Behind nearly every cybersecurity incident there’s a person who was either unwittingly duped or with malicious intent breached an organization from the inside. But as the rich array of experts in the Awareness, Decisions & Devices: The Human Layer of Security track at InfoSec World 2020 can attest, it’s possible to boost awareness and spark the kind of cultural change needed to bolster human-based security.
As Malcolm Harkins, chief security and trust officer at Cymatic, says, people are the perimeter. Managers, developers and business leaders so far have not adequately protected the perimeters that are left, Harkins says, noting that hygiene – device, data and credential – has lagged usage models.
Current approaches for awareness, accountability, and discipline for users, he contends don’t work and may instead raise cyber risk.
Organizations can understand the perimeter, Harkins says, when they understand motives and the economics of the issue, frame risks better and understand control friction and design to use it properly.
Despite the resources companies have put into training employees and raising awareness, social engineering still works – alarmingly well.
Just why that's so depends on a number of factors. Six principles influence why people say yes – reciprocity, scarcity, authority, consistency, liking and consensus – according to Microsoft Cybersecurity Field CTO Diana Kelley and SecurityCurve Founding Partner Ed Moyle in their session, "The Psychology of Social Engineering, The 'Soft Side' of Cybercrime.
Organizations can leverage those same principles to raise awareness and thwart the effectiveness of social engineering, though. The duo identifies numerous ways to model the right behavior, including asking staff to commit to “security principles,” offer giveaways in exchange for “security commitment,” get senior management to provide a statement about security, cultivating “customer facing” behavior and “internal consulting” mindset and highlighting positive security behaviors among other employees.
Rex Sarabia, security awareness program manager at lululemon, offers an intimate look at how his company raised awareness in “How-to: Cybersecurity Awareness, Building an enterprise security awareness program from the ground up.” He speaks of the company’s ultimate mission to “elevate beyond ‘compliance’ to ‘culture.’”
And, again, despite investments, organizations find it difficult to respond quickly to incidents – when quick response is key to mitigating the damage – and cost – of a breach. “The faster a data breach can be contained, the lower the cost and impact to your business,” says Anthony Fox at F-Secure Countercept. Continuous response, he explains, can improve response by advancing incident response from a post-mortem scenario, enabling live containment and remediation, preventing attackers from accomplishing their mission and protecting business from the effects of a cyberattack.
But moving an organization in the right direction requires security cultural change, according to Fox, whose session, "Security Culture Change," will offer a recipe for invoking that change, including weekly posts, semimonthly articles, monthly phishing and follow-up comms, and quarterly events such as drop-ins, live events and S&P brown bags.
