Moving up to date, cyber security technology has advanced at a staggering rate, and the range of products covering different needs, platforms and functions is huge. Naturally, business seeks the best solutions for its cyber woes, and the less time- and resource-heavy, the better. This is where good technology and good security sometimes part ways. As we never tire of saying, security is a business- and people-based thing that can’t be made resilient by technology and IT alone. So I was disappointed to read a feature recently that emphatically denied the notion that people are the problem. The author clearly had a vested interest in that being true, so I guess it was really an advertorial. But the thought that anyone, after all the breaches and failures we have seen that were driven by people failure, and after the stats we get every quarter from the ICO confirming that human error is our biggest security weakness, could continue to deny the impact of human failure and assert technology as the only worthwhile solution, was disappointing. Mainly because the ethos that IT is both the problem and the solution has been hard to shift, even as organisations have started to fully grasp the cultural challenge that cyber security really is.
So for those who read pieces such as the one I described and believe they are getting good advice, I wonder how we deal with that? If businesses don’t want to take the facts from the good guys (the ICO, security experts, data protection experts, independent researchers et al.), then will they take them from the hackers themselves? Hackers know that people are the weakest link, and they know that resource, training and ongoing education, even for highly sought-after privileged account holders, is often lacking.
Thycotic produced a very nice poll from the hackers’ convention Black Hat 2017 this month, with the top two recommendations being education for all key stakeholders in the fundamentals of cyber security and taking a people-centric approach to cyber security. And why did they recommend this? Because the hackers told them so…
Multi-factor authentication (MFA) has been shown to be a clear advantage for security. If we are talking about the accounts of key individuals with privileged access, which we know hackers like to go after, it is clear why MFA is a definite requirement. Not far behind it is the cyber sentinel that is encryption, rarely out of the headlines whenever politicians discuss cybercrime and whenever ex-heads of security services talk about the vital security measures we need without question. It still provides one of the best possible technology solutions to assist the humans in the management of their security. So think of an approach or culture that has covered off how people behave, makes appropriate use of encryption and utilises MFA in a proportionate manner. Given that hackers are telling us that only 5% of successful hacks come through not having enough security software, this sounds like a reasonable place to start.
But let’s go back to people, as that is what hackers are telling us, fairly resoundingly, is the issue. If humans are the problem, what do the hackers see as the key reasons for the slip-ups and failings that are driving the breaches and opening businesses up to hacking? It looks like the new NCSC advice on password hygiene needs to be shared a little more widely… This would certainly help mitigate the risk that comes from changing and subsequently remembering passwords, and the possibility that users write passwords down or create insecure passwords in order to save time and effort. Never-ending updates are tough. We have to patch software; it’s a fact of life. When things are unpatched we end up with situations like WannaCry and Petya. After the initial WannaCry outbreak, Microsoft responded by issuing patches to help stop the spread and protect legacy, unpatched systems, but some businesses did not apply the patches and so the outbreak continued. If organisations don’t patch even in those critical circumstances, then we know we have an issue. The fact of the matter is, we do live under constant cyber threat. We can either take the required steps to mitigate the risk or not, and when we talk about information overload, I wonder if this is information overload combined with insight deficit. In other words, scary stories of hacks, breaches and failures, but no insight gained, steps identified or positive action planned? Data is one thing; combined with other data it is information; but insight is knowing what to do with the information.
Hackers are more than happy to exploit this human vulnerability of cyber fatigue and it is not a surprise that the password issue is top of the list. We know that familiarity can breed contempt, as the saying goes. But cyber security is too important to take the chance of this happening, especially to privileged account holders that hackers prize so highly. They prize them highly for a reason.
If hackers are telling us in no uncertain terms that our people are the key vulnerability they exploit, then we really need to listen. Businesses need to wise up to tech cyber amulets: however nice it would be to think that there is a solution that requires no effort or input from people, we are not there yet. The cultural place where most businesses operate (yes, SMEs, I am looking at you) is one that doesn’t fully grasp their information security issues and is all too eager, with stretched resources of both money and people, to continue to believe the myth of the standalone technical solution. I understand, because the idea that a piece of kit can genuinely provide all the answers and that breaches will simply stop is quite intoxicating. I do know from experience, though, that what we dream or imagine isn’t always what we get. I still get out of bed manually, the microwave has not replaced the cooker, and not everyone fancied the corner bath.
For me, a genuine focus on the human factors of security and cyber security makes me feel the same way I did when I (thought I) saw that revolving bed with a built-in Teasmade: optimistic and excited that one day it will happen. When it does, I might be here… writing here about it… maybe drinking tea and revolving…