Years ago, a large bank hired me to tackle a cybersecurity problem for six weeks. After a meticulous financial check and drug test, I arrived for my first day. They gave me a piece of paper with a username and password, twelve characters each, to be changed every 90 days.
I went straight to the director and told him, "Your cybersecurity issue is worse than you think. I can 'hack' at least ten of your workstations by lunchtime." He didn't believe me and bet me a steak dinner.
I quickly found ten usernames and passwords without using any fancy network tools. Unfortunately, no human can remember a random string of twelve characters that changes every 90 days. So most people hide their passwords where "no one would look," i.e., under the keyboard, in their top drawer, or behind the monitor.
We often concentrate so much on safeguarding the network, application, and data layers that we neglect the human aspect. Configuring the network or running static analysis is much easier than dealing with human behavior or, even less predictable, human emotions.
The concept of Human First cybersecurity is based on the belief that no matter how much you invest in your technological defense, humans can often bypass it if it impedes their ability to perform their job. We can create a more robust organization by acknowledging the human aspect and constructing security that doesn't make people's work more difficult.
So how do you get people to care?
- Use positive campaigns instead of negative ones.
Employees rarely benefit from being reprimanded or undergoing extra training after failing a phishing campaign. Those actions make people afraid to act (or to report) instead of fostering a safe environment of collaboration.
We must not view people as a weakness but as the first line of defense.
For example, I saw a positive campaign when one of our clients raffled off a talking fish for the first person to report phishing. That tiny prize created positive energy and a significant increase in future compliance.
- Emphasize the benefits of security personally before corporately.
Employees generally worry about their data more than the company's data. The message around cybersecurity will resonate better when packaged as a service to the individual rather than the corporation.
I've seen companies provide free services like Optery and DeleteMe to their employees to reduce the risk of impersonation, thus emphasizing the importance of PII and reducing the risk of spear phishing. Some companies even bought employees branded "USB data blockers" to prevent data from being transferred through airport charging stations, raising awareness of data loss.
- Continuously invest in modernization.
When we think about an investment in technology, we see it as a way to increase efficiency, quality, and output. But modernization is also a necessity for cybersecurity.
A CIO once shared with me that their agency’s infrastructure was so outdated that they didn’t even have a wireless network in the building. The lack of modern technology was a blocker for employees. Instead of using the agency’s secure network, they went to a nearby Starbucks to work, using a public, insecure wireless network. All cybersecurity defenses are worthless when staff is working outside of the network.
- We must change the cybersecurity stance from being a blocker to an enabler.
When approached with a request for a new feature or software, more often than not, security teams are the ones who say "No," or "You can't do that." Eventually, the security team is perceived as a blocker to business velocity and is circumvented altogether.
One analogy I like to use is the race car: your company wants to go fast, disrupt, change, and gain market share. But the road ahead is full of potholes, some small, like a simple DDoS, and some big, such as a ransomware attack that could total your car. The job of the cybersecurity team is to smooth out the road so the corporation can go fast, Ricky Bobby Fast!
Too often, the relationship between the cybersecurity team and the rest of the company is adversarial. The cybersecurity team believes the company does not understand the threat level, and the company will blame the cybersecurity team if anything goes wrong.
Human First cybersecurity is about recognizing the need for a collaborative work environment. Taking into account how the people on your team actually think and work is what produces a truly secure business setting.