How well prepared are organizations for the activities of cyber criminals in 2019?
Organizations want to feel their efforts have made a difference in answering the question “are we secure?” However, there is no perfect solution and no way to be 100% secure; the real aim is to lower the risk, and that is a balancing act.
The biggest challenge, in my opinion, is communication: the board may have little idea about what cyber security programmes do and technologists often don’t know how to translate cyber security into the language of business risk.
This “language barrier” has led to large gaps in how protection measures are prioritized. A good example is the Equifax cyber breach in 2017. According to a report in The Verge, the company’s protocol involved “deploying a patch internally and scanning the system for any lingering vulnerability”.
Former Equifax CEO, Richard Smith, told the US Congress that “Both the human deployment of the patch and the scanning deployment did not work.”
He essentially blamed one person for not patching a system. However, as the company’s data was clearly of high value to cyber criminals, the real priority should have been architecting a solution that protected the data whether or not the system was patched, to minimise the impact on consumers.
Motivating cyber awareness
Organizations need to empower people to understand cyber attacks and improve their ability to respond. Critically, awareness training shouldn’t be purely compliance-driven, and it should certainly not be about punishing people. It’s important to address the way your audience is motivated and to raise awareness among employees using the principles of gamification, for example by finding the right balance between extrinsic and intrinsic motivation.
Building cyber-resilient organizations requires focusing on solutions that work for people, and on communication programmes that help them understand those solutions.
The cyber criminal: a profile
Cyber criminals recognize a gap in “the market” to build their “business”. Just as organizations have their version of a risk assessment, so do malicious actors: will this target benefit them, with low effort and high return?
They are, regrettably, professionals at this, and the minimal-effort route often involves searching publicly available information online and playing off human behaviour and security flaws.
Consequently, cyber breaches are rarely sophisticated attacks. Instead, attackers profit from phishing emails, improperly secured accounts, weak passwords, social engineering and the exploitation of human weakness.
In targeting people, they choose a method that increases the chance of a victim clicking a link. For example, their approach may be:
- Pretending to be a school notifying a parent of an incident with their child; the parent is unlikely to suspect that the link or attachment is malicious.
- Trying to break passwords using information about an individual that could reveal habitual patterns of behaviour.
- Appearing legitimate by sending an invoice from an organization a person is likely to trust.
Whilst obtaining information online is easy, getting information from people directly is even easier. For example, simply talking to someone on a flight: it’s amazing what people will tell you without ever considering that the questioner’s intentions might not be ethical.
An organizational approach
Tackling cyber criminals involves working with human behaviour and motivating people to care about why they are learning about cyber security. Cyber security is people, process, technology – but people first for a reason.
Personally, I have also found it helpful to focus on personal as well as professional security, by offering ways to protect employees and their families at home; this brings the risk closer to home and gives people a sense of empowerment from mastering new skills.
Teaching people how easy it is to create a phishing campaign, for example, dispels the assumption that it’s a complex process and helps them to identify threats without simply being told “don’t click links”. Scaring people into a response actually weakens their effectiveness.
Ultimately, it’s about humans building solutions to address human-driven attacks – and if you are more difficult to attack, most of the time cyber criminals will soon move on to another target.