Understanding motivation is critical to mitigating cyber threats

Companies should aim to enhance the privacy of employees while protecting corporate data


Employees often are seen as the weakest link in cybersecurity. Breaches by hackers may hit the headlines, but human error (or intent) is responsible for the majority of attacks.

IBM's 2016 Cyber Security Index reported that insiders carried out 60 percent of all attacks. Three-quarters of these attacks were malicious, and a staggering 25 percent of breaches were accidental.

Richard Ford, Forcepoint Security chief scientist

I took the opportunity to sit down with Richard Ford, chief scientist at Forcepoint Security, at Black Hat 2017 in Las Vegas. The notion of understanding human behavior and its role in cybersecurity was the topic of our discussion, and you can find the key takeaways below.

Look at the why, not the what. We're great at focusing on what is happening within our network and capturing every single event. What we're bad at doing is talking about the why, which is often much more significant. It's time companies think about what the actor, whether an outside attacker or an insider, is trying to accomplish. Why did that file get moved? Why did that data loss prevention (DLP) event occur? Mitigation depends on the why: you'd mitigate an accidental data breach very differently than an intentional one, because the first calls for a nudge or a safer default and the second for containment and investigation. The why is rarely visible in a single event; it has to be inferred from context such as what data was touched, by whom, how often and what happened next. When companies move toward the why, they can start to mitigate much more effectively.

Reduce the friction caused by IT security. A lot of security measures aren't successful because they create friction for users. Currently, we see security's role as protecting the business. In the future, we will see it as a way to enable business to be done safely. For example, to stop restricted files from leaving company servers, most firms would turn off universal serial bus (USB) access. But that creates friction. Instead, the file should be seamlessly and silently encrypted so that it will only decrypt if it is loaded onto another company device. It's the same level of protection against the file being read off the stick by an outsider, but with far less friction, provided the keys really do stay only on managed devices. The more seamless security is, the more people will buy into it.
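The transparent encryption described above, as an added example that is not Forcepoint's product code or anything from the interview: files copied to removable media are sealed under a fresh data key, and that data key is wrapped under an organisation key that only managed devices hold. All names, the on-media layout and the key-provisioning model (one org key pushed to every managed device by device management) are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed model: device management provisions every managed company device
// with the same organisation key-encryption key (orgKEK), ideally kept in a
// hardware keystore. On copy-out the endpoint agent seals the file under a
// fresh data-encryption key (DEK) and stores the DEK wrapped under orgKEK
// beside the ciphertext. Managed devices unwrap it; anything else sees noise.

// Container is the constructed on-media layout: wrapped DEK plus ciphertext.
type Container struct {
	WrappedDEK []byte // DEK sealed with orgKEK (AES-256-GCM, nonce prefixed)
	Ciphertext []byte // file content sealed with the DEK (AES-256-GCM, nonce prefixed)
}

// sealGCM encrypts and authenticates plaintext, prefixing the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any modification of the blob fails authentication.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ProtectForRemovableMedia is the copy-out step the endpoint agent would run.
func ProtectForRemovableMedia(orgKEK, content []byte) (*Container, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, content)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(orgKEK, dek)
	if err != nil {
		return nil, err
	}
	return &Container{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenOnDevice is the read step. deviceKEK is whatever key this device holds:
// orgKEK on a managed device, something else (or nothing) anywhere else.
func OpenOnDevice(deviceKEK []byte, c *Container) ([]byte, error) {
	dek, err := openGCM(deviceKEK, c.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK (unmanaged device or tampered file): %w", err)
	}
	return openGCM(dek, c.Ciphertext)
}

func main() {
	orgKEK := make([]byte, 32) // constructed stand-in for the provisioned org key
	_, _ = rand.Read(orgKEK)
	strangerKEK := make([]byte, 32) // a key some unmanaged machine might hold
	_, _ = rand.Read(strangerKEK)

	c, err := ProtectForRemovableMedia(orgKEK, []byte("Q3 board deck - RESTRICTED"))
	if err != nil {
		panic(err)
	}
	pt, err := OpenOnDevice(orgKEK, c)
	fmt.Printf("managed device: %q err=%v\n", pt, err)
	_, err = OpenOnDevice(strangerKEK, c)
	fmt.Printf("unmanaged device: err=%v\n", err)
}
```

A single shared org key is the simplest shape and the easiest to explain; it also means that one compromised managed device exposes every file ever written to removable media. A production design would wrap the DEK to a per-device key (or to a key server that checks device health before releasing the DEK), which keeps exactly the same user experience while limiting the blast radius.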

Make privacy a first-class citizen. Too often, companies send a bad message by giving the impression that they don't trust their employees. Security and privacy should be a benefit to the employee, not a negative. One way companies can achieve this is by being open with employees. When employees understand what's happening, they understand why it's protecting the company. Another is by anonymizing the data in a way that protects an employee's personal information but still continues to protect the company. In practice that means monitoring pseudonymous identities in the telemetry and keeping re-identification behind a controlled process, so investigations remain possible without routine monitoring exposing who did what. When done right, employees' privacy should be protected and so should the company's data. You shouldn't do one at the expense of the other.
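One way to implement that anonymization, as an added example rather than anything described by Forcepoint or in the interview: user identities in DLP events are replaced by keyed pseudonyms before the events reach the monitoring team, so per-user volume analysis still works, while the key (and therefore the ability to put a name to a token) sits with a separate custodian. The event shape, the threshold logic, the key-custodian role and the sample events are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Assumed design: before DLP or behaviour-analytics events reach the analysts'
// console, user identities are replaced by HMAC-SHA256 pseudonyms under a key
// the analysts do not hold. Events from one person still line up under one
// token, so counting and pattern analysis work unchanged; naming a token
// requires the key custodian (for instance HR plus legal) to run Reidentify.

type Pseudonymizer struct {
	key []byte // held by the custodian, not by the monitoring team
}

// Token maps a user identity to a stable pseudonym. Because it is keyed, an
// attacker holding the token stream cannot recover identities by hashing a
// directory of usernames, which is the weakness of a plain SHA-256 of the name.
func (p Pseudonymizer) Token(userID string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(userID))
	return "u_" + hex.EncodeToString(mac.Sum(nil))[:16]
}

// DLPEvent is a constructed event shape: who, what, how much.
type DLPEvent struct {
	User   string
	Action string
	Bytes  int
}

// Pseudonymize returns a copy of events with User replaced by its token.
func Pseudonymize(p Pseudonymizer, events []DLPEvent) []DLPEvent {
	out := make([]DLPEvent, len(events))
	for i, e := range events {
		e.User = p.Token(e.User)
		out[i] = e
	}
	return out
}

// OutliersByVolume returns tokens whose total bytes moved exceed threshold.
// This is what the monitoring team sees and acts on; no names are involved.
func OutliersByVolume(events []DLPEvent, threshold int) []string {
	totals := map[string]int{}
	for _, e := range events {
		totals[e.User] += e.Bytes
	}
	var hits []string
	for user, n := range totals {
		if n > threshold {
			hits = append(hits, user)
		}
	}
	sort.Strings(hits)
	return hits
}

// Reidentify is the custodian-side step: with the key, test a directory of
// known user IDs against the token. Without the key this search is not possible.
func Reidentify(p Pseudonymizer, token string, directory []string) (string, bool) {
	for _, id := range directory {
		if p.Token(id) == token {
			return id, true
		}
	}
	return "", false
}

func main() {
	custodian := Pseudonymizer{key: []byte("constructed-demo-key-do-not-reuse")}
	// Constructed sample events, as an endpoint agent might report them.
	raw := []DLPEvent{
		{"alice", "usb_copy", 2_000_000},
		{"bob", "email_attach", 120_000},
		{"alice", "cloud_upload", 3_500_000},
		{"carol", "print", 40_000},
	}
	seen := Pseudonymize(custodian, raw)
	hits := OutliersByVolume(seen, 1_000_000)
	fmt.Println("tokens over threshold:", hits)
	directory := []string{"alice", "bob", "carol"}
	for _, tok := range hits {
		who, _ := Reidentify(custodian, tok, directory)
		fmt.Printf("%s -> %s (custodian only)\n", tok, who)
	}
}
```

Rotating the key re-tokenizes everyone, which is the right behaviour when a monitoring dataset leaks but also breaks continuity of analysis; keep the rotation window aligned with how long behavioural baselines need to persist.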

For a deeper drill down, please listen to the accompanying podcast.

For more about human behavior and data breaches:
Why studying human behavior could be the key to securing networks
Look to human nature for continued success of phishing attacks
Wetware: People are the problem in countless data breaches