productivity apps and fast connections have set the expectation of instant access. Overcoming that expectation takes patience, education and a cultural value placed on slowing down to be more mindful about security.

Root out threats from the inside

As long as we have people in our organizations, we need to think about insider threats. People’s messy human lives show up for work. They have financial difficulties. They have stressors. They’ve got a problem with drugs, alcohol, gambling—but also idealism, politics and power. 

There are two solutions here. The first uses technology for least privilege and compartmentalization. Simply put, access to every system should be “need to know.” Establishing this policy early and applying it strictly removes both ambiguity and temptation. Compartmentalize access for everyone, leaders included, so that any one individual can only reach so much, and set up automated monitoring of who holds access, and who was recently granted it.

The second solution is all on leadership and using human intuition. You may need to adjust this process depending on the size of the organization. But the gist is that once a month, the head of HR, head of IT, head of operations and CEO get together for a security review of employees. Operations might say, “Ed’s been showing up for work late, and he’s kind of been off.” And then HR can chime in and explain that his marital status went from married to single. If IT says, “Well, it looks like we just gave him temporary access to three systems last week,” it may warrant talking to Ed. Maybe he just has to drop his kids off at camp and is starting a new project, and all is well. Or perhaps he’s struggling with larger issues and needs support. Individually, you might not put those pieces together, but human reasoning can look at the situation from an enterprise perspective and see warning signs.
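The IT signal in that review (“temporary access to three systems last week”) is the kind of thing the automated monitoring from the previous section should surface on its own rather than relying on someone remembering it. The following is an added example, not code from the article or from any product it mentions: it takes a constructed list of access-grant records (the account names, system names and dates are invented for illustration) and returns the accounts that either received a burst of temporary grants inside a recent window or hold more systems than the compartmentalization cap allows, leaders included. The thresholds are assumptions to tune for your own environment.

```python
"""Flag accounts whose access pattern warrants a conversation.

Added example. SAMPLE_GRANTS is constructed data, not real access logs;
account and system names are hypothetical.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (account, system, date granted, temporary grant?)
SAMPLE_GRANTS = [
    ("ed",  "finance-erp",  date(2023, 6, 12), True),
    ("ed",  "hr-payroll",   date(2023, 6, 13), True),
    ("ed",  "build-server", date(2023, 6, 14), True),
    ("ed",  "wiki",         date(2022, 1, 5),  False),
    ("ana", "wiki",         date(2022, 3, 1),  False),
    ("ana", "build-server", date(2022, 3, 1),  False),
    ("ceo", "finance-erp",  date(2021, 9, 9),  False),
    ("ceo", "hr-payroll",   date(2021, 9, 9),  False),
    ("ceo", "wiki",         date(2021, 9, 9),  False),
    ("ceo", "build-server", date(2021, 9, 9),  False),
    ("ceo", "crm",          date(2021, 9, 9),  False),
]


def review_grants(grants, as_of, window_days=30, temp_burst=3, max_systems=4):
    """Return {account: [reasons]} for accounts that cross either threshold.

    temp_burst:  this many or more temporary grants to distinct systems within
                 `window_days` before `as_of` (the "three systems last week" signal).
    max_systems: distinct systems an account may hold in total, regardless of how
                 old the grants are (the compartmentalization cap, applied to everyone).
    Thresholds are assumed values for illustration.
    """
    cutoff = as_of - timedelta(days=window_days)
    held = defaultdict(set)         # account -> every system it can reach
    recent_temp = defaultdict(set)  # account -> systems granted temporarily in the window

    for account, system, granted, temporary in grants:
        held[account].add(system)
        if temporary and granted >= cutoff:
            recent_temp[account].add(system)

    findings = {}
    for account in sorted(held):
        reasons = []
        if len(recent_temp[account]) >= temp_burst:
            systems = ", ".join(sorted(recent_temp[account]))
            reasons.append(
                f"{len(recent_temp[account])} temporary grants in the last "
                f"{window_days} days: {systems}"
            )
        if len(held[account]) > max_systems:
            reasons.append(f"holds {len(held[account])} systems; cap is {max_systems}")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    # Run the review as of a fixed date so the constructed data gives stable output.
    for account, reasons in review_grants(SAMPLE_GRANTS, date(2023, 6, 20)).items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

With the constructed data, “ed” is flagged for the burst of temporary grants and “ceo” for exceeding the cap, while “ana” is not flagged at all; the point is that the cap applies to the CEO as much as to anyone, and that the output is a short list to bring to the monthly review, not a verdict on its own.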

Continuous education, continuous testing

Bad actors know human nature, and they take advantage of it. They target the vulnerable: those with access, those with power, those who think they aren’t worth the effort. Increasingly, we see sophisticated techniques, such as mining social media to craft a lure that will interest a target or get them to drop their defenses. The bad actors are evolving, so your security training program has to evolve too. Continually update it with new threats. Remind people that they could be targeted. Drive home the point: trust nothing.

Testing is a part of education, too. Go ahead and send the fake emails, conduct hacking exercises, play war games that simulate an attack or ransom situation. Even employees who know they could be tested slip up – and these are teachable moments to slow down, trust their gut and verify.

Overcome human nature with a lock-the-door mentality

In my community, we’ve had a huge problem with cars being broken into at night. The would-be robbers come through, and they test every car parked in a driveway or on the street. If the door is locked, they move on. If it’s unlocked, they grab whatever is easy – spare change left in the console, sunglasses left on the seat, a laptop left in the trunk. The solution is pretty simple—lock your car doors to reduce your chance of something getting stolen. 

It’s the same with cyber – most threats are looking for an easy opportunity to grab what they can. You’ll go far with a fundamental “lock your doors” mindset – essentially implementing cybersecurity controls consistently. 

There’s more to this mindset – and it has to do with the human nature of bad actors. Let’s say that your car doors are locked, but your phone is on the dashboard, or there’s a $10,000 bank deposit on the seat. The robbers are going to try harder to break in. They might be willing to take huge risks for such a lucrative payoff. If you don’t have anything accessible in your locked car, you’re doubly protected—no opportunity and no motivation. 

That is how we’ll win the game with cybersecurity, too. So, layer defense. Implement firewalls, intrusion detection, internet filtering, DNS proxy, and antivirus software. Move data to secure backups. Use encryption. Use multi-factor authentication. Overcome human nature with a security mindset that uses what humans are best at: complex reasoning. Remember to trust your human nature – the intuition that you need to double-check “locking the doors” or other security steps.


This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.
