On one level, cybersecurity is all about electronics – securing machines, networks and so forth. But even the most technologically advanced cyber attacks are driven by human motivation.
Humans motivate cyberattacks, and humans also, often unknowingly, facilitate them. People are just as essential to mounting a defence, however powerful a barrier automated tools provide.
It is no surprise, then, that the theme of the 2020 RSA Conference is The Human Element. Ahead of the conference next week, we thought it worth reviewing five human elements that shape the way CSOs handle enterprise cybersecurity.
It may be the age of AI, but humans are still at the core of cybersecurity.
1. Human Perpetrators
CSOs must continuously assess where their technology estate is vulnerable. Part of a comprehensive assessment is working out who would want to attack it, and why: theft, political expression, foreign interference and so on. The common thread, of course, is human needs and wants.
Why would individuals, or groups of people, want to compromise your enterprise systems? Do they intend to gain financially, or to exert influence? Automated vulnerability assessment is crucial, but scanning a network only goes so far.
Understanding the likely motivations behind attacks gives much broader insight into the attack vectors an adversary will choose and the vulnerabilities those vectors depend on.
Conversely, paying too little attention to the human motivation behind cyberattacks puts companies at risk: attackers' goals and methods can reach beyond the expected, and a company's particular line of business, clientele or other stakeholders can attract specific threats that a generic assessment would miss.
A key part of the CSO's task is, therefore, to understand the range of motivations behind attacks – and this requires getting to grips with human nature.
2. IT Management Weaknesses
Weaknesses can start at the top. Even the best cybersecurity tools will fail in their goals if they are planned, implemented and managed poorly. Human actors initiate, manage and monitor cybersecurity programs, and only the right human approach will result in comprehensive cybersecurity.
It is a cultural issue too: management teams must instil good practice and a security-first approach in employees, from cybersecurity staff right through to the people who carry out the everyday activities of the company.
In fact, an argument can be made that in today's threat environment cybersecurity is no longer the domain of IT leaders alone. Everyone at board and C-level must engage, treating cybersecurity not as an IT issue but as a business issue.
Only by actively managing cybersecurity from the very top can organisations keep cybersecurity risk under control, and this requires a deft human touch.
3. Human Fallibility
Human error is behind a surprisingly high proportion of cybersecurity breaches. Data from the Notifiable Data Breaches Scheme in Australia suggests that 67% of reported breaches trace back to people, whether through outright error or through credentials that were compromised and then misused.
Consider, for example, the increasingly effective social engineering methods attackers use to bypass otherwise potent cybersecurity measures. Few users will still be fooled by a badly worded password reset email, but end users find it hard to spot patient, multi-stage attacks that rest on extensive reconnaissance and well-crafted deception.
The repercussions are serious: an FBI public service announcement put the exposed losses from business email compromise at $12.5B between October 2013 and May 2018. Another factor to consider is the growing reliance on biometrics: unlike a password, a fingerprint or face cannot be reset once it has been copied or leaked.
Sheer human error is, of course, another factor CSOs have to contend with – whether it is a mistake made by cybersecurity staff or an end user who accidentally exposes company data. Particularly where budgets are tight and roles are shared – or outsourced – the risk of human error rises.
Identifying and responding to these human points of failure is at the core of cybersecurity. CSOs can mitigate the risks with internal controls and prevention measures.
4. Mobility and BYOD
The where and when of IT can also pose unique cybersecurity risks – and here the human factor of device mobility and BYOD is a real wildcard.
Where, and under what circumstances, will end users access corporate data? Which devices will they use, and what threat do those devices pose?
From a mobility perspective, public and fake Wi-Fi networks remain a big concern, but so do other risks tied to a device's location: theft, for example, or unauthorised access when a user steps away from a personal device. Mobility has the net effect of placing a corporate endpoint in an arbitrary location, on an arbitrary network.
Bring your own device (BYOD) brings a different set of risks: which other apps are installed on the device, and what risk do they pose? It is an unknown, and CSOs will find it difficult to lock personal devices down as tightly as they would like. Instead, CSOs must anticipate BYOD behaviour as best they can.
The unpredictability of human behaviour makes mobility and BYOD risks hard to forecast, and CSOs cannot afford to ignore the distinct risks of personal devices and unknown locations.
5. Rapidly Moving Technology
Finally, it is worth pointing out that technology is moving at an unprecedented pace. In a hyperconnected age, threats emerge more quickly than ever before. Some of these threats can be guarded against through automation – AI-enabled cybersecurity tools that can block newly seen threats without waiting for a human decision.
However, in many cases human cybersecurity experts remain the first responders. Expert security staff must analyse and respond to new threats, devising methods to defend organisational assets against even the most creative cybercrime efforts. Doing so is not easy, as humans grapple with the velocity of technology change.
It is an enormous challenge that CSOs will continue to grapple with, and it may mean that in some cases technology adoption is held back until the security risks can be thoroughly evaluated. That alone will not guard against attackers who are themselves empowered by new technology, such as advances in computing power that weaken encryption algorithms once considered secure.
CSOs must be aware that what they perceive as a stable state of cybersecurity can change rapidly.
So, how do CSOs account for the human factor of cybersecurity?
In the last section we hinted at one option – intelligent automation of cybersecurity, using security tools that turn cutting-edge technology against rogue actors. In some ways the machine-versus-machine approach can deliver excellent results, a blanket of protection.
That said, automation only ensures so much in terms of effective cybersecurity. CSOs need to be cognisant of how humans behave in the technology world – both as rogue actors and as end users. Furthermore, CSOs need to watch what skills they recruit for: focusing solely on analytical, computer-engineering skills can skew defences towards automated solutions. CSOs should also recruit infosec staff who understand the human side of cybersecurity.
Take a minute to consider this: humans, not machines, are the biggest threats to your networks.
The Biggest Issue in Cybersecurity is Humans, Not Machines
As the RSA 2020 conference tackles the most challenging human elements of cybersecurity, you can rely on Beyond Security to give you the deep advice and automated tools that provide a comprehensive layer of protection – both against known vulnerabilities and against the unpredictable elements that the human factor brings to the table.