Tech development and Human 1.0
26 August 2016
While Human 1.0 has shown itself to be a highly adaptable species, it does take a little time and a lot of help, usually in the form of education.
And it is exactly that point that was being made by a cybersecurity expert in advising how to tackle the aftermath of a hack.
Tyler Cohen Wood spent more than a decade with the US Defence Intelligence Agency as a senior intelligence officer and deputy division chief for cybersecurity, and now works with companies to figure out what happened and batten things down after an attack. She warns that, as technical security measures become ever more effective, hackers are increasingly going after humans as the weak point in an organisation.
Hack the human
Cohen Wood points out that it is much harder to look for and exploit vulnerabilities in hardware, applications, platforms and operating systems than it is to simply trick someone into doing something that would allow an attacker access to an organisation.
This is not a new phenomenon, but it is an increasingly common one — one that needs to be addressed immediately.
Cohen Wood says that education is the best measure, with awareness programmes and training to ensure that users know what to expect and what must be done.
She makes good points about restricting information on a need-to-know basis, and about segregation to ensure that, once in, an attacker doesn’t necessarily have immediate access to the crown jewels. Again, all of this is sage advice. She goes on to emphasise the importance of executive buy-in too: C-suite support is key to fostering such initiatives and to having security taken to the heart of the way an organisation works.
However, an organisation is only ever made up of people, and there are far more people at the lower levels than there are at the top. To truly address the Human 1.0 element of the equation, more than education and awareness is needed. To truly tackle cybersecurity now, and tomorrow, user buy-in is necessary too, and it is arguably harder to achieve than buy-in from executives.
To have the average user invested to the point where they are vigilant and alert to threats, they must be convinced of the benefits of staying secure. They must be made aware that if they are the cause of, or a major contributor to, a breach, even through inadvertence, this may be an albatross that hangs about their neck for many years to come.
Not only that, but in the event of a major breach, especially one made public, such as under the new disclosure rules in the GDPR, the very organisation may be under threat, and with it their job.
The consequences of an attack need to be communicated to users, not just in terms of the organisation and the law, but also in human terms to the humans involved. This is especially pertinent when so many of the successful attacks are now based around information gathered through social media. Users can have their personal information, as revealed through social media, ruthlessly used against them in a carefully crafted targeted attack. That alone can be quite a harrowing experience.
I am not advocating the fear approach, but realistically portraying what can happen in such instances will surely galvanise users into more responsible behaviour once the potential consequences, across the board, are fully described.
And finally, another issue worth mentioning from the human side is victim blaming. From both the organisation’s and the individual’s perspective, victim blaming is a negative, but all too frequent, response to a cybersecurity incident. As has been shown in other areas of law enforcement, victim blaming can lead to under-reporting or non-reporting, as well as a reluctance to give the details of incidents needed to support a full investigation. If someone feels they will be blamed, they will not volunteer information, and a potential opportunity for early identification is lost.
So while Cohen Wood makes some good points about handling a hack, the human element, I would strongly argue, needs more work from the human perspective to keep people and organisations safe in this and the next cybersecurity landscape.