Cyberspace. We live in it, we work in it, we transact in it, we exist in it. We spend enormous amounts of money on it, to make it better, to improve our lives and our work. While we strive to make it better, it remains one of the most unsafe places. It is rife with threats. Threats that we can’t see, that we can’t touch. Threats that are caused by adversaries thousands of kilometres away. At the click of a mouse or a stroke on a keyboard these adversaries can assume our identities and steal our information and our money.
Cyber security professionals are fighting a never-ending battle. Cyber criminals seem to always be one step ahead. Statistics show that security spending has been growing around 15% year on year since 2014, as cyber security became more of a priority for many organisations. So why are we not winning this battle? The answer may be simpler than you think.
As security professionals, we tend to think that the answer lies primarily in technology. This is where the problem starts. Traditionally, Information Technology (IT), and IT Security, are technology centric. We develop and implement frameworks, standards and architectures that primarily centre around technology. We understand the risks and threats that the technology faces, but we tend not to think about the business as a whole. Furthermore, IT security is seen as being IT’s job, so what happens? IT does what it knows best: it protects the technology. In essence this is not wrong, as our information normally resides on technology platforms. But we forget the user, the human behind the technology. Statistics indicate that around 80% of security breaches are aided by humans, either knowingly or unknowingly. Tactics such as social engineering and phishing are by far the most widely used and also the most successful. They exploit human vulnerabilities, not technology vulnerabilities. Our response to this problem is to throw more technology at it. We spend significant amounts of money on technology to fight cyber-crime, but we don’t see a decrease in cyber-crime figures. This means that there is still a problem somewhere. Is it the technology, or maybe it is how the technology was implemented? The problem, in most cases, is not with the technology; it is in the way that we approach cyber security.
To effectively protect against cyber-crime, our approach to cyber security must evolve. The conversation must change from the notion of protecting technology to a notion of protecting the organisation as a whole, which includes its technology, people and processes. To assume that you are protected simply because your technology is protected is a false reality. Technology is not the solution; it is only part of the solution.
Humans must become part of our defence strategy; in fact, humans are critical to our defence strategy! Technology has not yet evolved to the level where it can actively monitor human behaviour. Sure, human actions on technology systems can be monitored and analysed, but the reality is that technology can only monitor other technology systems. If you have paper-based or manual processes in your organisation that can be targeted by cyber criminals (e.g. invoice processing and payment), then technology cannot be your first line of defence. In this instance, humans have to be your first line of defence; they must become your organisation’s firewall. This is becoming more critical as we have seen a significant rise in supply chain compromise, where adversaries are interfering with supply chain processes to get falsified invoices paid to fake beneficiaries.
Building human firewalls is not a simple task; there are no firmware updates or security patches that can be applied to humans. It requires the organisational culture to change. You must create a culture where all your users, from the cleaning staff to the CEO and the Board, share and own the responsibility for IT security. You must create a culture where IT security becomes a practice that is embedded across the organisation, in all the technology systems and in all the business processes and practices, whether digital or manual. Creating this culture is a journey, one that never ends. It requires continuous awareness and education, strategy, vision, innovation, leadership, commitment, a passionate IT Security team, buy-in from the organisation, and most importantly, it must make your users feel empowered. The key component in building this culture is understanding the weaknesses in the organisational defences. Conducting practical exercises using penetration testing and social engineering tactics that simulate actual and plausible cyber-attacks will highlight the real gaps in your defences.
So why are we not winning the battle against cybercrime? The answer is simple. We are focussing our efforts on technology while spending too little effort on building human defences. We know that humans are the weakest link, we know that 80% of breaches exploit the human factor, and yet we don’t spend 80% of our efforts on the humans. Why not?
Think of an analogy with a Formula 1 race: imagine technology is the car, your users the driver, and your IT and Security teams the pit crew. At the end of the day, the race is won with a reliable and well set-up car, a competent and practised driver, and a good pit crew. A car can only do so much; it is the driver that decides when to turn, when to accelerate and when to brake, and it is the pit crew that maintains the car and keeps the driver informed of their and the car’s performance.
How good are your human drivers? Does your pit crew give your drivers enough support? Or are you relying too much on your car to win the race?