Adopting a people-centric approach to cybersecurity
In October 2023, the CISA-led Cybersecurity Awareness Month marked its 20th anniversary. To commemorate the milestone, the annual event, first held in 2004, launched a new awareness program, ‘Secure Our World’ (1), which aims to change the everyday online behavior of users across the US. It rests on four basic steps that any user can follow: using strong passwords, turning on multi-factor authentication (MFA), recognizing and reporting phishing, and keeping software updated.
Why the attention
With roughly two-thirds of the world’s population online in some form (5), and user lapses on the rise, it is little wonder that CISA chose awareness among users as the central theme of its campaign. A considerable share of recent data breaches has been attributed to people-related causes: users falling for phishing scams, clicking on suspicious links, and generally following unsafe online habits.
The examples are legion. In the benchmark case perpetrated on tech giants Facebook and Google (4), employees at both companies were taken in by an email fraud built on forged supplier invoices, resulting in a loss of over USD 100 million (most of it subsequently recovered). The chief executive of a UK energy firm (3) fell for a deepfake voice call impersonating the head of its parent company, triggering a loss of EUR 220,000.
The role people play
Over the years, the role people play in cybersecurity has emerged as a major concern. Many experts regard vigilant, aware users as the first line of defense. Others have labeled people the ‘weakest link’ in the information technology landscape: the element most likely, despite documented security procedures, to expose an organization to attack.
A claim of this kind seems justified when one looks at where the user sits. Most scams begin with some interaction (or failure to act) by the user in response to the attack vector. Vigilance and awareness shore up defenses; their absence opens the door to the attack.
Awareness, however, is only half the problem, says SecurityWeek (2), which summarizes the two problem areas as a lack of security awareness among users and a lack of cybersecurity talent (6).
The complexity of the human interface
Most cybercrime, like most crime, is driven by the prospect of gain. Cybercriminals are people too, with the difference that they prey on unsuspecting and uninformed users, and that they are generally far more adept with the technology both sides rely on. But while the attacker’s motive is usually greed, the target’s behavior is driven by a wider range of emotions (7): greed, but also fear, curiosity, sympathy, and trust.
It is this range of emotions that can be addressed by awareness and employee training.
The role of training and workforce enhancement
CISA’s Secure Our World guidelines resonate with the industry’s own view of user awareness. Governments and organizations in both the public and private sectors are working to raise awareness through legislation, best-practice implementation and user training. A trained workforce is better equipped to respond quickly: to identify threats, act appropriately on suspicious activity, report incidents, and support remediation. Basic user training could cover:
- Instilling good password management, with special emphasis on creating and using strong, unique passwords
- Recognizing and ignoring phishing links and suspicious emails or messages from unknown senders
- Preparing for the latest social engineering tactics, including AI-generated deepfakes
- Reporting unusual behavior, whether of computers or of colleagues
- Following best practices for handling data in both digital and physical form
Training cyber professionals matters too. A lack of it is touted as one of the leading causes of the cybersecurity talent crisis, as professionals find themselves ill-equipped for the mounting challenges of technology. It is recommended that organizations:
- Make cybersecurity training an ongoing mandatory exercise
- Partner with security technology vendors for product and applications training
- Invest in and introduce smart working methods and automation so that cyber professionals can concentrate on core security activities, and
- Adopt and leverage new-age technologies, including AI and ML
The role of technology
Cybersecurity has evolved considerably from its humble beginnings and is now almost unrecognizable from its early days. Technology has been at the center of that change, with new developments arriving at remarkable speed.
Most experts advocate the following technology measures:
- Enforcing least-privilege access rights for users
- Multi-factor authentication (MFA)
- Monitoring for unpatched vulnerabilities
- Keeping software and applications updated
- Data encryption
- Connecting over a VPN rather than directly over unprotected Wi-Fi
- Identity and Access Management (IAM) systems
- Zero Trust Architecture (ZTA)
- AI-based behavioral analytics
- AI and machine learning (ML) for threat detection, and
- Data loss prevention, damage mitigation, and data recovery measures
The way forward lies in a collaborative approach
Experts hold that while user awareness certainly helps, the answer is a collaborative approach that combines technology management with user awareness. CSO Online succinctly calls it a ‘layered approach’ involving people, processes, and technology. Gartner’s top trends for 2023 (9) advocate that organizations strike a careful balance between technology adoption and human-centric elements if they are to stem the recurrence of cyber incidents. They suggest:
- Prioritizing the role of employees in security design
- Moving away from purely technology-driven programs by placing equal emphasis on people management and technology
- Shifting centralized IT functions out to business lines, centers, and individuals
Final words
Adopting a human-centric approach to cybersecurity programs is not new to the industry. In 2015, Gartner (10) asked whether organizations were ready to implement People-Centric Security (PCS). Few had taken notice at the time: only an estimated 5% of respondents had successfully implemented the concept in their organizations. Five years later the figure had risen to 30%, indicating a marked change in the mindset of CISOs and CIOs.
These statistics alone bear out that organizations are changing how they view people within the cybersecurity framework. And that change certainly resonates with CISA’s newly launched Secure Our World program.
References:
- (1) Cybersecurity Awareness Month | CISA
- (2) Addressing the People Problem in Cybersecurity | SecurityWeek
- (3) The Dark Side of Technology: Deepfakes and their Threat to Cyber Security | Aurora (aurorait.com)
- (4) The Endless Need for Employee Education and Awareness in Cybersecurity | Aurora (aurorait.com)
- (5) Cyberbullying: The Real and Present Danger | Aurora (aurorait.com)
- (6) Cybersecurity Talent Crisis Amid Shortages, Burnout, and CISO Resignations | Aurora (aurorait.com)
- (7) Social Engineering at Work | Aurora (aurorait.com)
- (8) The Human Factor in Information Security | ISACA (isaca.org), for additional reading on molding human behavior
- (9) Humans Needed Cybersecurity, Gartner | Silicon UK Tech News
- (10) Have You Ever Considered A People Centric Security Strategy | Gartner (gartner.com)