Error 404 – Adequate Safeguards Not Found
In the fictitious world brought to life by director James Cameron in The Terminator, Kyle Reese reveals that Skynet saw all humans as a liability, hence their elimination was necessary...
Given the past few years, no doubt a few CISOs have fleetingly thought maybe Skynet had a point when faced with the fallout from a human error. Smart companies are using different ways of protecting themselves against the significant security risk posed by human error.
In a world that is making more effort than ever to protect data and ensure that companies take their responsibilities seriously, it’s not hard to question why losses still occur. Given the changes companies have had to make in the wake of legislation such as GDPR and CCPA, surely all the issues should be solved by now, apart from the attacks by criminal supervillains that late 80s and early 90s Hollywood taught us exist. In an ideal world, mandating minimum standards and big IT spends on the latest security tech should work to solve the issue, apart from one factor that nearly all IT systems have in common – the end user.
Looking at some of the largest data breaches of 2019 the strikingly common theme is the humble homo sapiens. Per the statement of "other things being equal, simpler explanations are generally better than more complex ones", the simple explanation is that it’s usually the user that’s at fault, not the IT. This is a fact purported by CybSafe who, after looking at data from the UK Information Commissioner’s Office (ICO), stated that 90% of cyber data breaches in 2019 were caused by human error(1).
Proper policies and procedures
In two recent examples in the shape of ElasticSearch and Verifications.io there were wholly insufficient controls around passwords and access. The result, 108m and 808m records lost respectively. In a third example, American Financial Corp, 885m records were lost and ‘were available without authentication to anyone with a web browser’(2).
As per the comments by Greg Walden in reference to the Equifax breach “You can't stop stupidity. You can't legislate against it, but you can hold people accountable for it” (3). This, it seems, is what the likes of GDPR and CCPA are trying to deal with - compelling companies to put sufficient thought in to properly protecting data, by putting the right policies and procedures in place. While for some organisations this might close down some gaps, it doesn’t completely negate human behaviours.
If you want people to do things, make it easy
As a rule of thumb, human beings will tend to look for the easiest option. This is illustrated by the concept of ‘nudge’ in behavioural economics. The essence of this is that if you want people to do things, make it easy. While the protagonist in The Terminator may have infinite capacity for the 85 passwords the average employee is expected to remember (4) and then change on a regular basis, the average employee neither has the capacity nor the inclination to remember them alongside other often onerous security requirements, let alone thinking about their day job. It’s easy to see why a fatal lack of engagement with the topic emerges.
The challenge presented here is that companies need to make security simple enough that people will actually do it, while maintaining sufficient security that it’s not debased to a token change of a single character every 30 days. For example, mandatory password changes are, superficially at least, a great idea. However, there is evidence to suggest that this actually leads to increasingly weak passwords.
So, how are organisations approaching this delicate challenge?
As a result, many organisations are looking to solutions such as multi-factor authentication (MFA) which essentially requires two or more points of authentication. The first two will typically be a username and password, the third can be anything, although most typically it will be a random token generated via software or hardware like a keyring token. Others look at location-based information (where the endpoint is located) or even biometrics. None of these are entirely infallible, but they do significantly reduce a malicious third party’s ability to log in at all. And the more sophisticated end companies are able to track ‘typical’ behaviour such as typing speed and frequency of use, all the way up to how a phone is held in order to build up a risk-profile of when behaviour should arouse suspicion.
Some companies are already recognising the pitfalls of allowing employees access to data at all. Many have implemented privileged access management programs, which in essence requires the user to prove that they are who they say they are and why they need access. This narrows down who can access the data effectively for two reasons. Firstly, it reduces the pool of individuals with the right access, meaning that malicious actors have a small surface area to attack, and by secondary validation it presents a further set of credentials that need to also be compromised.
Some organisations are already moving beyond this with vaulting that second set of credentials. This means that these privileged users need to check-out the credentials like a book from a library each time they want to access sensitive data; but better than a library, the credentials are single-use and can be programmed to expire after a set period of time. This provides a neat solution meaning that passwords can be complex and ever-changing without the need for a human being to be able to recall them from memory.
Galvanising your workforce
For smaller companies without the resources or complexity to implement such an elegant solution, the challenge of engaging the end-user remains. Given the prevalence of phishing as an attack vector, an educated user base is invaluable. As it stands, most employees go through a mandatory online training course in IT security. When security messages and training are viewed as a chore it will not get the same engagement from the average user when compared to a campaign that truly engages the employee. Most proactive companies are trying to make security a culturally important aspect of the business by moving security away from compliance. They have introduced ‘security awareness months’, where employees are presented with the concepts underpinning good security for longer periods of time and less of a tick-box approach. Some frame cyber security within the employee’s personal life and illustrate the hazards and benefits in that environment, in an effort to foster an emotional buy-in.
This crucial aspect, employee engagement, is often given too little consideration in the insurance-buying process, limited to a cursory question or two in the proposal form. We believe companies, brokers and insurers must acknowledge the importance of employee engagement and give greater focus to this area. Until the unpredictable and significant risks posed by human error are afforded the importance they deserve, maybe Skynet’s assessment of human behaviour as a liability will continue to have a ring of truth. Reducing access to sensitive systems and data may be the best solution for now.