The recent Capital One breach has highlighted a painful fact that many within the cybersecurity community continue to ignore: the human factor must not only be considered, but also actively accounted for, if we are to get ahead of human threats, both inadvertent and malevolent.
As we understand it currently, a trusted insider within Capital One’s hosting service leaked millions of pieces of customer data to the larger public. Technical misconfigurations are currently believed to be in play, but the larger motives for why the insider would have released this information to begin with are still being speculated about throughout the community, with theories ranging from a “resistance” mindset to nation-state activities. While that larger narrative will continue to be discussed specific to Capital One – inevitably with expensive consequences – we should think more deeply about how this nebulous human factor continues to negatively affect the laborious and very expensive work put into securing an organisation.
Stanton, Stam, Mastrangelo, and Jolton (2005) stated that within an organisation, the humans – employees, contractors, third-parties – interacting with a cybersecurity program exist on a spectrum from positive to negative. Sounds like common sense, right? At any given point in time, you’ll have employees who are happy and energised, while others might be discontent, complacent or worse. Humans either bolster or negate the processes and technology that have been put into place within an organisation through their behaviors. Surely, if the technical controls which have flooded the market were doing the full job of mitigating these behaviors, we’d never hear of a breach, and the cybersecurity community would be quite dull, indeed – not the case. That said, how can we move those essential humans toward the positive end of the spectrum to be our “eyes and ears”, working to our benefit, no matter their daily role within the organisation?
Understanding the talent and motivation of humans who are interacting with your systems and data isn’t an overnight task, but it may be the most important thing you can undertake to mitigate the human factor. Training and awareness programs are almost passé, but think long and hard about whether your employees believe in the threats to your organisation. Do YOU believe in the threats to your organisation? If you honestly don’t, chances are good that your training program isn’t great at explaining them either. Employees who don’t understand the absolute necessity of cybersecurity and their active role in defense won’t take it seriously; it’s not their fault, they just didn’t know they were really supposed to make it a priority amongst priorities. I’m sure IT had it covered for them!
Further, what role DO they play? What are the behaviors you expect from them? What should they be looking for as an anomaly to report? Do they think you’ll actually hold them accountable if they don’t play that part? The latter might be the most critical, drawing the bright line between vigilance and malaise. Leaders who are visible, and who hold themselves and others accountable, need no further introduction.
No matter what you’ve heard, no matter what you’ve been sold, there’s no technical silver bullet. Let’s get the right people doing the right things, hold those who don’t consistently accountable, and the technical solutions will become an excellent complement to our Human Firewall.