Security

When IT doesn’t get it

Security depends on users more than on systems to work, says Billy MacInnes

20 May 2022

IT security. Sometimes I think that if I wanted to I could write about IT security every day of the year and still not cover it all. Not that I want to write about IT security every day, you understand, although I’m sure there are people who do. But it says something about the state of IT security that I could. To be clear, what it says is not good.

From a very simplistic point of view, you would be forgiven for believing that the more pervasive technology becomes in our work and our daily lives, the more insecure it makes us.

Take ransomware, for example. How on earth did we get to the point where an organisation, a bank, a hospital, a national health system even, can be paralysed and held hostage because someone clicks on a dodgy link in their e-mail? 


When you look at it from the outside, it seems completely insane that so many governments, state bodies, semi-state bodies, financial institutions, businesses and ordinary people have made themselves so vulnerable and so open to being compromised merely by adopting technology more widely. Think of it in terms of cause and effect. If using more IT can make you more vulnerable to far more serious security breaches with potentially catastrophic consequences for your business, why would you willingly agree to spread it further throughout your organisation? 

Obviously, there are major benefits to be gained from using IT including greater efficiency, improved performance, better and more informed decision making, faster communication and reduced costs. But some of those enhancements also make things easier for criminals and malicious actors to damage your business. Let’s not forget, they’re using IT too and they’re getting a lot of the same benefits from it.

One of the biggest areas of vulnerability that those malicious actors target is where IT and humans intersect. Just a couple of days ago, for example, I received an e-mail with the headline “Employee negligence revealed as biggest cause of business data loss”. It concerned a report from Ponemon Institute and Tessian which found employee negligence accounted for 40% of data loss incidents over a 12-month period.

The report revealed that e-mail was the riskiest channel for data loss in organisations (65%) and nearly three-quarters (73%) were concerned employees “do not understand the sensitivity or confidentiality of data they share through e-mail”. Almost a quarter (23%) experienced up to 30 security incidents involving employee use of e-mail every month.

Cyber criminals and malicious actors target the point where people and technology intersect because they understand that is an area of great vulnerability. Why? Because they are people themselves and they appreciate how to target fellow human beings who are using the technology so they can subvert it. Most people don’t understand that a lot of the benefits provided by the technology they are using are also potential points of attack. 

This isn’t their fault. If we take the e-mail example, it has become ubiquitous because it is such an effective channel of communication and so much faster than traditional post. But that is also where it represents the greatest threat. The difficulty is that, for the most part, people were sold the benefits not the risk. Also, because it’s a technology issue, they understandably expect those risks and threats to have been nullified and blocked by the technology itself or the IT department. They don’t really get why it should involve them.

To put it glibly, people who use technology don’t fully understand it and those who make the technology don’t fully understand people. That’s why IT security often isn’t just IT but more a case of ‘people using IT’ security. Or even, ‘IT not getting people’ security. No wonder there’s so much to write about.
