Looking back to the first Verizon Data Breach Investigations Report some 13 years ago, the leading causes of data breaches were phishing and malware.
Fast forward to the present. What are the leading causes of breaches? Phishing, malware, password compromises, and data misuse issues.
Consider these two sobering stats: In the last 10 years, we’ve quadrupled security spend. And over the last 10 years, we’ve seen a eight-fold increase in confirmed breaches.
So not only have we spent much more money trying to prevent cyber incidents over the last decade, we’ve fallen further behind. And we’ve failed to make a dent in the biggest causes of cyber breaches.
According to this year’s DBIR, 85% percent of breaches in 2020 involved human error – and nearly two-thirds of major data breaches are tied directly to human risk factors.
The security industry has some of the smartest, most dedicated people in the world, yet we’ve largely given up on employees. That becomes obvious if we look at the approaches the cybersecurity industry has been taking for reducing human error, which largely fall into three buckets: awareness and training; user and entity behavior analytics (UEBA); and incident response (IR). Here’s a breakdown of the shortcomings of each approach:
Awareness and training
Training content has evolved from 60 minutes of annual training to monthly bite-sized videos. This training content usually gets coupled with phishing simulations in the hope that it builds resilience by improving end user habits for detecting phishing emails.
In most security programs, this is one of the least funded areas of security, primarily because the results aren’t measurable. Until now. Some of our recent research shows that awareness training programs and simulations have little effect on reducing organizational risk. Further, there’s no correlation between these programs and the real-world decisions that protect a company’s vital assets.
User and entity behavior analytics
UEBA technology analyzes user and system behavior to determine anomalous and malicious activity. It’s typically used on SOC and IR teams to help find bad actors in a corporate network, system or application using the NIST Cybersecurity Framework’s categories of detect, respond and recover. The UEBA market has evolved and getting better as more competitors jump into this category. However, UEBA clearly focuses on IR and it’s not proactive in dealing with the protection of the workforce.
A huge part of incident response deals with employee mistakes, whether it’s compromised passwords, phishing, malware, mishandling of sensitive data, or lost laptops. A member of the IR team at Salesforce – where I led the security and engineering teams – once spoke for many when he told me: “All we do all day long is clean up after users. Roughly 90% of our job deals with their mistakes.”
I’ve witnessed this constant hamster wheel of alerts and incidents – as soon as one incident has been addressed, there are already several more that require a response. It’s one of the most stubborn problems in our industry. Instead of focusing so much effort on being reactive, we need to re-invest in being proactive. We need to get in front of breaches before they happen.
NIST’s Cybersecurity Framework guidelines of identify, protect, detect, respond and recover are designed as a continuous process. What security teams learn from their alerts and incidents in the detect, respond and recover phase are fed back into identify and protect to continuously improve their programs.
The data collected from these incidents can help us proactively improve workforce security, giving us great visibility into human risk. If we can understand every user and their impact on company security, we can remain proactive in our approach, moving away from a one-size-fits-all security program to a tailored one that includes personalizing feedback and orchestrating controls based on individual risk levels. Meaning, let’s lock down only the riskiest folks.
This new approach to workforce security takes a complete look at the human attack surface – the sum total of people’s actions, access, and security controls that impact an organization’s cyber defenses. By gaining visibility into user errors –
such as who’s most likely to get an account compromised, fall for a ransomware attack, or lose sensitive data – we can begin to manage it and deploy controls and policies appropriate to their individual risk.
With the state of workforce security today, we have nowhere to go but up. After the last 10 years of spending more money on security technology without a major reduction in breaches, we need to finally tackle this last mile. Companies can start by gaining visibility into their human attack surface. Visibility leads to action. And taking action on workforce security will lead to better security outcomes for everyone.
Robert Fly, co-founder and CEO, Elevate Security