Human missing link in cyber

by Mark Rowe

How organisations can win the cybersecurity war, by Chris Pogue, Chief Information Security Officer at Nuix, a company that makes incident response and data security products.

A quick web search will turn up article after article describing data breaches, system hacks and security faux pas. These incidents happen every day, in every industry, on every continent, targeting every type of data that conceivably holds monetary value. It does not take a brain surgeon to see that whatever the cybersecurity industry has been doing for the past two decades has, very simply, failed. What critical information has eluded cybersecurity companies and prevented them from stemming the tide of data breaches?

A staggering 93pc of CIOs and CISOs say human behaviour is the biggest threat to their organisations’ security. At Nuix, we believe this missing link is the human being. Experience has taught us that in most scenarios cyberattacks are largely preventable, since the requisite knowledge and technology have existed for close to 20 years. Instead, what we see in the vast majority of data breaches is poor decision-making by the people responsible for the victim organisation’s security programme. These people either lacked experience of the steps required to implement adequate security controls, or simply chose not to implement them. By ignoring the human element in cybersecurity, organisations have been fighting the wrong battle, with the wrong weapons, for the past two decades. Organisations need to completely reassess the way they think about this issue and shift to a more human-centric approach. This is a step-by-step guide to how they can address the people problems of cybersecurity:

1. Realise there is a problem and that something needs to be done about it: Organisations cannot begin to address a problem that they can’t or won’t admit is actually there. That is why step one in every recovery programme is admitting that there is an issue and committing to take action. Transparency has become even more important following the recent approval of the European Union General Data Protection Regulation (GDPR), which will make it mandatory for all organisations that operate in the EU, or deal with its citizens, to report data breaches that involve the private data of EU citizens, usually within 72 hours.

2. Identify cognitive biases and implement a mechanism to overcome them: Cognitive biases are “bugs in our brain software” that can cause illogical decision-making and poor judgement, which can ultimately lead decision makers to neglect the protection of the critical information assets in their care. Through introspection, training and role playing, it is possible to retrain our brains to behave differently. This is going to take some serious mental and emotional maturity within the organisation, as these biases will be present in every member of staff, from the CEO down to the intern. Organisations should expect tremendous resistance at this stage of the process, where organisational leadership will face the question, ‘Which is more important: your ego or the success of your organisation?’ Retaining the services of a professional executive coach or organisational change consultant can help employees to overcome any political and social upheaval that may arise within the company during this process.

3. The marriage of human intelligence and technology is the key to victory: Engineering out as many human intersection points as possible will reduce the opportunities for errors. However, technical people may get nervous about the word automation, as automating manual processes is often perceived as a potential loss of employment. This is why it is crucial for organisations to state clearly that they are reducing human decision points, not eliminating them, and that the remaining intersection points will require enhanced decision-making capability from the individuals responsible for them. Organisations should also ensure that people working in areas where automation cannot replace human interaction are extensively trained and equipped with software that acts as an intelligence multiplier.

4. Share the lessons learnt: Organisations can learn and share valuable lessons about cybersecurity breaches. Following a breach, organisations should ask themselves, ‘What can we learn from this breach? How can these lessons improve the organisation’s security posture? When dealing with an internal incident, how can we use this experience to help others?’ It is true that when they are in the middle of trying to fix an urgent problem, the last thing organisations have time for is being a case study that someone else can learn from. Even so, it is crucial that they begin thinking beyond the impact on their own organisation and start to determine how what can be learned from an incident can help others, and the organisation itself, to avoid a similar situation.

5. Hire security-minded employees: Security is everyone’s responsibility, which is why organisations should seek to employ people who can take direction, follow processes and procedures, and are less egocentric and more mission-focused. In the past, the hiring process for technical jobs has mainly focused on whether or not the applicant already has the technical skills to perform the tasks required for the job. While this may seem logical, there are two decades of evidence to substantiate that this is a questionable hiring strategy.

Cybercrime is a human problem, and as such requires a human solution. Organisations should focus on providing the right kind of training and education, and on conducting ongoing threat simulations to ensure employees are prepared to fight the war against cybercrime. By getting serious about security and by using technology, people and processes to fight the cybersecurity war, organisations can reduce the number of opportunities for people to make mistakes, and will therefore be more successful than they have ever been in the protection of critical data.

© 2024 Professional Security Magazine. All rights reserved.