In this podcast, Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, talks about the human side of security. Are humans the weakest link? Why do people fall for phishing attacks and what can we do? He’ll also talk about how to put security at the front of our minds for organizations, where data protection and compliance mandates like EU GDPR fit in, and why people are ultimately at the heart of your business and security success.
If you’re at Infosecurity Europe 2017 in London this week, you can visit KnowBe4 with Wick Hill at stand D100.
Here’s a transcript of the podcast for your convenience.
Hello and thanks for listening! Today we are joined by Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4. KnowBe4 is the world’s most trusted security awareness training and simulated phishing platform. Used by more than 9,500 organizations globally, their mission is to have your users make smarter security decisions. If you’d like to learn more about KnowBe4, they will be at Infosecurity with Wick Hill at stand D100.
In today’s podcast, we asked Perry to talk about the human side of security. Are humans the weakest link? Why do people fall for phishing attacks and what can we do? He’ll also talk about how to put security at the front of our minds for organizations, where data protection and compliance mandates like EU GDPR fit in, and why people are ultimately at the heart of your business and security success. Let’s jump right in. Perry, thanks for joining us!
Perry: On this question of humans being the weakest link or not, I really think that is a question that can be answered both ways. Humans can be weak, but humans can also be trained to be incredibly resilient. In the end, humans are human with all the inherent strengths and challenges that are just part of humanity. And so for example we know that humans have a very difficult time resisting phishing bait that is crafted around the positive or negative self-interest of a person, or that evokes fear, urgency or curiosity – even morbid curiosity around national or global tragedies or the death or misfortune of a celebrity. All of this is about a crafty attacker finding ways to bypass the critical faculty of the person at the receiving end of the email. So yeah, we do have these inherent weaknesses built into the way that our brains work, but the good news is that we can train that. And so that gets into how we put security at the front of our minds.
Let’s flesh that out with a few thoughts. First, let’s deal with phishing and social engineering. Simply stated, you should be phishing your users. We need to be sending our end-users phishing emails, simulated phishing emails and social engineering tests to see how they respond. And when they fall for a phishing test, take that as a positive opportunity. Redirect them to training or messaging that helps build them up to where we want them to be. Because ultimately, we want to build people that are resilient to attack.
Let’s take this to a biological analogy. If there’s a virus outbreak, we want to inoculate people against the virus. And when you do that, you give somebody a little dose of the virus. And with phishing it’s the same way – we want to expose people to the reality of phishing so that we can build up their resilience. They can start to see what it looks like and we can build the inherent gut reaction to phishing emails, so when something does pass all the different layers of security, the firewall, the email filter, everything else that happens before it hits that person’s email inbox, we want that human to be an effective last line of defense. And we do that through training them and conditioning them.
And then the other thing that comes into helping people put security front of mind is working on the messaging. Finding things that are relevant to them, that are important to the people in our organizations, and messaging that effectively through multiple channels in a way that they’re most likely to hear it and receive it and internalize it. And then we also want to make our culture, our security culture, viral. And that can be in bringing a liaison program in, or a security ambassador program in, and making security not just the job of the security team, but the job of several people distributed throughout the organization so that they become the eyes and the ears, the hands and the mouths of security.
Then we get into one of the other reasons that people may be thinking about security awareness. With GDPR, there is an awareness requirement within that. And so, people say: What do we need to be aware of? I wouldn’t go into too much detail here; certainly, we can always have a discussion about the ins and outs of how to properly train on that, but let me just give you three things. I want to give you one ‘Why’ and two ‘Whats’.
The Why that we want to touch on is: why should we care? You want to tell your people why they should care about GDPR, and the processes and the requirements that are involved in that. Now, the two Whats that we want to cover are: what do they need to protect, and what is their role and responsibility? The first one is why they should care. Then we get to the two Whats – what do they need to protect? That’s the data, the PII. And what is their specific role, and how do they execute on that? That’s the responsibility.
And so, if you’re also asking, well, how do we now make this practical? How do we make it more than just information delivery? My immediate suggestion would be: make this scenario-based. Turn it into quick 10-15-minute tabletop exercises. So, to summarize, this is all about realizing that people are at the heart of our businesses. And security is at the heart of our business. But let’s not take this too far.
Our businesses do not exist to be secure. Security is not the focus of most of our businesses. Our businesses are there to deliver a service or a product, and so security really is about protecting the assets and the functions that are critical to the business, and to ensure resilience. And so, our security programs then are key to protection and resilience, and our people are a critical first and last line of defense to ensure that resilience. And so when we put all of that in context, we realize that people are what make up many of the functions of our business, and they are aided by technology. We can’t just focus on security through the technology layers. We have to have security permeate the human layers as well, and build that resilience, and build that effective first line of defense and last line of defense, which is our people.
That was Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4. And just a reminder – if you would like to learn more about KnowBe4, they will be at Infosecurity with Wick Hill at stand D100. Thanks for listening!