Can humans provide a cybersecurity edge? [Q&A]
It's usually the case that cybersecurity is seen as being all about technology and that humans -- making mistakes and falling for social engineering -- are something of a liability.
But are people really just a problem or can they also be part of the solution? Toney Jennings, CEO of DataStone, believes we need to shift our thinking away from the current paradigm to empowering people as a hidden asset in the protection of their organization. We talked to him to find out more.
BN: Why are humans so often seen as the weakest link in cybersecurity?
TJ: Humans are often viewed as the weakest link in cybersecurity because, despite all the technological advancements, our natural tendencies and behaviors can lead to vulnerabilities. People can be tricked through social engineering, such as phishing attacks, where attackers disguise themselves as trustworthy entities to steal sensitive information. For example, an employee might receive an email that looks like it's from their CEO, asking for confidential data or asking them to click on a malicious link.
Another common issue is weak password practices. Many people reuse passwords across multiple sites or use easily guessable passwords, making it easier for attackers to gain unauthorized access. In traditional office settings, it’s easy for employees to inadvertently download malware by clicking on infected attachments or links, thinking they are legitimate.
Furthermore, the rise in remote work has introduced new challenges, as employees might use unsecured networks or devices to access company resources. This increases the risk of data breaches and unauthorized access. Despite these challenges, it’s important to recognize that with proper training and awareness, humans can significantly enhance cybersecurity defenses. By understanding the common pitfalls and how to avoid them, employees can act as the first line of defense against cyber threats.
BN: Is there a stigma attached to poor security choices that makes people reluctant to own mistakes?
TJ: Absolutely. There is often a significant stigma attached to making mistakes in cybersecurity, which can lead to a culture of fear and blame. This environment discourages individuals from reporting their errors, which can prevent organizations from addressing and learning from these mistakes. It's crucial to foster a culture where employees feel safe to report issues without fear of retribution. This approach not only helps in rectifying mistakes quickly but also contributes to a continuous improvement in the organization’s security posture.
BN: How can organizations change their culture to make humans part of the security solution?
TJ: Organizations can change their culture to make humans an integral part of the security solution by fostering a security-conscious environment where every employee feels responsible for protecting the organization's data.
First, the change must start at the top. Leadership should demonstrate a strong commitment to cybersecurity, emphasizing its importance in every communication and decision. When executives prioritize security, it sends a clear message to all employees about its significance.
To encourage reporting of security incidents, leadership must cultivate a blame-free culture. Employees should feel safe to report errors without fear of punishment. This transparency helps organizations quickly address vulnerabilities and learn from mistakes. For instance, implementing an anonymous reporting system can make employees more comfortable sharing information about potential security issues. Additionally, recognizing and rewarding good security practices with incentives and public recognition can motivate employees to stay vigilant.
It's important that organizations establish clear and open lines of communication where employees can ask questions, share concerns, and provide feedback on security practices. Regular updates from the security team, such as newsletters, can keep employees informed about new threats and remind them of their role in maintaining security.
Encouraging collaboration between the security team and other departments is also essential. When employees see that security is a shared responsibility and not just the domain of IT, they are more likely to contribute positively. For example, involving different departments in security planning and decision-making processes can ensure that security measures are practical and effective across the organization.
Security should also be integrated into the daily routines of employees. Organizations should ensure employees have the tools and knowledge they need to protect the organization. This includes providing access to up-to-date security software, clear guidelines on security policies, and regular updates on emerging threats, as well as incorporating security checks into regular workflows, such as requiring authentication for accessing sensitive information or performing regular audits of security practices. Making security a part of everyday tasks helps normalize it and reinforces its importance.
By implementing these strategies, organizations can transform their culture to view humans as a vital part of the security solution. This proactive approach not only enhances overall security but also fosters a sense of shared responsibility and vigilance among all employees.
BN: How important is education and training in achieving this?
TJ: Education and training are fundamental. Continuous education programs ensure that employees are up to date on the latest threats and how to counteract them. These programs should be engaging and practical, offering real-world scenarios that employees might encounter, and should cover the latest security threats, best practices, and how to recognize and respond to potential security incidents. Regular and interactive training helps reinforce good habits, making security a natural part of daily operations rather than an afterthought.
BN: Do we need to build humans into the process from the very start of developing new systems?
TJ: Yes, integrating human considerations from the outset of system development is essential. When developing new systems, it’s crucial to design with the end user in mind, ensuring that security measures are both robust and user-friendly. This approach, known as 'security by design,' can significantly reduce the risk of human error.
For example, when creating authentication mechanisms, it's important to balance security with usability. Multi-factor authentication (MFA) adds an extra layer of security, but it should be implemented in a way that doesn't frustrate users. If it's too cumbersome, employees might try to circumvent it, defeating its purpose. User interfaces should also be intuitive and guide users towards secure behavior. For instance, clear and concise error messages can help users understand what went wrong and how to correct it, rather than leaving them confused and potentially making insecure choices.
Regularly involving employees in the development and testing phases can provide valuable insights into how they interact with the system. This feedback can highlight potential areas of confusion or difficulty, allowing developers to make adjustments before the system is fully deployed. For example, beta testing with a small group of employees can reveal if certain security features are too complex or if there are common points where users make mistakes.
Training programs should also be developed alongside new systems to ensure employees understand how to use them securely. For instance, when rolling out a new data management platform, comprehensive training sessions can help users understand not just how to use the platform, but also the security implications of their actions within it. Additionally, ongoing support and resources should be available to assist employees with security-related questions or issues. This might include a dedicated help desk, detailed user manuals, or regular security newsletters.
By involving humans in the process from the very beginning, organizations can create systems that not only protect data but are also intuitive for users to navigate. This proactive approach reduces the likelihood of mistakes and fosters a security-conscious culture. Ultimately, this leads to a more secure and efficient operation, where both technology and human factors work together seamlessly to defend against cyber threats.
Image credit: ra2studio/depositphotos.com