True or false: 95% of all security breaches are due to sophisticated cybercriminals that we could not defend ourselves against.
Believe it or not, the answer is false. In fact, we are victims of breaches due to human error which is linked to poor security design.
This year’s SCTA Conference, which brought more than 200 cash management industry thought leaders to Chicago, was filled with insightful speakers and important discussions about the security, transportation, and management of cash in today’s world. The conference was highlighted by a keynote address from former White House CIO, Theresa Payton in which she stressed the need to design security “for the human psyche.”
95% or more of past breaches were a result of human error, according to the 2014 IBM Security Services Cyber Security Intelligence Index. From clicking on a malicious link found in a phishing message to running servers that are set up with the wrong settings, to lost laptops or portable media, human error is a huge concern.
To illustrate the point, Payton and her team conducted a geofencing test to show how a hacker might target companies through individuals. Similar to how a physical security team for a rock star might draw a circle around a venue and look at all the entrances and exits to the venue to ensure the safety of the rock star and the crowd, in the digital sense, geofencing was used to demonstrate how any of us, while connecting with loved ones through social media, could expose too many clues.
Payton explained the steps of her geofencing experiment, which involved drawing a “digital circle” around a physical location, using tools to see all social media being posted within or near the geofence, reverse facial recognition, geolocation tools, and demonstration of how all of data collected could be used to trick the subject into giving access to a network of data.
The point of the experiment was to demonstrate why it is so critical that all security programs help design and manage through the human psyche, and not against it.
Designing Security for the Human Psyche: Evolutionary Change Required
Payton stressed the need to design applications under the assumption that your users will do everything wrong – they will share passwords, they will forget them, and they will do unsafe things to get their jobs done, such as use free, unsecure WiFi.
To make evolutionary change, Payton suggests we need to incorporate the following scenarios:
- Understand and educate the knowledge of human nature and psyche into the cyber security profession
- Incorporate that knowledge into the design and implementation of all our systems
- Innovate cyber security technologies and policies that account for insecure human behaviors and incentives
Unless we do these things, she contends, our privacy and security will perish.
How can you put these changes into action?
Payton suggests the following five steps:
- Design security awareness and rules with your end user in mind.
- Knowing users will break all the rules by accident, segment your most critical data elements away from every day access (different credentials, limited access, expiring passwords).
- Use expiring and limited credentials. In a recent study, 70% of people polled said they have access they don’t really need and many admitted they peak at the data because they have access!
- Implement “digital shredding.” Just like you wouldn’t keep overstuffed paper files and cabinets, Payton suggests getting rid of unneeded data in the digital sense.
- Reward reporting. Make it easy and recognize and reward employees who report malware, strange emails, or other suspicious files or network activity.
The US Director of National Intelligence has ranked cybercrime as the top national security threat, higher than that of terrorism, espionage, and weapons of mass destruction. A threat of this level is bound to impact every day organizations. Payton made the impactful statement that at some point technology will fail and process is all that will remain. This is why she says it is so important to design for the human psyche.
Is your organization on the offense when it comes to addressing cybersecurity and the human psyche? We’d like to hear from you.