11 Oct 2022
by Lance Spitzner

Security Awareness: It’s Actually About Managing Human Risk (Guest blog by SANS Institute)

Guest blog by Lance Spitzner, Director, Security Awareness, SANS Institute #Cyber2022

Cybersecurity leaders, businesses, and the cybersecurity community will all tell you the same thing: people represent the greatest risk in today’s highly connected world. 

Organisations not only see it in their own incidents, but in global data sets. For instance, the Verizon DBIR, one of the industry’s most trusted reports, has for the past three years identified that people are involved in over 80% of breaches globally.  These incidents can be from people being actively targeted in phishing emails or smishing attacks to people making simple mistakes, such as IT administrators misconfiguring their cloud accounts and accidentally sharing sensitive data with the world. 

So, if people represent such a high risk, what should we be doing about it?

The problem with security awareness lies in how we treat employees

The traditional approach has been (and often continues to be) to throw more technology at the problem. 

If cyber attackers are successfully phishing people with email, organisations will deploy security technologies that filter and stop phishing email attacks. If cyber attackers are compromising people's passwords, businesses will implement multi-factor authentication (MFA). The problem is cyber attackers simply bypass these technologies by targeting people.

As we get better at identifying and stopping phishing email attacks, cyber attackers simply target people's mobile phones with smishing (SMS or message-based) attacks.  As more and more organisations deploy MFA, cyber attackers simply continue to pester people with MFA requests until they approve them (as per the recent Uber incident).

This is where we also run into our second challenge: security teams far too often blame people as the root cause of the human risk problem. 

We see this with phrases such as phrases “people are the weakest link” or “if our employees simply did what we told them to do, we would be secure”.  These statements imply that people are the root of the problem. However, when we look at cybersecurity from the average employee’s perspective, it turns out that we - the security community - are often to blame.  We have made cybersecurity so confusing, scary, and overwhelming that we have set people up for failure.  People often have no idea what to do or, if they do know what to do, carrying out the solution has become so difficult that they get it wrong or simply choose another option.

Just look at passwords, one of the biggest drivers of breaches. For years, we have seen numerous articles and reports describing how people continue to use weak passwords in an insecure manner.  But why is this? Because the password policies we teach are terribly confusing and constantly changing.  For example, many organisations or websites have policies requiring complex passwords of 15 characters, including having upper and lower case letters, symbols, and numbers. We then require people to change those passwords every ninety days but don’t provide a secure way to keep track of all those long, complex, and changing passwords. 

Then, we roll out MFA to help secure people.  However, once again, this can be extremely confusing (even for me!).  First, we have multiple different names for MFA, including two-factor authentication, two-step verification, strong authentication, or one-time passwords.  Then we have multiple different ways to implement it, including push notifications, text messaging, FIDO token-based, authentication apps, etc.  Every website you go to has a different name and implementation of this technology, and then we once again blame people for not using it.

This is where security awareness and managing human risk come in.  Security awareness has long been the traditional approach: communicating to, and training, your workforce in how to be cyber secure.  While a step in the right direction, we need to take this one step further: we need to manage human risk.  Managing human risk takes a far more strategic approach. It starts with a basic understanding of security awareness, but adds some vital ingredients needed in today’s risk landscape:

  1. Risks: Identifying the key risks and behaviours is vital. To do this, the security awareness team needs to be an integrated part of the security team, even reporting directly to the CISO.  Its job should include working closely with other security elements (such as the Security Operations Center, Cyber Threat Intelligence, and Incident Response) to clearly identify the top human risks to the organisation and the key behaviours that manage those risks.  Once those key risks and behaviors have been identified and prioritised, we can then communicate with, and train, our workforce on those behaviours.  Models like the Security Awareness Maturity Model enable organisations to do just this.
  2. Policies: We need to start creating security policies, processes, and procedures that are far simpler for people to follow. We should be designing policies (and the tools that support them) with people in mind.  If we want people to use strong authentication, we must focus on something that will be easy for people to learn and use.   The more confusing and manual the process, the easier it is for cyber attackers to take advantage of that.
  3. Security Team: We need security teams to communicate to their workforce in simple, human terms that everyone can understand, including explaining the ‘why’ of their requirements.  Why are password managers important, what value does MFA have to me, and what good is enabling automatic updating?  Instead of the security team being perceived as the arrogant, technical team of ‘no’, we should change the perception that the security team is the approachable and collaborative team of ‘yes’.

Managing human risk is becoming a fundamental part of every great security leader’s strategy.  Security awareness is the first step in the right direction as we attempt to communicate to, engage, and train our workforce. However, we now need a more dedicated, strategic effort to truly manage human risk.

Who knows – one day the industry might take a huge step in the right direction and replace the role of the Security Awareness officer with the Human Risk Officer!

https://www.sans.org/uk/


Help to shape and govern the work of techUK’s Cyber Security Programme

Did you know that nominations are now open* for techUK’s Cyber Management Committee? We’re looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself/a colleagues here.

*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.


Upcoming events 

Cyber Innovation Den

On Thursday 3 November, techUK will host our fourth annual Cyber Innovation Den online. This year we’ll explore efforts being made to realised the ambition set out in the National Cyber Strategy, with speakers taking a look at the progress we’ve seen to date, including the foundation of the UK Cyber Security Council, the reinvigoration of the Cyber Growth Partnership and the continued growth in the value of the sector to the UK economy.

Book now!

Cyber Security Dinner

In November techUK will host the first ever Cyber Security Dinner. The dinner will be a fantastic networking opportunity, bringing together senior stakeholders from across industry and government for informal discussions around some of the key cyber security issues for 2022 and beyond.

Book now!


Get involved

All techUK's work is led by our members - keep in touch or get involved by joining one of the groups below.

lock-tech-security-web-training.jpg

The Cyber Management Committee sets the strategic vision for the cyber security programme, helping the programme engage with government and senior industry stakeholders.

Office-working-laptop-196947631-web-1500px.jpg

The CSSMEF is comprised of SME companies from the techUK membership. The CSSMEF seeks to include a broad grouping of different SME companies working in the Cyber Security (CS) sectors.

 

 

Authors

Lance Spitzner

Director, Security Awareness, SANS Institue