The Employee: An Organization's Security Downfall or a Hidden Security Gem
By Gordon MacKay, EVP and CTO, Digital Defense
Several years ago, while on a walk, my lively Pomeranian took notice of a few birds. They also took notice of her and almost immediately took flight, reacting to what they perceived as impending danger. This was nature's warning system in motion. The few birds' reaction to the threat caused the entire flock to become aware of the danger. This "safety in numbers" behavior intrigued me. Often in nature, an organism is more secure in a community than alone. I wondered whether this ecosystem principle could apply to employees, with the goal of enhancing the organization's overall security posture. Evidence has shown employees can often be liabilities when it comes to security. Yet this begs the question: if assessed, trained and armed with the right tools, could employees represent a hidden security protection force to be harnessed?
The Rise of Human Hacking
Due to advances in technology and the growing demand for convenience, the IT landscape has evolved, making information security increasingly complex. Security walls are crumbling and organizations, now more than ever, face the challenge of supporting an efficient workforce while protecting against the possibility of a devastating information security breach. Attackers have seen this changing landscape and have expanded their targets to include human hacking, also known as social engineering. As evidenced in the Verizon 2015 Data Breach Investigations Report, over the past several years successful data breaches that included a social engineering component have steadily increased. This is an increasingly concerning trend.
The Root of Human Vulnerability
As humans, we play a big role within the organizations we work for and contribute to. In many senses, a human may actually be viewed as a kind of computer: an organic computer. We hold valuable information such as usernames and passwords. We operate, use and access the company's computers to do our work and, in doing so, we may be fooled by others (e.g. through an email) into accessing information that hides dangerous malware. A recent Intel Security quiz showed that of the more than 16,000 test takers, 80 percent fell for at least one in seven phishing emails. These numbers are alarming, especially when we realize hackers only need one employee to fall victim in order to gain access to an organization's valuable data. But what is the root of our vulnerabilities? Throughout our evolution, we learned to overcome harsh natural environments by relying on each other. We learned to inherently trust others in our community because this enabled us to survive longer. Yet, due to our social nature and our dependence on others, rooted in our natural desire to survive, we are vulnerable to lies.
“Instead of considering humans as a security liability, contemplate the harnessing and utilization of human vulnerabilities for our benefit”
This is a grim reality. However, as opposed to considering the employee as a security liability, I have a more optimistic perspective.
Training, Assessing and Harnessing the Intelligence
As security professionals, we understand the importance of regular vulnerability assessments of our IT infrastructure, as well as remediation of findings to drive out risk. However, by and large, we minimize the assessment of our employee population as part of this program. Certainly, assessing and training won't render us immune and we may still fall victim to social engineering attacks. However, evidence has shown that security awareness training and behavior training systems have significantly reduced the incidence of human compromise in security-related events. Taking this to the next level, we can utilize the intelligence gleaned from our organic computer assessments to bolster an organization's security posture. I see this as a crucial element of the next wave of cybersecurity and envision a system which, among other capabilities, achieves this concept by integrating human security awareness assessments with IAM systems. For instance, even though an IAM system may authenticate a user's identity during a login request, this user may be refused access on the basis that the user has poor security awareness assessment results. With this integration, an organization's security program is bolstered in that it catches more real social engineering attacks.
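As an added illustration of the IAM integration described above (example code, not from the article or from Digital Defense), the following policy check runs after authentication has already succeeded and uses the employee's awareness assessment results to allow, step up, or refuse access to a resource. The record fields, score weights, thresholds and sample values are all assumptions; the score also rewards employees who report real phishing, the "flock alert" behavior discussed later in the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # e.g. require a second factor or manager approval
    DENY = "deny"

@dataclass
class AwarenessRecord:
    """Results of an employee's (hypothetical) security awareness programme."""
    user: str
    simulations_sent: int         # simulated phishing emails delivered
    simulations_clicked: int      # of those, how many the employee clicked
    last_training: Optional[date]  # None if awareness training was never taken
    reported_real_phish: int = 0  # genuine phishing emails the employee flagged

def awareness_score(rec: AwarenessRecord, today: date) -> float:
    """Map assessment results to a 0..100 score (weights are assumptions)."""
    if rec.simulations_sent:
        click_rate = rec.simulations_clicked / rec.simulations_sent
    else:
        click_rate = 0.5  # never assessed: treat as a coin flip, not as safe
    score = 100.0 - 60.0 * click_rate
    if rec.last_training is None or today - rec.last_training > timedelta(days=365):
        score -= 25.0  # training stale or never taken
    score += min(15.0, 5.0 * rec.reported_real_phish)  # reward flock alerts
    return max(0.0, min(100.0, score))

# Per resource sensitivity: (allow at or above, step-up at or above).
# Below the step-up floor the request is denied even though authentication passed.
THRESHOLDS = {"low": (0.0, 0.0), "medium": (40.0, 20.0), "high": (70.0, 40.0)}

def access_decision(authenticated: bool, rec: AwarenessRecord,
                    sensitivity: str, today: date) -> Decision:
    """Authorization step that runs after the IAM system has authenticated the user."""
    if not authenticated:
        return Decision.DENY
    allow_at, step_up_at = THRESHOLDS[sensitivity]
    score = awareness_score(rec, today)
    if score >= allow_at:
        return Decision.ALLOW
    if score >= step_up_at:
        return Decision.STEP_UP
    return Decision.DENY
```

A record such as `AwarenessRecord("bob", 10, 5, None)` scores 45 on 2016-03-01, so the same authenticated user is allowed into a medium-sensitivity resource but is stepped up for a high-sensitivity one.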
Safety in Numbers
Just as the saying goes, "One man's poison is another man's medicine", instead of considering humans as a security liability, contemplate harnessing and utilizing human vulnerabilities for our benefit. Our natural tendency to trust and rely on others may be used to our advantage. For example, there are several existing security solutions which offer human behavior-based training that enables an organization to continuously raise awareness within its employee base of the dangers of phishing. Some solutions include a feature that allows employees to notify the entire community whenever an employee becomes aware of a real phishing event. Does this seem analogous to the security in numbers of the few birds alerting the entire flock? I believe this concept need not be limited to phishing, but can be used for all suspected security attacks. Imagine a web-based, social media enabled system, inclusive of gamification, which allows all employees of an organization to share their experiences related to imminent attacks. I sense it is similar to using an employee base as a grid of organic Intrusion Detection Systems, acting as a security overlay that complements an organization's existing security infrastructure.
Information security defense has become exponentially more complex and challenging. The attackers have several advantages: they need not stay in one place, they may hide, time is on their side and they may leverage the susceptibility of employees in order to achieve their desired prize. As defenders, we have a disadvantage in that it is difficult to continuously move our fortress to evade the attacker. A strength we must take advantage of is our ability to harness our individual human awareness to achieve a "protection in numbers" effect. This has proven successful for many natural ecosystems. We defenders are not fighting a losing war. We are not even part of a war; we are simply surviving within a natural, ever-changing physical and virtual world.