cybersecurity Archives - IDPro
https://idpro.org/tag/cybersecurity/

#HumanFactor 11 – Ransomware, cybersecurity culture, and IGA
https://idpro.org/humanfactor-11-ransomware-cybersecurity-culture-and-iga/
Mon, 28 Jun 2021 15:58:47 +0000

The post #HumanFactor 11 – Ransomware, cybersecurity culture, and IGA appeared first on IDPro.

by Vladislav Shapiro

The end of May and beginning of June were dominated by the news about ransomware attacks on food (JBS), gas (Colonial Pipeline), water (Florida), hospitals (New York, Nebraska, Ohio, Missouri and Michigan), and transportation (Steamship Authority), and by the responses of high-level officials: POTUS, the Deputy National Security Advisor for Cyber and Emerging Technology, the Energy Secretary, etc. The FBI director compares these current attacks to 9/11. Media headlines on this subject are very grim and talk about potential disaster due to a lack of cybersecurity.

Everybody knows it is time for action. President Biden’s executive order talks about sharing threat information, partnership between government agencies and private corporations, Zero Trust Architecture, cloud security, multi-factor authentication, and encryption for data at rest and in transit, as well as other cyber-tech buzzwords. Anne Neuberger, current Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, wrote an open letter on this subject and again focused exclusively on technology (best practices, backup, patch, test incident response, check your security team’s work, segment your network, etc.).

Neither document even mentions cybersecurity culture and awareness, which made me, as a human factor specialist, very concerned. Some of the suggestions, like having a “skilled, empowered security team”, sound like a pipe dream for many enterprises.

Moreover, in the CNN article “Ransomware attacks saddle Biden with grave national security crisis”, the authors wrote: “all it takes is one computer user to inadvertently open the gateway to cyber attackers through malware”. As you see, the theme of “users as the weakest link” in cybersecurity is still popular: instead of discussing how to protect people and build awareness with positive impact, we are back to square one on culture. If people are left alone against bad actor attacks with no appropriate support, if an organization relies on its employees (often working 50+ hours a week from home and dealing with life issues at the same time) to be “vigilant” without a safety net, then it is a cybersecurity culture crisis, not a user problem. It is time to raise these cultural issues to the highest level.

KnowBe4 released a new Security Culture Report in 2021. The main message is that “Security culture is a critical, need-to-have asset in the security toolbox. By assessing employees’ security awareness, behaviors and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape.” For example, “organizations with poor security culture have a risk that is 52 times higher for employees sharing credentials”. I strongly support the author’s position that we will see real positive dynamics in digital security only after human beings and cybersecurity culture are made the center of attention.

Culture is not built overnight: it takes time and requires a lot of work. In my opinion, our job as identity subject matter experts is promoting people-centric security, creating positive identity-friendly experiences related to cybersecurity awareness, and shifting the focus from technology to human factor mitigation.

Our recommendations are the following: 

  • Discuss current events with your non-technical colleagues and solicit their opinions of the situations.
  • Promote cybersecurity culture within your organization by educating your leadership about it. Use the KnowBe4 report as one of your tools.
  • Actively participate in consumer and internal user education around how to recognize and withstand social engineering attacks. Show them that identity professionals are here to help.
  • Start researching existing guardrails and safety nets in your organizations which could protect your users in case of mistakes, such as clicking on a bad link. This is especially important when it comes to monitoring lateral movement or questionable requests for access outside one’s job responsibilities.

Question to our readers: What would you propose as a step for building positive cybersecurity culture in your company? As always, please share your feedback and opinions on our #humanfactor Slack channel.

Vladislav Shapiro

VP, Infrastructure Security Technologies

Brown Brothers Harriman

Identiverse goes virtual!
https://idpro.org/identiverse-goes-virtual/
Mon, 18 May 2020 13:15:10 +0000

The post Identiverse goes virtual! appeared first on IDPro.

Identiverse® has been IDPro’s ‘home’ event for the past few years and it is considered the identity industry conference for those “in the know.” The conference has always been a great opportunity to connect with identity professionals across the industry and share our experiences and knowledge on new standards, technologies, solutions and products, and more. 

This year, for the first time in 11 years, the digital identity industry will not be able to meet in person at the event. But that will not stand in the way of our community continuing to support its members. Instead, Identiverse will be held as a series of webinars starting in early June, with presentations each week to accommodate a global audience. Most of the presentations will offer a live Q&A and will also be recorded and available on-demand.

This year, IDPro will be presenting the following topics at Identiverse: 

  • IDPro Introduction to Identity (i)
    By: Stephen Hutchinson, Principal Cybersecurity Architect of GE Digital and founding member of IDPro
  • IDPro Introduction to Identity (ii)
    By: Stephen Hutchinson, Principal Cybersecurity Architect of GE Digital and founding member of IDPro
  • The Skills and Experiences of Identity Practitioners
    By: Pamela Dingle, Director of Identity Standards of Microsoft and Ian Glazer, VP of Identity Product Management for Salesforce and Founder and President of IDPro

A number of IDPro members had proposals accepted through the call for presentations and will also be speaking. You can review the complete Identiverse agenda here.

We look forward to connecting with you, and in the meantime we hope you will catch up on past IDPro member presentations here.

Follow @IDPro and @Identiverse on Twitter for more updates. 

Learn more about the 2020 Identiverse Virtual Conference: https://identiverse.com/2020/05/04/different-format-same-wow-factor/

Have questions about Identiverse? We’ve got you covered: https://identiverse.com/frequently-asked-questions/
