by Vladislov Shapiro
The end of May and beginning of June were dominated by the news about ransomware attacks on food (JBS), gas (Colonial pipeline), water (Florida), hospitals (New York, Nebraska, Ohio, Missouri and Michigan), transportation (Steamship Authority) and responses by high level officials: POTUS, Deputy National Security Advisor for Cyber and Emerging Technology, Energy Secretary, etc. The FBI director compares these current attacks to 9/11. Media headlines on this subject are very grim and talking about potential disaster due to lack of cybersecurity.
Everybody knows it is a time for action. President Biden’s executive order talks about sharing threat information, partnership between government agencies and private corporations, Zero Trust Architecture, cloud security, multi-factor authentication, and encryption for data at rest and in transit as well as other cyber-tech buzz words. Anne Neuberger, current Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, wrote an open letter on this subject and again focused exclusively on technology (best practices, backup, patch, test incident response, check your security team work, segment your network, etc.).
Both of the documents do not even mention cybersecurity culture and awareness, which made me, as a human factor specialist, very concerned. Some of the suggestions, like having a “skilled, empowered security team” sounds like a pipe dream for many enterprises.
Moreover, in the CNN article “Ransomware attacks saddle Biden with grave national security crisis“, the authors wrote: “all it takes is one computer user to inadvertently open the gateway to cyber attackers through malware”. As you see, the theme of “users as the weakest link” in cybersecurity is still popular: instead of discussing how to protect and build an awareness with positive impact, we are back to square one on culture. If people are left alone against bad actor attacks with no appropriate support, if an organization relies on their employees (often working 50+ hours a week from home and dealing with life issues at the same time) to be “vigilant” without a safety net, then it is a cybersecurity culture crisis, not a user problem. It is time to raise these cultural issues to the highest level.
KnowBe4 has released a new Security Culture Report in 2021. The main message is that “Security culture is a critical, need-to-have asset in the security toolbox. By assessing employees’ security awareness, behaviors and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape.” For example, “organizations with poor security culture have a risk that is 52 times higher for employees sharing credentials”. I strongly support the author’s position that we will see real positive dynamics in digital security only after human beings and cybersecurity culture made the center of attention.
Culture is not built overnight: it takes time and requires a lot of work. In my opinion, our job as identity subject matter experts is promoting people-centric security, creating positive identity-friendly experiences related to cybersecurity awareness, and shifting the focus from technology to human factor mitigation.
Our recommendations are the following:
- Discuss current events with your non-technical colleagues and solicit their opinions of the situations
- Promote cybersecurity culture within your organization by educating your leadership about it. Use the KnowBe4 report as one of your tools.
- Actively participate in consumer and internal user education around how to recognize and withstand social engineering attacks. Show them that identity professionals are here to help.
- Start researching existing guardrails and safety nets in your organizations which could protect your users in case of mistakes, such as clicking on a bad link. This is especially important when it comes to monitoring lateral movement or questionable requests for access outside one’s job responsibilities.
Question to our readers: What would you propose as a step for building positive cybersecurity culture in your company? As always, please share your feedback and opinions on our #humanfactor Slack channel.
Vladislav Shapiro
VP, Infrastructure Security Technologies
Brown Brothers Harriman