On May 14th I attended the Tietoturva 2019 seminar – #tietoturva2019 – in Helsinki, Finland. The event was held in a cinema megaplex – hence the name of this post! – and hosted by the cybersecurity branch of Traficom and the National Emergency Supply Agency.

I was very pleased to see how much time was reserved for networking, and how openly people from across the industry were sharing their challenges and visions of the future.

It is said that in cybersecurity, the bad guys are always a step ahead. While true, when it comes to actual exploits we (as the good guys) do have some aces up our sleeves. Defensive cybersecurity flourishes on networking and openly sharing information – traits that are hard to find on the offensive side, especially when it comes to state-level actors.

The seminar had three main themes:

  1. The emergence of 5G, as the first commercial cells are now online in Finland, and the first open 5G hackathon in 11/2019 (held in Oulu, Finland; 5gfwd.org).
  2. The importance of practising cybersecurity procedures instead of merely writing them down.
  3. People in cybersecurity.

People in cybersecurity

This blog post is about the third theme. Countless headlines paint people as the weakest link in security. However, Dr. Jessica Barker (@drjessicabarker), co-CEO of the cybersecurity consulting company Cygenta, gave a very interesting keynote (see featured image above), proposing an alternative view to this widely held belief. It is true that humans – especially ‘insiders’ – cause the majority of security incidents, but insider accidents pose a more serious threat than insider maliciousness. Malicious insiders can do great damage, but are few in number. Innocent insiders who accidentally compromise security, for example by falling victim to a phishing attack, might individually cause less damage, but their numbers are vast – potentially anyone in the entire workforce of a company and all of its subcontractors!

The most efficient trigger for phishing is the same reason gossip magazines survive year after year: curiosity. For example, in a country where talking about salaries is taboo, a very effective bait is a USB stick dropped in the parking lot labelled ‘salaries and bonuses’. Personnel in key positions are likewise targeted with another effective trigger: reputation. The CFO or CEO might be targeted by increasingly complex and believable sextortion swindles, which do not aim to blackmail the victim for money directly, but for insider information that can later be sold or used for insider trading.

Avoiding security fatigue in businesses

People are being bombarded by automated phishing attacks daily, and more targeted attacks are on the rise. What gives us the strength to oppose the onslaught day after day?

Optimism.

The majority of people think that bad things, like getting phished, only happen to other people. Around 80% of people, four out of five of the people sitting in the meeting room, are hardwired to be optimistic. Lecturing them repeatedly about the gloomy facts will not help – it will just annoy them.

Closely related to this is the approach often taken by upper management: risks are best managed by telling others not to do A and not to do B. When the IT department becomes the ‘Department of Saying No’, the security fatigue is already terminal in the organisation.

Instead of doing morbid metadata analytics on successful phishing attacks (if you’re interested, mid-Tuesday and mid-Thursday are the best times for phishing attacks), what if we IT pros stopped looking for problems for a single day? Instead of looking for things that do not work, would we be able to see and acknowledge that the most recent phishing victim in our organisation might have avoided the bait hundreds of times before? We know that no complex machine works perfectly 100% of the time. Why, then, do we keep demanding that humans achieve perfection? Wouldn’t 99.9% do for starters?

The upper echelon of cybersecurity companies typically consists of people with technical and business backgrounds. Their values are reflected throughout the company, resulting in an enterprise that tries to solve human issues with technology and numbers. If security doesn’t work for people, it doesn’t work.

Check out my previous post on: What is Phishing 2.0 and which countermeasures can organisations use against it?