Use IT or lose IT
The great virtue of the general purpose computer, particularly the networked computer, is its flexibility, but this is also its greatest flaw. To call computers ‘broken by design’ is only a slight exaggeration, and the development in the consumer space of locked-down devices, such as Apple’s iOS phones and tablets, shows precisely where the problem lies: users.
The price of flexibility is openness, and open systems will always be vulnerable to attack through misuse by their users. And this is precisely the problem: the best security measures in the world will fail if users routinely breach security policies.
Ivan Quill, pre-sales technical architect at Integrity360, says that this is not unknown in industry.
“What we see is that there is more of an acceptance that the human is the weak point. We can put in more defences, but the human remains the weak point,” he said.
Quill says that one often overlooked aspect is that as the complexity of the hacking threat increases, specialist knowledge is needed.
“A few years ago, any clued-in person could work it out,” he said.
The professionalisation of cybercrime means that skill levels have increased on the attackers’ side, requiring a commensurate improvement on the defensive side.
“They would look at an incoming e-mail and see a link in it, but the dodgy URL would give it away or perhaps the language would be wrong. That’s all cleaned-up now.
“Now, even myself, I find it can be very difficult,” he said.
The answer, he says, is regular but incremental training.
“In terms of training, the only thing is to continually keep doing it, to bring it up a bit at a time. It really comes down to constant, constant training. In my view it’s about repetition,” he said.
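To make Quill's point concrete, here is an added example (not code from the article or from Integrity360) of the link-level tells that awareness training once relied on: anchor text that names one domain while the href points at another, a raw IP address as the host, a punycode host, and a host that folds into a trusted brand once look-alike characters such as "rn" for "m" are normalised. The trusted domain, the two e-mail bodies and the flag names are all constructed for the example. Run against a crude phish and a polished one, it shows exactly what he describes: the crude message lights up on several heuristics, while a well-written message on a plausible but unrelated domain raises none.

```python
"""Link heuristics that awareness training used to lean on (added example).
Assumption: the organisation's trusted domains are known; everything below
is constructed for illustration, including the reserved .example/.test hosts."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hypothetical domains the organisation treats as its own or its bank's.
TRUSTED_DOMAINS = {"acmebank.example"}

# Visual substitutions commonly used in look-alike domains (order matters for "rn").
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Crude registrable-domain extraction: the last two labels of the host."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def fold_confusables(label):
    """Replace look-alike character sequences with the letters they imitate."""
    for lookalike, real in CONFUSABLES.items():
        label = label.replace(lookalike, real)
    return label


def link_findings(text, href):
    """Return the list of heuristic flags one link raises (empty = nothing obvious)."""
    flags = []
    host = (urlparse(href).hostname or "").lower()
    if not host:  # mailto:, relative links, etc.
        return flags
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw-ip-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    # Anchor text that looks like a domain/URL but the href goes elsewhere.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        flags.append("text-href-mismatch")
    # Host that contains a trusted brand once confusables are folded, yet is not that domain.
    if registrable(host) not in TRUSTED_DOMAINS:
        folded = fold_confusables(host)
        brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
        if any(b in folded for b in brands):
            flags.append("lookalike-domain")
    return flags


def scan_email(html_body):
    """Map every href in the body to the flags it raises."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return {href: link_findings(text, href) for text, href in collector.links}


# Constructed sample 1: the "old-style" phish, poor language plus obvious link tells.
CRUDE_PHISH = (
    '<p>Dear custumer, your acount is suspend. Click '
    '<a href="http://acrnebank.example.login-verify.test/x">https://acmebank.example</a> '
    'or <a href="http://203.0.113.7/secure">acmebank.example</a> to restor.</p>'
)

# Constructed sample 2: fluent text, plausible unrelated domain, nothing for the heuristics to catch.
POLISHED_PHISH = (
    '<p>Hi Sarah,</p><p>As discussed on the call, the updated remittance form is on the portal: '
    '<a href="https://vendor-remittance-portal.test/forms">view the form</a>. Thanks!</p>'
)

if __name__ == "__main__":
    for name, body in (("crude", CRUDE_PHISH), ("polished", POLISHED_PHISH)):
        print(name, scan_email(body))
```

The polished sample passing cleanly is the point: once the spelling, grammar and link hygiene are fixed, the URL no longer gives the game away, and the decision falls back on the recipient recognising an unexpected request, which is what the training has to build.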
Security and compliance
Security and compliance are related but arguably separate issues; in both cases, however, user awareness training has a role to play in protecting the business and its customers. And, of course, flawed security will soon lead to data protection compliance issues.
“There are two aspects to security: one is protecting the data and systems—and reputation—from cyberthreats. The other is the legal side,” said George O’Dowd, managing director of Novi.
“When you look at that, the mechanics of how you achieve it, one way is through technology: putting the right firewalls, patch management and so on in place. The other is processes and people.”
The two need to be properly married, he says, particularly in light of growing compliance issues.
O’Dowd says that if you stop to think for a moment, it soon becomes clear that confidential data is handled in a cavalier fashion.
“You check into a hotel and you give them your passport to photocopy or scan. What happens to it? Where is it stored? People need to be aware of it. Is the receptionist aware that it is very sensitive information?”
Surprisingly simple things can be done, he says, in order to mitigate risk; the problem is that they will not be done if users do not think about them.
“Say you work in accounts; if somebody sends you a notification e-mail saying ‘We’ve changed our bank account details’, pick up the phone and check with them.
“To some degree, the technology fails them [but] what I [also] see is an element of breach fatigue creeping in. Users are sick of hearing it. It all boils down to the business owners: users need to be constantly trained, and made more responsible. It can’t just be: ‘It’s IT’s job to keep us secure’. It’s an end-to-end thing,” he said.
In the here and now, however, questions remain as to whether user awareness training is being taken seriously—and not just in Ireland.
In fact, the 2016 (ISC)² Global Information Security Workforce Study found a declining emphasis on user awareness training over the years.
One suggestion is that the reason for this is that, given the global skills shortage in IT security, the focus has simply shifted to getting the right technologies and policies in place. Still, this poses the question: what use is the latest technology or the right policies if users remain blissfully unaware of them?
In light of this, it should follow that user awareness training is front-and-centre in any business’s security and compliance policies, and yet it rarely is. A further problem is that, even when training is provided, bad behaviours creep back in.
One problem is that user awareness training is, on the whole, tedious.
As with most IT tasks performed by non-IT staff, there is a general sense that security is someone else’s problem. Add to this a pervasive — and growing — sense of security fatigue and you have a clear recipe for breaches.
Targeted and relevant
Stephen Scott, senior manager at BSI Cybersecurity, says that a key objective is to ensure that the training is relevant and targeted.
“For example, with the GDPR, anyone who handles personal data is mandated to do a training course on an annual basis. For a normal, say bank teller, online training would suffice, but as you move up the responsibility chain the training needs to be commensurate with the role,” he said.
Scott says that the best way to think about security policy is to focus on the business objective—compliance—and then break the security itself down into three types.
“You need administrative controls, you need management controls and you need technical controls.”
Staff should be clearly informed that breaching policy will result in censure, he says.
“A management control would be a repercussion for doing something that runs counter to company policy,” he said.
But what of the fact that, oftentimes, people simply do not want to go on training courses, or, if they do, they may not pay attention?
Stephen Burke, founder and chief executive of Cyber Risk Aware, says that the approach to user training has hitherto been the problem.
“It has tended to be once a year, very long-winded, with people playing Candy Crush. The content and quality was [on the whole] poor. It was [both] too general and too boring. People would switch off after eight or nine minutes,” he said.
“The whole reason people would do it is to tick the box.”
For Burke, the answer is a complete re-think of how training is provided, with an emphasis on training that is simple, short and doesn’t come to be seen as a tedious distraction from work.
“The whole company has been developed around ‘how can we do small and often’, and do it in ways that people can use in their personal lives,” he said.
“Our security videos never last more than a minute and our courses never last more than eight [minutes]; you can deliver a course over twelve to 24 months, delivering a topic over three or four sessions.”
The goal is, he says, to re-insert human intelligence into IT processes.
“I’m sick of people talking about artificial intelligence and machine learning, and all the jazzy new technologies out there. It’s all tech-tech-tech… We are people and we are interacting with complex networks: they’re neural things, they’re living and breathing, and computers, too, are doing their own things. Humans are involved, and this leads to human error,” he said.
It is a view shared by the so-called ‘people hacker’ Jenny Radcliffe.
Radcliffe, who specialises in understanding human interactions, says that recognising the potential for human behaviour to become a problem is essential, but this alone is not enough.
“There’s a lot of talk in security [circles] about ‘people being the weakest link’, and that kind of thing. The problem is that doesn’t really help when you want people to behave more securely or become a link in the chain,” she said.
“Most attacks, even phishing, do involve a human. [Typically] we keep the human and the technical side separate, but, in fact, we need to bridge that gap.”
Radcliffe’s strategy is to get people to think in terms that they can relate to from their own lives, and from the material world rather than the digital.
“Security is quite boring and it’s inconvenient. We shouldn’t underestimate the power of people ignoring things. There is also security fatigue. People are fed up with being told, and it isn’t working [anyway], as people still click on the links and fall for the scams; we really need to engage with people and get them involved.
“Often, I’ll say to people ‘this is the type of scam; what would work in your workplace, how would you deal with it?’ If you don’t get the imagination going and have people feel like they’re part of the solution [then] it won’t stick. If you want it to stick you need to get them involved,” she said.
“People can imagine a con artist, or someone trawling their social media for clues about them. When they are thinking like that, it’s easier to get them to think in a more secure way.”