The Human Factor: Five Misconceptions Concerning Cybersecurity

The latest installment of Microsoft Office’s Modern Workplace webcast focused on the human side of cybersecurity.  On hand were two noted panelists to discuss this emerging angle of cyber preparedness.  Dr. Jessica Barker, Cyber Intelligence Advisor, and Phil Ferraro, CISO at Nielsen, highlighted that social engineering is nearly always leveraged in cyber-attacks.  In fact, the webcast panel stated that 95% of all cybercrime emanates from some form of a breakdown of the interaction between humans and technology.

While the human factor can be viewed from two sides, such as a system misconfiguration or failed patch management, the most prominent faults from the human side arise from users simply clicking on links that should be avoided.  Thus, cyber criminals have played against our better natures by using psychology to manipulate us into taking actions that are detrimental to technical systems.  The discussion focused on ways in which cyber awareness training can be used to mitigate threats.

The myth that technical answers can respond to and defend against every cyber-attack was directly challenged by the panel.  As a result, five key points were given that challenged the belief that technical solutions can stand alone against a cyber-attack.  These five cybersecurity myths clearly involve shortcomings or misconceptions in human thinking.

  1. Cybersecurity is an IT function. It is safe to say that this was the overarching theme of the webcast.  The panelists encouraged end users to think of cybersecurity as a risk to the overall course of business rather than simply viewing it as the realm of the IT department.  Simply put, everyone has a role in advancing digital security.
  2. We’ve never had a breach, so we never will. This challenges the mindset of end users to think in terms of an ongoing defensive cyber posture. There’s no room for complacency in cybersecurity.
  3. We’ve invested a great deal of money, so we are secure.  Surprisingly, money is not always the answer.  In fact, there are many best practices to be employed that cost nothing to implement.  One such item is simply to pause and think before you click.
  4. We’re 100% compliant, so we must be 100% safe.  Compliance should never be confused with complete security.  Satisfying government mandates does not always equate to a hardened defense on the cyber front.
  5. We’re small – no one will come after us. Flying under the radar is no longer a sound strategy, as hackers have recognized that small often means fewer defensive measures are in place.  A short amount of research will indicate that SMBs have become ripe targets.

If you missed the Modern Workplace webcast, you can view it here. New episodes also air frequently. You can reach the panelists via Twitter: Dr. Jessica Barker, Cyber Intelligence Advisor, @drjessicabarker, and Phil Ferraro, CISO, Nielsen, @philferraro914.

Please note: this is a Microsoft Office-sponsored post.

Kenneth Holley, Founder & CEO (@kennethholley) - full bio.

The Year of the Human: Merging Technology and Cyber Education

If you’ve ever been to a Chinese restaurant with paper placemats or just happen to be an amateur authority on Chinese folklore, you probably know that 2017 is the ‘Year of the Rooster’.  Comparatively speaking, if the world of technology had astrological divisions, we would discover that 2017 is shaping up to be the ‘Year of the Human’.  If we can learn anything about data security from our lucky rooster friends, it is their propensity towards resourcefulness and frank discussion - that may help us collectively during this ‘Year of the Human’.

Regardless of whether you’re a rooster, a rabbit, or a rat, if there is one thing that 99.9% of us hold in common it is our mutual dependence on technology.  Hopefully, you’ve seen the signs of the times and know that cybercrime is a serious threat to both our personal and business data.  Virtualized criminals have had the capacity for some time to wreak havoc and pillage our data without having to depart from their own familiar surroundings.

Thus, cybersecurity has evolved into a cat and mouse game of one-upmanship, where depending upon one’s allegiance, either side can be proactive or reactive to developing threats.  For the good guys, despite our best efforts in attaining success and security, definitively safeguarding data remains an elusive and ongoing technological goal.

Enter the ‘Year of the Human’!  As cybersecurity experts rightfully pivot and adapt to ongoing cyber threats, we have absorbed the fact that firewalls and endpoint security may never be wholly adequate on their own in securing our data.  After all, human interaction with technology is both its purpose and inevitable.  Just as technology is a tool for humans, security itself must account for and adapt to the inevitability of human error.  In response to this reality, cyber awareness training, what I like to call a behavioral firewall, becomes an obvious necessity that coincides with our best technological efforts to combat digital crime.

With social engineering now delivering ransomware – fueled by our propensity to click on links we shouldn’t – keeping your data secure becomes even more challenging.  Security teams can no longer afford to rely solely on their technical toolkit to keep your data safe.  Five years ago, Techworld.com reported that 91% of cyber-attacks began with a spear phishing email.  There are two truths to be gleaned from this report.  First, the problem has not improved with the passage of time.  Second, for these attacks to succeed, someone had to click on something that was best avoided.  Thus, we must realize that our best efforts in achieving broad security must encapsulate both technology and cyber awareness training for humans.

In the end, it doesn’t matter what your sign is, because we hold our humanity in common.  We all make mistakes, and if learning to avoid common missteps hastens us to enhanced security, then let’s embrace the ‘Year of the Human’ and train ourselves to be hardened targets against the worst of human behavior.  Together, we will learn that a well-rounded security structure is the combination of technology and education which reduces complexity and builds confidence in our combined efforts.

For more on the human element of cybersecurity, I would like to encourage you to register for Season 3, Episode 7 of Microsoft Office’s Modern Workplace webcast series, which airs on March 7, 2017 at 8 AM PST / 4 PM GMT.

Please note: this is a Microsoft Office-sponsored post.

Kenneth Holley, Founder & CEO (@kennethholley) - full bio.

It Can Happen to You: Preventing Data Breaches

Call it the basics of individual psychology, human nature, or, for those that still cling to it, wishful optimism: humanity tends to suffer from an “It won’t happen to me” syndrome.  Of course, we all know this rosy malaise and the potential danger it presents to us as our confidence morphs into overconfidence and hubris.

Despite our best intentions and positive thinking, negative events do transpire from time to time, both personally and professionally.  We must additionally acknowledge that these events range from the inconvenient to the catastrophic.  While I would never suggest that we exchange our optimism for the doldrums of negativity, this potential flaw within our temperament should push us to preparedness.

As you might expect, cybersecurity is no different in this regard.  After years of publicity, heightened awareness, and headlines, it is likely safe to say that most companies do not believe a data breach will happen to them.  It is always someone else’s problem.

The recent Office Modern Workplace webcast series explored the development of cyber intelligence and preventing data breaches from a proactive perspective.  The content of the live event (recorded, if you weren’t able to make it) expertly reveals that there is a much better place to operate between the bookends of blissful ignorance and certain doom.  To that end, two leading CISOs who’ve been in the cyber trenches for some time dispensed actionable advice.

Regardless of size and focus, every company must develop a culture of security awareness.  This point requires that those responsible for cybersecurity play an active role in shaping the culture of their organization.  This includes educating executives on threats and security practices, learning from experiences and hacking incidents, no matter how trivial they may be, and demonstrating tangible technological advances from your firm’s investments.  When these steps are implemented and promoted, a culture of realistic preparedness can rise out of an environment of unawareness and naiveté.  The takeaway here is that cybersecurity cannot be solely the responsibility of one person or department.

In creating a security conscious culture, the Office Modern Workplace panel acknowledged these environments will not mature without a plan, which means that employee education must be foundational to this process.  This theme involves investing in one’s team to build a common community with security and cyber awareness in mind.  Essentially, without education, an “It won’t happen to me” mindset will remain the vulnerable status quo.

Finally, the panel identified threat intelligence as the must-have missing piece to an increasingly complex security puzzle.  Part of the above-mentioned psychological syndrome involves sticking one’s head in the sand and hoping for the best.  Via cutting-edge threat intelligence, Microsoft Office has created a solution which anticipates breaches by looking forward, reading technical tea leaves, and providing a path of avoidance and recovery when what we don’t want to happen, happens.

Yes, a breach can happen to you, but you can maintain business continuity with proper preparation.  More appropriately, you can make a breach less likely by taking proactive steps toward the ever-shifting target of cybersecurity.  Our mindset must evolve from “It won’t happen to me” to “It may happen to me, so I’d better be prepared.”  In doing so, we can work to keep that which is inconvenient from becoming catastrophic.

Vanessa Pegueros, CISO at DocuSign, and Mike Convertino, CISO at F5 Networks, participated in the webinar discussion on February 14, 2017.  The full presentation, "Cyber Intelligence: Help Prevent a Breach", can be found at modernworkplace.com. You can follow the presenters on Twitter: @vrpegueros and @F5Networks.

Please note: this is a Microsoft Office-sponsored post.

Kenneth Holley, Founder & CEO (@kennethholley) - full bio.

While Nero Fiddled: Practical Advice on Preventing Data Breaches

In 1736, house fires were a dangerous epidemic for early colonial Philadelphia.  In fact, solving the problem of quickly built, slipshod wooden structures becoming a conflagration of ember and ash was a pressing dilemma.  At the time, Philadelphia’s most famous resident, Benjamin Franklin, organized the first fire department within the city.  Nearly 20 years later, Franklin spearheaded the development of what we today refer to as homeowner’s insurance.  All of this is the precursor to a quote we all know, but may not attribute to Franklin: “An ounce of prevention is worth a pound of cure.”

It can be said that cybersecurity and data loss prevention are to us today what house fires were to Franklin and Philadelphia 250 years ago.  To wit, cybersecurity is a problem that no one has yet fully solved - leaving governments, enterprises, and the IT industry as a whole to search for the Benjamin Franklin of information security.

Whatever the ultimate solution to hacking and data loss may be, you can be certain that taking the steps necessary to prevent data theft is much preferred over working to recover from it.  While both sides of this battle present unique challenges, preventing the loss of data for thousands of customers doesn’t make national headlines – it’s the bad news that draws attention, and yes, even lawsuits.

While industry experts search for our pound of cure, here are some doses of prevention which just may save you from spending your hard-earned Ben Franklins on recovering from a hack and subsequent breach.

  1. Allow me to share three words with you: Training, training, training.  House fires don’t burn wood, they destroy homes.  Hackers don’t attack technology, they target people.  If those facts are true, and they are, then security starts with the people who use it.  As much as technology plays a role in cybercrime, social engineering plays a larger role.  We can say that both emphatically and empirically because today, email represents the most common attack vector.  It is our own inclination to click and to trust that opens our technology to an attacker’s flaming arrows.  The antidote is training, which keys users in to the tools hackers use and educates them to stop clicking and trusting every item arriving in inboxes and popping up on screens.
     
  2. Yes, I am going to say it: We are still talking about passwords.  This may be the point that everyone knows, but few follow through on.  Suffice it to say, while recycling may save the environment, recycling your passwords isn’t very wise.  In reusing the same password time and time again, we are inviting account compromise.  The best practice is to use a strong, unique password for each site.  Yes, keeping track of it all is challenging, but there are many excellent password management solutions available. Choose one, so we can stop talking about passwords. Please!
     
  3. Lastly, secure your devices.  This step involves keeping operating system software up to date, implementing quality endpoint protection, and deploying sound perimeter security.  Consider evaluating “perimeter in the cloud” solutions such as Zscaler.  I should add, don’t be afraid to find a trusted technology advisor to help you navigate the technical side of this maze.  For more help on this front, you can also visit StaySafeOnline.org.

For a more in-depth discussion on this topic, register for the Microsoft Modern Workplace webcast, “Cyber Intelligence: Help Prevent a Breach”, being held on February 14, 2017.

Remember, while Nero fiddled, Rome burned, so complacency invites disaster. While cybersecurity and protecting your business may seem overwhelming, achieving a solid and ongoing security posture is possible with a logical and systematic approach.  As noted cybersecurity and data privacy attorney Shawn E. Tuma (@shawnetuma) frequently reports, “An ounce of prevention is cheaper than the first day of litigation.”

Please note: this is a Microsoft-sponsored post.

Kenneth Holley, Founder & CEO (@kennethholley) - full bio.