
Humans for cyber-security: are they a catastrophe or an asset?

August 18, 2016

Ignorance is bliss. Whatever wisdom that saying may hold elsewhere, it does not apply in cyber-security. Having your employees blissfully unaware of the risks, vulnerabilities and dangers lurking behind their interactions with technology can prove extremely costly over time.

Human factors still count in numerous cyber-operations. Even when automation steps in, a person is required to feed the right data to the machines, to set up the software and subsequently adjust configurations as needed. Furthermore, automated systems take in and output data over potentially insecure channels. These massive processing systems are not sealed up in some kind of invulnerable, impenetrable jar; on the contrary, they gather data from multiple sources and communicate and share functions, which makes them more vulnerable with each new layer of associated software and hardware.

From microscopic entry points (see the flawed chip endangering industrial systems) to macroscopic dangers (such as vulnerable or compromised networks, or wireless vulnerabilities), cyber threats count on lapses of attention to make their way in. And lapses of attention are inherently human.

People: the simultaneously good and bad element in cyber-security

As any experienced security intelligence professional might tell you, people are the worst. In fact, they qualify as an information security risk in their own right. Cyber-security awareness is the first step in preventing major incidents from being facilitated by people’s actions.

Numerous online sources guide employers through what raising this type of awareness means. Specialized companies offer training services – sessions can take place on-premises and can expand into practical workshops. Is that an ultimate guarantee that employees won’t put your data and reputation at risk? Unfortunately not. But educating your employees is a step in the right direction.

There are three major types of high-risk human-induced mistakes:

  • The case where employees do not know how they should act, being unaware of the dangers;
  • The case where employees either make mistakes, or simply do not care whether their negligence bears important risks (a grey area, covering various situations);
  • The case where employees perform malicious actions (also called insider threats).

In many instances, cyber-attackers know their target and go for the human element. They socially engineer the preliminary attack phases, or they have studied the company routine and know it. Nobody is immune to becoming a victim of a cyber-attack, and thinking that it can never happen to them turned out to be a big mistake for quite a few prominent figures lately (see the Zuckerberg or Robert Mueller cases).

Flaws and qualities when humans interact with cyber-security

Multiple levels of command inside the organization complicate the human entry-point issue even more: errors in communication or technical misunderstandings may dramatically compromise security. Since studies back this up, organizations (at least the bigger ones) have reacted by enforcing a new set of rules – essentially trying to make data access available only on a need-to-know basis and moving towards encrypting all data traffic.

To sum up, while people are a risk factor, it also depends on them to minimize the dangers and to think of better solutions. Understanding human nature is critical, as is finding the most viable solutions tailored to each particular case. For example, harshly penalizing the culprits or establishing future penalties is rather inefficient and can drive even less controllable, under-the-radar behaviour; on the other hand, efficiently controlling data access and encrypting sensitive data cannot be taken personally, nor does it depend on other staff members noticing the slips and reporting them to upper management.

Analyzing human behavior with the help of automated tools can provide a medium level of monitoring, if the settings are cleverly chosen. Such software can signal unusual patterns and behaviors as soon as they appear among your employees. The downside? Automated tools work better with routine – and routine is the favorite pet of cyber-attackers. To avoid encouraging dangerous routine in work habits, an organization needs a strategy of cyclic changes – from passwords to daily schedules or workstations, minor alterations should be implemented, in correlation with re-setting the automated tools to read the new normality as such. Again, specialists are a must.
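To make the "learn a baseline, flag deviations, then re-baseline after a planned change" idea concrete, here is a small added example (not from the article, and not any vendor's product). It learns, per user, the hours and workstations seen in a learning window of constructed login records, flags later events outside that profile, and shows the re-baselining step the paragraph calls for once a workstation rotation has changed what "normal" looks like. The log format, user names and workstation names are all constructed for the example.

```python
"""Baseline-and-deviation check over constructed login records (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed learning window: "<ISO timestamp> <user> <workstation>".
BASELINE_LOG = [
    "2016-08-01T08:55:00 alice WS-01",
    "2016-08-01T17:10:00 alice WS-01",
    "2016-08-02T09:02:00 alice WS-01",
    "2016-08-01T09:15:00 bob WS-02",
    "2016-08-02T13:40:00 bob WS-02",
]

# Constructed events to screen against the learned baseline.
NEW_LOG = [
    "2016-08-10T03:12:00 alice WS-01",    # night-time login
    "2016-08-10T09:00:00 alice WS-02",    # someone else's workstation
    "2016-08-10T09:00:00 mallory WS-01",  # account never seen before
    "2016-08-10T09:30:00 bob WS-02",      # ordinary
]


def parse(line):
    """Split one log line into (user, hour-of-day, workstation)."""
    ts, user, host = line.split()
    return user, datetime.fromisoformat(ts).hour, host


def build_baseline(lines):
    """Per user: the set of hours and workstations seen in the window."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for line in lines:
        user, hour, host = parse(line)
        base[user]["hours"].add(hour)
        base[user]["hosts"].add(host)
    return dict(base)


def detect(baseline, lines, hour_slack=1):
    """Return (line, reason) for every event outside its user's profile.

    hour_slack tolerates logins up to this many hours from a learned hour,
    so a slightly early start is not an alert; everything else is.
    """
    alerts = []
    for line in lines:
        user, hour, host = parse(line)
        profile = baseline.get(user)
        if profile is None:
            alerts.append((line, "unknown user"))
            continue
        reasons = []
        if all(abs(hour - h) > hour_slack for h in profile["hours"]):
            reasons.append("unusual hour")
        if host not in profile["hosts"]:
            reasons.append("unusual workstation")
        if reasons:
            alerts.append((line, ", ".join(reasons)))
    return alerts


def rebaseline(baseline, lines):
    """Replace the profile of every user present in a fresh learning window
    (e.g. after a planned workstation rotation); other users keep theirs.
    Replacing rather than merging is deliberate: the old workstation must
    stop counting as normal, otherwise the rotation buys nothing."""
    updated = dict(baseline)
    updated.update(build_baseline(lines))
    return updated


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for line, why in detect(base, NEW_LOG):
        print(f"ALERT {why:22} {line}")
    # Planned change: alice now works from WS-02. Teach the tool the new normal.
    base = rebaseline(base, ["2016-08-15T09:05:00 alice WS-02"])
    print(detect(base, ["2016-08-16T09:10:00 alice WS-02"]))
```

Run as a script it prints three alerts for the screened events (night-time hour, foreign workstation, unknown account) and nothing for bob, then an empty list once alice's rotated workstation has been learned. The same property the article warns about is visible here: the detector is only as good as the routine it learned, so a change that is not fed back through `rebaseline` produces either noise or, worse, silence.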

Another thing people are best at is having good instincts. Machines cannot feel that something is off or wrong. IBM is currently trying to teach Watson cognitive cyber-security skills, in an attempt to anticipate future or potential occurrences – but the result is still undecided.

People have this innate capability – some to a greater degree than others. Of course, depending on their specialization and previous experience, there are those who have trained their talents and turned them into an acquired skill. Nevertheless, there are others who naturally possess and/or develop good instincts and may notice when cyber-related items and operations are not right.

As a leader, it is important to notice and encourage your employees’ good instincts and bring the company’s cyber-security best practices under this natural umbrella – because vigilance is never redundant. Also, discerning which alerts are real and which are false is subtle work, and time helps in identifying the reliable people inside your organization.

Professional help – more and more available

Perhaps organizations do not have the time and energy to invest in detailed cyber-security protection measures that target their employees. Not even technical companies can always manage such ample strategic and staff-training actions – the focus is on their core activities, so this type of action risks being insufficiently organized or superficially performed.

Nevertheless, there are more and more organizations whose core activities consist of cyber-security consultancy, training, and expertise. Importing traditional security patterns and principles into cyber-security, these providers stay informed on the latest specific alerts and developments, and know how to pass on information and elements of cyber-security culture. See for example this article that explains a few crucial elements behind the high-reliability organization, or HRO, concept and its origins.

Often the best solution for a company’s cyber-security issues might consist of employing specialized off-premises resources to assess its protection status, to advise on an efficient policy, help set it up and implement it.

It is up to each business to add up the numbers and see whether it is capable of managing the human risk factor by itself, or whether it is actually better to trust the specialists with its cyber-protection, human risks included. Either way, employees are an asset in this process, although when uneducated and unaware of the best practices and the real risks in cyber-security, they can prove a catastrophe. Therefore, prevention and planning are the key elements in making the human element your ally in cyber-defending your company from malicious entities.