As anyone who reads our weekly blogs on a regular basis will know by now, something like 94% of malware in the form of phishing and impersonation attacks is delivered by email and 88% of data breaches are caused by human error.
We all know what happens. A legitimate-looking email from a trusted client or supplier will arrive in the employee’s inbox with a link to an invoice or a password reset or something of that nature. The well-meaning employee clicks the link which then installs malware, freezes the system and either a ransom is demanded to unfreeze the system (usually in the form of bitcoin), or sensitive data such as user information, log-in credentials or payment details including names, addresses and credit card numbers is harvested.
It’s nothing more than a numbers game. If an attacker sends out hundreds of thousands of fraudulent emails, he or she can expect a small percentage of recipients to click the link, and that’s enough to cause catastrophic repercussions for businesses.
So when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people?
Who Is The Weakest Link?
News about state-sponsored hacking and massive attacks compromising hundreds of millions of email accounts or credit card details or social security numbers is obviously a lot sexier (and much more newsworthy) than a junior in the accounts department clicking on a link they shouldn’t, but is that justification for investing large amounts of money in cybersecurity?
Yes and no. To err, as Alexander Pope correctly pointed out in his Essay on Criticism, is human, but instead of apportioning blame, Tim Fitzgerald says that ‘In general, not only should we be talking to our senior executives and boards more clearly about where real risk exists – which for most companies is the human layer – but we also need to be doing more to help these people combat the problem.’
He goes on to say that it’s rather unfair to see employees as the weakest link in the cybersecurity chain. At Arm, they try to look in the mirror and say ‘what are we not providing our employees to help them avoid these types of scenarios?’
By taking a ‘people are people’ view, the direction of thought should NOT be that employees don’t come with good intent, that employees don’t want to be good at their job, that employees don’t take shortcuts to get that extra moment of productivity. It should be that every employee genuinely wants to do a good job for themselves and the business and it’s up to the managers to give them the tools and the knowledge base they need not only to do a good job but to recognise where threats come from.
Fundamentally, Tim Fitzgerald suggests that the CISO’s role in what he describes as human security is a mix between a sociology and marketing experiment. ‘We’re really trying to change people’s behaviours in a moment.’ Not their personal viewpoints of course, but trying to influence behaviour to get people to make the right decision in a particular moment.
‘Can we make responsible security decision-making part of everybody’s job?’
Empowering Employees, Not Pointing Fingers
One of the biggest challenges that businesses face, especially with the amount of data produced and stored, is the sharing of said data.
For security professionals, it’s of very little value to say that employees are an intractable problem and therefore businesses will never get ahead of the curve. The value lies in ensuring that employees are mobilised as part of the overall cybersecurity defence mechanism which in turn makes CISOs rethink whether or not they are serving their staff correctly.
‘I’m an optimist, so I genuinely believe that the average employee is trustworthy. I think if you give people the opportunity to make a good decision and make the easiest path to get their job done the secure path, they will take it. That is our job as security professionals.’
Using Machine Learning To Enable Human Layer Security
As a world leader in enterprise-level email security, Tessian’s Human Layer Security builds context around whether something an employee did was atypical or simply part of a bad process. It gives CISOs a sense of which activities are actually creating risk and, without requiring chapter and verse, lets them learn, using the technology and alongside the people themselves, what normal patterns of behaviour look like and intervene when necessary.
It will come as no surprise that most employees spend most of their time on email (which is therefore where the majority of the risk comes from), and the technology is about much more than ensuring someone hasn’t just ‘fat-fingered’ an email address or sent a malicious file where it wasn’t supposed to go. It’s about learning how people are using email and creating moments in time to connect with them.
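To make the ‘learn what normal looks like, then intervene in the moment’ idea concrete, here is an added example that is not Tessian’s code and not from the original post. It stands in for the machine learning described above with a deliberately simple heuristic: a per-sender baseline of recipient domains built from constructed outbound mail logs, plus an edit-distance check that catches a fat-fingered or lookalike domain so the sender can be prompted before the message leaves. The log entries, addresses and function names are all assumptions made for the example.

```python
"""Per-sender recipient baseline with a lookalike-domain check (illustrative heuristic)."""
from collections import Counter, defaultdict

# Constructed sample of historical outbound mail as (sender, recipient) pairs; not real data.
HISTORY = [
    ("alice@example.com", "bob@partner-corp.com"),
    ("alice@example.com", "carol@partner-corp.com"),
    ("alice@example.com", "bob@partner-corp.com"),
    ("alice@example.com", "dan@example.com"),
    ("erin@example.com", "finance@supplier.net"),
    ("erin@example.com", "finance@supplier.net"),
    ("erin@example.com", "dan@example.com"),
]


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    return address.rsplit("@", 1)[1].lower()


def build_baseline(history):
    """Count, per sender, how often each recipient domain has been used before."""
    baseline = defaultdict(Counter)
    for sender, recipient in history:
        baseline[sender.lower()][domain_of(recipient)] += 1
    return baseline


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(sender, recipient, baseline, max_distance=2):
    """Decide whether an outbound message can go silently or should prompt the sender.

    Returns (decision, reasons): decision is "allow" when the sender has mailed this
    domain before, otherwise "warn" with human-readable reasons for the prompt.
    """
    sender = sender.lower()
    domain = domain_of(recipient)
    if domain in baseline.get(sender, Counter()):
        return "allow", []

    reasons = []
    # Organisation-wide view: every domain any colleague has mailed before.
    org_domains = set()
    for counts in baseline.values():
        org_domains.update(counts)

    # A domain one or two edits away from a known one is the classic typo / lookalike case.
    for known in sorted(org_domains):
        d = edit_distance(domain, known)
        if 0 < d <= max_distance:
            reasons.append(
                f"'{domain}' is within {d} edit(s) of known domain '{known}'; "
                "possible typo or lookalike"
            )

    if domain in org_domains:
        reasons.append(f"first time {sender} has mailed '{domain}' (colleagues have)")
    else:
        reasons.append(f"'{domain}' has never been mailed by anyone in the organisation")
    return "warn", reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for sender, recipient in [
        ("alice@example.com", "bob@partner-corp.com"),   # routine: allow
        ("alice@example.com", "bob@partner-c0rp.com"),   # one-character lookalike: warn
        ("alice@example.com", "finance@supplier.net"),   # new for alice, known to erin: warn
    ]:
        decision, reasons = assess(sender, recipient, baseline)
        print(f"{sender} -> {recipient}: {decision}")
        for reason in reasons:
            print("   -", reason)
```

The point of the "warn" decision is the in-the-moment nudge the article describes: the sender sees why the message looks unusual and confirms or corrects it, and the baseline keeps learning from what they then do. A production system would weight recency, attachment sensitivity and reply-chain context rather than a single edit-distance threshold.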
The Future Of Human Layer Security
According to Tim Fitzgerald, the key is, as it usually is with this sort of thing, in working together. ‘Can we start to mesh together what we know about the technology and the machines with real human behaviour?’
Not only will it help CISOs find the bad guys they know for sure are there, it also makes security proactive (staying one step ahead of the curve and predicting where the risks are) rather than reactive (waiting for an event to happen before anything is done), which is the holy grail.
Contact us today on firstname.lastname@example.org or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or what’s better, Netflix, Amazon Prime or Sky?