Opinion: Chris Pogue, Senior Vice President, Cyber Threat Analysis, Nuix, looks at why the threat landscape has actually gotten worse over the last 20 years.
Over the past 20 years, organisations have expended billions of pounds’ worth of time, energy and intellectual property pursuing the elusive ‘next big thing’ in cybersecurity. Despite the collaborative efforts of the entire cyber-industrial machine, very little progress has been made. In fact, recent reports show cyberattacks are becoming more and more frequent and costly, especially among smaller businesses. But why? Experience has taught us that the vast majority of data breaches were not the result of failures in technology, but of poor decision-making by the people responsible for the victim organisation’s security programme.
However, though 93% of CIOs and CISOs say human behaviour is the biggest threat to their organisations’ security, for two decades they have been implementing security technology to solve data protection problems. In essence, we’ve been fighting the wrong battle. Organisations need to completely reassess the way they think about cybersecurity if they wish to deflect, detect, react, respond to and recover from cybersecurity incidents. Specifically, they should stop trying to solve the problem in a linear, technical manner and shift to a more human-centric approach. Here is a battle plan they can follow to change the course they find themselves on.
1. Admit there is a problem: This is step one in every recovery programme for good reason.
Organisations cannot begin to address a problem that they can’t or won’t admit is actually there. Transparency has become even more important following the recent approval of the European Union General Data Protection Regulation (GDPR), which will make it mandatory for all organisations that operate in the EU, or deal with its citizens, to report data breaches that involve the private data of EU citizens — usually within 72 hours.
2. Identify which cognitive biases are present within the organisation:
Cognitive biases are tendencies formulated in our brains that can lead to illogical decision making or poor judgement, which can ultimately lead decision makers to neglect the protection of critical information assets in their care. Through introspection, training and role playing, it is possible to retrain our brains to behave differently.
This will take emotional maturity at all levels, as progress here will essentially involve admitting personal shortcomings from frontline analysts up to and including the CEO. Organisations should expect tremendous resistance at this stage of the process, where organisational leadership will face the question, ‘Which is more important: your ego or the success of your organisation?’ They can only choose one answer.
3. Engineer out as many human decision points as possible:
Technical people get nervous about the word ‘automation’ for good reason. In many instances, their job relies on a manual process that, if automated, could mean the loss of employment.
It’s important for organisations to clearly state that they are reducing human decision points, not eliminating them, and that the remaining intersection points will require enhanced decision-making capability from those individuals responsible for them. Organisations should follow this up with extensive, realistic scenario-based training to give people those skills.
4. Let other people make bad decisions and be happy to learn from them:
There are so many breaches that can be analysed that there really is no reason why the cybersecurity industry should not have volumes of post-incident review documentation to learn from.
Organisations should implement an after-action review process for all breaches, whether they are publicly disclosed or not. It’s true that when they are in the middle of trying to fix an urgent problem, the last thing organisations have time for is being a case study that someone else can learn from. Still, if they think beyond the impact to their own organisation about what can be learned from an incident, it will help others avoid a similar situation. That can only benefit everyone involved, including the organisation itself.
Organisations should ask themselves, ‘What can we learn from this breach? How can these lessons improve the organisation’s security posture? When dealing with an internal incident, how can we use this experience to help others?’
5. Hire for success:
Organisations should seek to employ the right kind of people, rather than the most geographically convenient ones or those with a certain skillset. They will need employees who can follow processes and procedures, can take direction and are less egocentric and more mission focused. Historically, the hiring process for technical jobs has mainly focused on whether or not the applicant already has the technical skills to perform the tasks required for the job. While this may seem logical, there are two decades of evidence to substantiate that it’s a very poor hiring strategy.
Cybersecurity is not a technology problem; it is a people problem. Organisations must realise that technical ability alone is not enough to resolve the issue. If it were, breaches wouldn’t occur in such great numbers and with such frequency. Instead, preventing breaches requires changing behaviour and reducing the number of opportunities for people to make mistakes.
Going forward, organisations should focus on using technology to reduce the number of human decision points within the data protection process. This will dramatically reduce the opportunity for mistakes and failure. By providing the right kind of training and education, and by conducting ongoing threat simulations, organisations can enable their employees to be exponentially more prepared to fight the war against cybercrime. They will subsequently be more successful than they have ever been in the protection of critical data.