[17.1.2022] The most promising cybersecurity strategies rest on three pillars: people, technology, and organization (including processes). Yet the central pillar, the human, is often overlooked.
In order to fend off the many threats to IT infrastructure coming from the depths of the Internet, significant investments are being made in the latest security systems. However, the better technology recognizes and counters external threats, the more attractive it becomes to bypass it and instead target the people who already have access to the systems. As US security expert Bruce Schneier put it: "Amateurs hack systems, professionals hack people." In doing so, attackers pull out all the stops of social engineering and exploit basic patterns of human behaviour: they appeal to people's willingness to help, put them under time pressure, stoke fears, or promise short-term rewards.
Sometimes the attacks are clumsy, for example odd-sounding phone calls or unsolicited bulk emails, which, if you know what to look for, are easily identified as such. But more and more attacks are targeted. In preparation, cybercriminals collect all the data they can get: by phone, on site while posing as service technicians, on social media and on the web. This data is linked, processed and evaluated, and it serves as the basis for a detailed attack plan. It is not uncommon for such a plan to be organized in several stages: in step 1, for example, gain access to the email inbox of an employee at Agency A, and then in step 2 use that inbox to approach an employee at Agency B as a supposedly trustworthy sender.
Interfering with proven work procedures
An evergreen is the job application whose attachment brings unwanted malware with it in the background (usually via a macro function). A short call from the supposed applicant, asking for a quick check that the current résumé has arrived and assuring that the macros are harmless, and the damage is done. The truth is that cybercriminals have reached a high level of professionalism. It would be negligent to leave your employees at the amateur level.
Cybersecurity rests on three pillars: people, technology, and organization (including processes). In reality, however, technology is usually implemented first, suitable processes are then developed, and both are imposed on employees. This leads to problems, because it interferes with day-to-day working procedures that have been tried and tested for years. The result is resistance: many employees do everything they can to keep using the established procedures and, if necessary, bypass the new rules. The problem, though, does not lie only with the employees, but in the fact that they were not the focus when the concept was developed. Otherwise, someone would have thought about how much their daily work would be affected and, in the case of serious changes, would have explained why they are necessary.
Problematic corporate culture
Lack of explanations, poor communication, careless guidance in daily work and weak awareness: these are the ingredients that make a cybersecurity concept that looks innovative on paper fail in practice. The question of contacts also belongs to communication: whom do employees turn to in case of doubt or an incident? Often this is not really known, and in an emergency the contact person first has to be tracked down.
The usual motto in this country also presents a target for cybercrime: mistakes don't happen on the job. Anyone who makes one anyway gets ridiculed. This leads to a culture of fear in which mistakes are covered up and their reporting is put off. In a cybersecurity incident, this pattern of behaviour is a disaster, because time is of the essence in containment. Although the phenomenon shows up in employees, its cause lies in the culture of the organization. As long as errors are dealt with in this way, the problem cannot be brought under control. From a security standpoint, what is needed is a culture that accepts that mistakes happen, communicates them quickly and openly, and draws the right lessons from them. An additional advantage of such a culture: employees are more confident, act more independently and creatively, and at the same time are more attentive when they know that nothing bad will happen to them if they make a mistake.
Thinking about cybersecurity from a human perspective
As part of certification or re-certification, for example based on the ISO 2700x series, it is sufficient to provide evidence of staff training. Most of the time, however, this takes the form of a soporific lecture delivered with overloaded PowerPoint presentations. Evidence provided, but was the objective achieved? Hardly! The goal of the exercise should in fact be to educate employees about cyber risks, not to tick a box for the certification. It is better to build awareness-raising into daily work rather than to rely on one-off events.
Just as hackers take advantage of the human psyche in social engineering, so can the defending side. The desire for recognition runs deep in people and can easily be served with small virtual rewards in the form of points, badges and the like. People have to deal with, apply and live technology in their daily work, so it makes sense to think about cybersecurity starting from there. Without active human participation, any cybersecurity strategy is doomed from the start. It therefore makes sense to give awareness the weight it deserves.
Jacob Schmidt is the KORAMIS Outreach Coordinator at the Competence Center for Cyber Security at Telent GmbH.
This article appeared as the cover story of the January 2022 issue of Kommune21. A copy can be ordered or the magazine subscribed to from the publisher.
Keywords: IT security, telecommunications, awareness, cyber-attacks, corporate culture
Image source: telent GmbH