October is Security Awareness Month, an exciting time as organizations around the world train people how to be cyber secure, both at work and at home. But what exactly is security awareness and, more importantly, why should we care about it?
Security awareness goes by many other names, depending on the organization: security influence, culture, engagement, training, education, etc. All these different names may seem confusing, but ultimately, they are all talking about the same thing – managing human risk.
The traditional approach does not work
Organizations, cybersecurity leaders and the cybersecurity community will all tell you the same thing: People represent the greatest security risk in today’s highly connected world. Organizations see it in their own incidents, and we see it in global data sets.
The most recent Verizon Data Breach Investigations Report (DBIR)- one of the industry’s most trusted reports – has pointed out that people were involved in over 80% of breaches globally. These incidents may involve people being targeted with phishing emails or smishing attacks, or people making mistakes (e.g., IT admins misconfiguring their cloud accounts and accidentally sharing sensitive data with the entire world).
If people represent such a high risk, what should we be doing about it?
The traditional approach has been (and often continues to be) to throw more technology at the problem. If cyber attackers are successfully phishing people with email, we will deploy security technologies that filter and stop phishing email attacks. If cyber attackers are compromising people’s passwords, we will implement multi-factor authentication. The problem is that cyber attackers bypass these technologies by targeting people.
As we get better at identifying and stopping phishing email attacks, cyber attackers target people’s mobile phones with smishing (SMS or message-based) attacks. As more and more organizations deploy MFA, cyber attackers began pestering people with MFA requests until they approve one (as recently happened at Uber).
This is where we also run into our second challenge: Security teams far too often blame people as the root cause of the human risk problem – as evidenced in often used phrases such as “People are the weakest link,” and “If our employees did what we told them to do, they and we would be secure.”
But when we look at cybersecurity from the average employee’s perspective, it turns out that the security community is often to blame. We have made cybersecurity so confusing, scary, and overwhelming that we have set people up for failure. People often have no idea what to do or, if they do know what to do, doing the right thing has become so difficult that they get it wrong or simply choose another option.
Just look at passwords, one of the biggest drivers of breaches. We’ve been saying for years that people continue to use weak passwords in an insecure manner, but the problem persists because the password policies we teach are confusing and constantly changing. For example, many organizations or websites have policies requiring complex passwords of 15 characters, including having upper and lower case letters, symbols, and numbers. Then we require people to change those passwords every ninety days but don’t provide a secure way to secure all those long, complex, and changing passwords.
Then we roll out MFA to help secure people but, once again, this is extremely confusing (even for me!). First, we have multiple different names for MFA, including two-factor authentication, two-step verification, strong authentication, or one-time passwords. Then we have multiple different ways to implement it including push notification, text messaging, FIDO token-based, authentication apps, etc. Every website you go to has a different name and implementation of this technology, and then we once again blame people for not using it.
From security awareness to managing human risk
Security awareness training has been the traditional approach, and it involves communicating to and training your workforce on how to be cyber secure. While a step in the right direction, we need to take this one step further: We need to manage human risk.
Managing human risk requires a far more strategic approach. It builds on security awareness, to include:
- Risks: The security awareness team needs to be an integrated part of the security team, even reporting directly to the CISO. Their job should include working closely with other security elements (such as the security operations center, the cyber threat intelligence analysts, and the incident responders) to clearly identify the top human risks to the organization and the key behaviors that manage those risks. Once those key risks and behaviors have been identified and prioritized, then we can communicate with and train our workforce on those behaviors.
- Policies: We need to start creating security policies, processes, and procedures that are far simpler for people to follow, we should be designing policies (and the tools that support them) with people in mind. If we want people to use strong authentication, we must focus on something that will be easy for people to learn and use. The more confusing and manual the process, the easier it is for cyber attackers to take advantage of that.
- Security team: We need security teams to communicate to their workforce in simple, “human” terms that everyone can understand, including explaining the WHY of their requirements: Why are password managers important, what value does MFA have to them, and why enabling automatic updating is good for them. We must change the employees’ perception of the security team: from arrogant to approachable.
Managing human risk is becoming a fundamental part of every security leader’s strategy. Security awareness is the first step in the right direction as we attempt to communicate to, engage and train our workforce, but we need a more dedicated, strategic effort to truly manage human risk. Perhaps one day we will even grow and replace the role of the Security Awareness Officer with the Human Risk Officer.