Refining the human element in support of cyber defense
By Todd Ryan, Chief Information Officer, Hillsborough County Sheriff’s Office
With the recent release of Verizon’s 2022 Data Breach Investigations Report (DBIR) (Verizon Business et al., 2022), we gain insight into the past 15 years of cyber incidents and breaches. In just the past year (defined as November 1, 2020, to October 31, 2021), the DBIR studied over 20,000 security incidents, of which over 5,200 were confirmed data breaches.
I’d encourage you to read the entire report (free to download), but for the topic of this discussion, I’d like to focus on one particular observation:
“The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.” (Verizon Business et al., 2022, p. 8).
I believe that indicates that we, as security practitioners, information technology leaders, and business leaders, are missing the mark when preventing the aptly-named “preventable” security incidents. And, lest this is categorized as a pandemic-related trend, the human element as the chief root cause of security incidents has been factual for the entire 15 years.
This article isn’t intended to be an indictment of technology, as there are numerous technologies that help reduce the human element risk factor. Instead, I believe it is a reminder that we must keep the human element front and center in all of our technology deployments. As the human element factors are different for each organization, I will not trivialize the challenge by offering a “Top 5 ways to influence humans!” list. Instead, I would like to remind each of us as professionals of some foundational practices we should keep in mind with every project.
Practice Number One – Communication. It’s probably no surprise I led with communication as it is often the success factor for any project. Within cybersecurity, it is equally essential to develop a communication strategy and mandate it for any deployment. We should be telling our users when something is coming, what it will look like, what it’s for, and what to do if they think something is wrong. We should utilize multiple methods, provide an easy way to locate a message they vaguely recall seeing at some point, and we should remind them frequently but not frequently enough to generate noise. In doing so, we will train our users to tell them when something new is coming, what trusted applications should look like, and encourage their feedback if something looks different.
Practice Number Two – Set Expectations. We shouldn’t assume users know what they are expected to do; we must spell it out for them in everyday language. We can’t underestimate the impact of a simple message shared consistently. For example, even though it was many years ago and I was a small child, I believe only I can prevent forest fires, which influences my behavior. So tell your users, be direct, and assign ownership to them. Don’t open attachments you weren’t expecting. Don’t share your password. If you don’t follow our security policy, you could be responsible for all of us losing access to our computers.
Practice Number Three – Be approachable. How many of you would be worried if you lost console access to your firewall or router? A rhetorical question, so let me rephrase: how many of you would feel comfortable with your number one source of security incidents refusing to talk to you? If we alienate our users, make them feel small or stupid, or isolate ourselves in Fort IT, we’re going to miss crucial feedback and information from the source that is 82% likely to be our next incident. To guard against isolation, consider emotional intelligence training for your security staff, ensure they are easily accessible to the users, and require them to interact with them. The air gap between your security policy and the human element can only be bridged via relationships and communications.
Bonus Practice – Share information. Information sharing transcends your organization, but I believe it is the key to our collective cyber defenses as we advance. We must destigmatize cyber incidents and make it socially expected to share information as quickly as possible. I believe that starts at the local/geographic area by sharing information with your regional peers. Cybercrime, like most crimes, flourishes when kept under wraps or not discussed. If you are a government entity, the MS/EI-ISAC (Multi-State/Election Infrastructure Information Sharing and Analysis Center) is a great platform to share intelligence with several free or low-cost services.
Hopefully, as our nation learns to be more vigilant and cyber aware, we’ll gain ground in our fight against cyber attacks. Until then, I hope you find these tips helpful in engaging with people, statistically our most potent defense.
Verizon Business, Bassett, G., Hylender, C. D., Langlois, P., Pinto, A., & Widup, S. (2022). 2022 Data Breach Investigations Report. In Verizon. Verizon Business.