Welcome to the second part of the series on Cybersecurity: The Human Factor. In Part 1 we talked about the fact that attackers constantly consider the human factor when developing and executing attacks. In this part we are going to examine the human factor from the defender’s perspective and explain why accounting for it creates a more secure environment.
As mentioned in the previous article, even nation state actors and Advanced Persistent Threats (APTs) have real people behind them, and these people are operating on all too human motivations such as financial gain, revenge, or the desire to weaken others. As a defender it is vital to remember the human factor on the employee side of things, because the attackers haven’t for one moment forgotten that behind each defense is a human being with all the inherent shortcomings. Successful attack campaigns leverage this fallibility in order to succeed. This is exactly why phishing is such a successful attack vector for malicious actors.
To better understand your employees, it’s important to examine the motivations of the people within the organization. For most people, this motivation is to perform their job. Whether that comes from a desire to do a good job, from financial motivation, or from fear of losing the job does not matter. What is important is that they wish to perform their tasks within the organization as quickly and with as little pain as possible. This leads to the next very human aspect of your employees that it is important to understand: laziness. Whether dressed up as efficiency or disguised as reduction of obstacles, ultimately people want to accomplish their goals and will do anything they can to reduce the headache associated with accomplishing them. By understanding that humans are inherently lazy, you can examine your current security program through the lens of a user and identify where it creates unnecessary obstacles to performing daily tasks. In other words: is the implementation really seamless? Every control that gets in the way invites a workaround (a password on a sticky note, a file emailed to a personal account), and each workaround is a gap the attacker did not have to create. By doing what you can to integrate security into the organization without hindering employees’ workflow, you are more likely to have an organization that responds positively when actual effort is required, such as getting employees to report phishing emails.
One common mechanism that is included with every operating system and most network devices is the Access Control List (ACL), together with the user and group model it is built on. It is considered best practice to divide personnel into roles based on what they actually need access to, and to grant nothing beyond that. For example, the sales team has no need for administrative access to their workstations. By not granting it, you limit the options available to an attacker, and the potential damage to the organization, in the event that a user makes a mistake (such as opening a malicious attachment from a phishing email): code running as a standard user cannot, without a further privilege escalation, install drivers, disable endpoint protection, or change system-wide settings.
This is just one small example of using security controls to compensate for the shortcomings of human beings, ensuring that even when they fail, the damage is limited in scope. One of the advantages of ACLs is that, if properly set up, they are invisible to personnel performing their day to day tasks: a sales representative who never needed administrative rights will never notice they are missing. The converse is also true, so the configuration has to be verified rather than assumed, because admin rights granted "temporarily" for a software install tend to be forgotten and quietly persist.
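The check described above, as an added example that is not part of the original article: a PowerShell script that audits the local Administrators group on a Windows workstation against an approved list and flags anyone else (a sales user added for a one-off install, for instance). It assumes Windows PowerShell 5.1 or PowerShell 7 with the built-in Microsoft.PowerShell.LocalAccounts module; the approved principals listed in it are hypothetical placeholders for your own standard.

```powershell
# Added example, not code from the original article.
# Audits the local Administrators group against an approved list and reports drift.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+ / PowerShell 7).

# Hypothetical approved list. Get-LocalGroupMember reports local accounts as
# COMPUTERNAME\Account and domain principals as DOMAIN\Name, so match on that form.
$Approved = @(
    "${env:COMPUTERNAME}\Administrator",   # built-in local admin (manage its password with LAPS)
    'CORP\Workstation Admins'              # hypothetical domain group for IT support staff
)

# Enumerate current members: users, domain groups, and orphaned SIDs all show up here.
$Members = @(Get-LocalGroupMember -Group 'Administrators')

# Anything not on the approved list is drift from the least-privilege baseline.
$Unexpected = @($Members | Where-Object { $Approved -notcontains $_.Name })

if ($Unexpected.Count -gt 0) {
    Write-Warning "Unexpected members of local Administrators on ${env:COMPUTERNAME}:"
    $Unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

    # Remediation is left commented out so the script is read-only by default.
    # Run with -WhatIf first to see what would be removed before enforcing it.
    # $Unexpected | ForEach-Object {
    #     Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
    # }
    exit 1
}
else {
    Write-Output "Local Administrators on ${env:COMPUTERNAME} matches the approved list."
    exit 0
}
```

Run it as an administrator (reading the group works as a standard user, but removal does not), and schedule it or push it through your endpoint management tool so the check is routine rather than a one-time cleanup. The non-zero exit code lets a scheduling or compliance tool treat drift as a failed check, which is the point: the control should surface violations on its own rather than rely on someone remembering to look.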
At the end of the day, security isn’t about technology in and of itself. Technology is a tool that is used to help us accomplish the goal of protecting an organization from threats and thereby reducing its risk. This technology can be better utilized when you consider both the security needs of your organization and the human factor of the equation. By understanding that attackers are humans as well, with all too understandable motivations and goals, you can better identify the places in your security that they are likely to target. By reducing the chances for employees to make mistakes, and limiting the damage when they do, through properly implemented technology, you increase the overall security of the organization. By implementing this technology as seamlessly as possible, you reduce the headache for employees trying to perform their daily tasks, and with it the chance that they look for a workaround to your security measures in order to get their jobs done. Security isn’t just about technology, it’s about people too.