
The Weakest Link Is Your Strongest Security Asset


Christian Anschuetz, CIO & Security Practitioner, UL
Despite Firms' Best Efforts, Security Vulnerabilities Are Increasing
From the infamous Sony hack and other high-profile data breaches to Heartbleed, Shellshock and the new wave of mass mobile threats, 2014 was an historic (if woeful) year for cybersecurity. As a result, the topic of security is now center stage and firms are dramatically increasing their IT budgets to ward off often nameless, faceless attackers. Nevertheless, firms will continue to be vulnerable if they over-invest in technology while failing to engage their workforce as part of their overarching security solution.
Over-Reliance on High-Tech Protections Undermines Security
Firms are turning to modern technologies to protect themselves from becoming the next security breach headline. State-of-the-art firewalls protect network perimeters and secure remote access. Hardened applications, running on secure and patched operating systems, are increasingly defensible. Intrusion detection systems stand poised to alert firms when their protections have been compromised. While these are important tools to help counter cyber threats, history and data both show that the bad actors are adept at going around technological barriers and going right after users.
According to PwC, employees and corporate partners are responsible for 60 percent of data breaches. Verizon's research suggests the number is even higher, at almost 80 percent. These surprisingly high figures reflect in part a prevalent and dangerous myth, namely, that cyber losses are the result of attacks by technological geniuses who excel in dismantling sophisticated firewalls and circumventing other security measures.
The reality is that, while external attackers can be highly intelligent, they typically gain access to critical information and systems by subverting well-intentioned humans. Phishing emails, links and attachments that look legitimate and even social engineering are the primary initial avenues past an organization’s defenses. Cyber evil-doers, like combatants on the battlefield, attack asymmetrically, avoiding hardened security surfaces and taking advantage of human weaknesses.
Security Policies Often Weaken Defense
What’s more, firms are often their own worst enemy. They chronically ignore the human element of security, often relegating efforts to engage employees to the technology-focused, and stereotypically introverted, staff members of IT and information security. Instead of elevating the topic of security as an organization-wide endeavor, firms put the unfair burden of protecting their company’s intellectual property on the shoulders of a group that is ill-equipped to grasp the totality of the threat. Technological defense, although important, is only one side of the coin. Understanding and mitigating the human threat is a responsibility that goes well beyond IT.
Left in the wrong hands, cybersecurity manifests itself in burdensome and ineffective policy. Take typical password policies, for example. Setting a password policy to lock out accounts after three failed attempts is frustrating for users, and it almost never adds any incremental improvement in security. Making users change their password every 90 days is also folly, as it too fails to measurably improve security. These policies effectively lower a firm's security posture as users resort to writing down their passwords or finding other deleterious workarounds.
And because many security departments are more worried about control than productivity, they don’t consider the unintended consequences of their policies. Disable USB ports? Good move, except now users move often sensitive documents via Google Drive. Disable print drivers? That also seems wise, except now users email documents to unsecured web-connected printers. Forced to choose between disruptive and apparently irrational security directives or getting their job done, workers will find a way to be productive.
Creating Security Habits Strengthens Defense
The key to improving overall security is to elevate the topic to an organization-wide initiative, and to balance investment between technology and the education and engagement of the workforce. Pursuit of the imaginary “silver bullet” firewall is daunting in itself, so it’s no wonder firms cannot face the prospect of fundamentally changing people's behaviors. And given the relative ineffectiveness of traditional security awareness programs, it’s understandable why firms have largely ignored the human element.
Understandable, yes, but a grievous mistake. Logically, if insiders are the source of the majority of the breaches, then developing a security acumen among the workforce stands to dramatically reduce an organization’s vulnerability.
Some technologically well-protected firms, like Dow Chemical Co., engage their workforces through advanced security awareness programs that focus on targeted education. The most secure of these firms are creating “security habits.” By clearly defining desired behaviors, the firms help workers understand what they need to do, and why. By involving the workers in designing the security policies, the firms generate buy-in and support. Organizations that create the triggers, motivation, and even rewards—for example, recognition for forwarding, but not opening, a suspicious email—establish a secure operating model. If the organization’s leaders encourage employees and also visibly practice the desired behaviors themselves, then security can become a way of life in the workplace.
To Strengthen Security, Start with the “Weakest Link”
In The Art of War, Sun Tzu taught that attackers should "avoid what is strong and…strike at what is weak." This lesson has been well learned by today's cyber attackers, who are ruthlessly efficient in converting employees and corporate partners into unwitting allies. Good, smart workers are conscripted by attackers after being lured into opening an email attachment or following a dangerous link. If we change this paradigm and make our workforce an accountable part of the security solution, we will dramatically improve the defensibility of our firms.
