The Weakest Link Is Your Strongest Security Asset
Christian Anschuetz, CIO & Security Practitioner, UL
Despite Firms' Best Efforts, Security Vulnerabilities Are Increasing
From the infamous Sony hack and other high-profile data breaches to Heartbleed, Shellshock and the new wave of mass mobile threats, 2014 was an historic (if woeful) year for cybersecurity. As a result, the topic of security is now center stage and firms are dramatically increasing their IT budgets to ward off often nameless, faceless attackers. Nevertheless, firms will continue to be vulnerable if they over-invest in technology while failing to engage their workforce as part of their overarching security solution.
Over-Reliance on High-Tech Protections Undermines Security
Firms are turning to modern technologies to protect themselves from becoming the next security breach headline. State-of-the-art firewalls protect network perimeters and secure remote access. Hardened applications, running on secure and patched operating systems, are increasingly defensible. Intrusion detection systems stand poised to alert firms when their protections have been compromised. While these are important tools to help counter cyber threats, history and data both show that the bad actors are adept at going around technological barriers and going right after users.
According to PwC, employees and corporate partners are responsible for 60 percent of data breaches. Verizon's research suggests the number is even higher, at almost 80 percent. These surprisingly high figures reflect in part a prevalent and dangerous myth, namely, that cyber losses are the result of attacks by technological geniuses who excel in dismantling sophisticated firewalls and circumventing other security measures.
The reality is that, while external attackers can be highly intelligent, they typically gain access to critical information and systems by subverting well-intentioned humans. Phishing emails, legitimate-looking links and attachments, and even social engineering are the primary initial avenues past an organization’s defenses. Cyber evil-doers, like combatants on the battlefield, attack asymmetrically, avoiding hardened security surfaces and taking advantage of human weaknesses.
Security Policies Often Weaken Defense
What’s more, firms are often their own worst enemy. They chronically ignore the human element of security, often relegating efforts to engage employees to the technology-focused, and stereotypically introverted, staff members of IT and information security. Instead of elevating the topic of security as an organization-wide endeavor, firms put the unfair burden of protecting their company’s intellectual property on the shoulders of a group that is ill-equipped to grasp the totality of the threat. Technological defense, although important, is only one side of the coin. The responsibility for understanding and mitigating the human threat goes well beyond IT.
Left in the wrong hands, cybersecurity manifests itself in burdensome and ineffective policy. Take typical password policies, for example. Setting a password policy to lock out after three tries is frustrating for users, and it almost never adds any incremental improvement in security. Making users change their password every 90 days is also folly, as it too fails to measurably improve security. These policies effectively lower a firm's security posture as users resort to writing down their passwords or finding other deleterious workarounds.
And because many security departments are more worried about control than productivity, they don’t consider the unintended consequences of their policies. Disable USB ports? Good move, except now users move often sensitive documents via Google Drive. Disable print drivers? That also seems wise, except now users email documents to unsecured web-connected printers. Forced to choose between disruptive and apparently irrational security directives or getting their job done, workers will find a way to be productive.
Creating Security Habits Strengthens Defense
The key to improving overall security is to elevate the topic to an organization-wide initiative, and to balance investment between technology and the education and engagement of the workforce. Pursuit of the imaginary “silver bullet” firewall is daunting in itself, so it’s no wonder firms cannot face the prospect of fundamentally changing people's behaviors. And given the relative ineffectiveness of traditional security awareness programs, it’s understandable why firms have largely ignored the human element.
Understandable, yes, but a grievous mistake. Logically, if insiders are the source of the majority of the breaches, then developing a security acumen among the workforce stands to dramatically reduce an organization’s vulnerability.
Some technologically well-protected firms, like Dow Chemical Co., engage their workforces through advanced security awareness programs that focus on targeted education. The most secure of these firms are creating “security habits.” By clearly defining desired behaviors, the firms help workers understand what they need to do, and why. By involving the workers in designing the security policies, the firms generate buy-in and support. Organizations that create the triggers, motivation, and even rewards—for example, recognition for forwarding, but not opening, a suspicious email—establish a secure operating model. If the organization’s leaders encourage employees and also visibly practice the desired behaviors themselves, then security can become a way of life in the workplace.
To Strengthen Security, Start with the “Weakest Link”
In The Art of War, Sun Tzu taught that attackers should "avoid what is strong and…strike at what is weak." This lesson has been well learned by today's cyber attackers, who are ruthlessly efficient in converting employees and corporate partners into unwitting allies. Good, smart workers are conscripted by attackers after being lured into opening an email attachment or following a dangerous link. If we change this paradigm and make our workforce an accountable part of the security solution, we will dramatically improve the defensibility of our firms.