Soft and Chewy on the Inside: How to Strengthen Your Human Firewall
Office of Personnel Management, SONY, Target, Anthem. Most regular news readers will recognize these companies as the victims of successful malicious attacks culminating in data breaches of unprecedented magnitude.
But the majority of us are unfamiliar with the trials and tribulations suffered by the senior leadership of these corporations. Did they fully understand the threats facing them and the vulnerabilities in their corporate environments? Or did they misperceive the risks of being exposed in cyberspace?
In 2015 alone, over three-quarters of a billion financial records have been breached. The website InformationIsBeautiful.net delivers a not so beautiful infographic depicting the worldʼs biggest data breaches over the last 10 years. It reveals a billion records breached in that time period, beginning with the 2004 breach of 92 million records by a malicious insider at AOL.
Surely these incidents reveal some failures in technology, but many of the companies breached were “hard and crunchy” on the outside, with state-of-the-art intrusion prevention systems, next-generation firewalls and other modern technical controls.
Like their peers, they never realized that machines cannot protect against the wiles of the human attacker.
Itʼs true - the machines of today cannot yet apply non-linear thinking to an incomplete picture to develop a reasonable hypothesis. Human analytical capacity via the “Human Firewall” is still the most effective weapon in a companyʼs security arsenal.
The breached companies all shared one common weakness: They were hard and crunchy on the outside - but “soft and chewy” on the inside. They were reliant upon technical or machine controls to protect their companies against human attackers.
Somewhere in the data breach equation, the human firewall failed. Invariably there were end-users who clicked the link, downloaded the malware, fell for the tactics of the social engineer, or inserted the infected USB drive. Some events, initiated by malicious insiders, were even ignored or simply overlooked by trusting co-workers.
The fact is, every company is either waiting for a breach to happen, or is in the middle of a breach they know nothing about. The aware leader knows that itʼs a matter of “when” the breach will occur, not “if” it will occur.
The question many companies need an answer to is: “How do we create a culture of security awareness that activates the human firewall of our end-users so they remember that they are the critical component to our security programʼs success?”
The answer lies in the understanding of risk, vulnerability and threats by the senior leadership. Security culture is built from the top down. Like our children who do NOT do what we tell them but instead DO what they SEE us do, end-users follow the security culture demonstrated by their senior leaders.
Leaders must be able to correctly perceive risk and lead their teams in the conversation about “Where are we most vulnerable?”, “What are we doing about it?”, and “What risk are we willing to accept?”
Smart CISOs at some of the Fortune 500 and 100 companies are sending their awareness teams to brainstorm with their peers at the IASAP, a gathering of security awareness peers dedicated to sharing best practices in creating security culture.
For more information about this dedicated team of professionals who help organizations build a network of security awareness support resources, visit www.IASAPgroup.org.
Be CyberSAFE at Home, at Work and at Play
Internet users worldwide are investing millions in the latest and greatest antivirus software to protect their data from human attackers.
While they grow steadily “hard and crunchy” on the outside, they become “soft and chewy” on the inside as the human firewall fails and allows the attackers in. End-users have been victimized for billions of dollars in internet scams over the past decade.
As we anticipate the emergence of malicious Artificial Intelligence code, the truth is beginning to be revealed: a machine cannot provide adequate protection against a human or AI adversary. The community is in a unique position to ensure that our neighbors and our families are aware of, and protected against, internet-based threats.
CyberSAFE Certification training is a unique new class for the non-technical that offers attendees a certification in 4 hours.
It covers the Need for Security, Securing Devices (like smartphones and computers) and Safe Online Browsing.
Contact me for more information on Live or Virtual CyberSAFE training.