By: David Tumlin
You are a network security professional. You have ensured that every client machine has endpoint protection and that the network has firewalls and IPS. Your solutions employ sandboxing and machine learning. You’ve covered all the vectors. How are your systems still being compromised?
It might be your users. According to Verizon’s Data Breach Investigations Report for 2018, 93% of social-related breaches involve phishing or pretexting. Why would an attacker spend time writing elaborate exploit code that will, most likely, be rendered ineffective by a patch in short order, when they can simply send an e-mail asking the victim to log in and “verify” their password?
It might also be you and your fellow IT staff. 27% of organizations that were breached were compromised as a result of unpatched vulnerabilities. Why spend the time discovering a new exploit when an old, well-documented one still works?
In either case, the problem cannot be solved exclusively with technology. Humans have to be involved. In fact, we, as security professionals, have multiple roles to play in ensuring the organization we support maintains a sufficient level of security.
- You need to be an educator.
The users you support need to know how the attacks will come at them, what the attacks do, and what they should do when confronted with one. It is unreasonable to expect your users to identify pretexting without knowing the methods attackers use and the practices that good-faith actors adhere to. An example (one I used for my 80-year-old mother) is that banks generally do not send links in their messages; instead they recommend that the customer log into their account using their usual method. If an e-mail, nominally from a bank, implores the reader to “click the link” for any purpose, the odds are good that it is a phish. If you don’t educate your users, you cannot expect them to know.
For your IT admins, it is very easy to delay patching systems that display no obvious problems. Your admins need to understand how their systems can be compromised and what the consequences would be. Don’t assume that they know about recent vulnerabilities found in the products they support; make sure the advisories for those products actually reach them. Quite often, IT admins get “tunnel vision”, dealing with the problems that are most visible at this moment rather than with something of potentially greater impact in the future.
- You need to be an actuary.
Management doesn’t want to spend more on prevention than the cost of what is being prevented. Managers, especially C-level managers, seek to balance the cost of the control against the cost of the breach adjusted for its likelihood. No one wants to buy a $200 safe for a $50 watch. The usual way to express this is annualized loss expectancy: the cost of a single incident multiplied by how many times per year you expect it to occur. A control is worth buying only if it costs less than the loss expectancy it removes. You will need to understand the level of risk that an exploit or breach presents in order to convince many in your organization of the importance of security, and alongside the risk you will often need a cost estimate to illustrate the value of the security controls.
- Finally, you need to be a salesman.
Without buy-in, your users and admins will actively work against your controls, seeing them as arbitrary and obstructive. You need to take the information on the attacks and the information on the risks and craft a reasonable case for information security in your organization. Everyone in your organization, be it management, the IT admins or the ordinary users, must be convinced of the benefit of the security controls. You have to sell the idea that the regulations are not just a list of checkboxes, but rather a framework that ensures due diligence is being exercised.
Without addressing the human component of security, it will be difficult to succeed. It is important to develop a partnership with the members of your organization to implement the most effective security ecosystem. To quote Bruce Schneier: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Contact us today to learn more and let us help you ensure you are safe. Sales@fcltd.net or 817-510-1126.