One of the biggest misconceptions is thinking cybersecurity is only about technology. In fact, people and their behaviors play a prominent role in almost every aspect of protecting digital assets. Without proper consideration for the human element, security strategies are destined to fail miserably.
In this week’s video blog I cover some of the aspects, history, and recommendations for better perspectives to improve security planning by embracing the human factors.
Cybersecurity cannot be achieved with just technical controls. Technology and people are two sides of the same coin and must be handled together. A strong anti-malware suite is meaningless if the end-user disables it so they can install a new piece of desired software. The best network firewall is ineffective if the user bypasses it by bringing in a USB drive to directly connect to systems. The strongest password is pointless if users fall for phishing scams and give it to attackers. The best software code eventually becomes exploitable if it is not engineered by the designers to be patched when new vulnerabilities are discovered.
Then there are the attackers. Behind every network intrusion, spam email, ransomware campaign, and denial-of-service attack is a real person. It may be technology that executes the acts, but it is a human who is initiating and coordinating it. Attackers are driven by motivations that manifest into objectives. These are then pursued by whatever methods are at the attackers’ disposal.
A cyber-criminal is typically motivated by personal financial gain. Therefore, they seek to obtain monetary assets through theft, fraud, extortion, or other means. Like the famed bank robber Willie Sutton, they target “where the money is” and will follow the path of least resistance to reach their objectives. These factors determine targets and drive behaviors, which may result in phishing, ransomware, network breaches, fraudulent sites, malware, or many other technical possibilities. If one fails, they move on to another. If a method is successful, they refine it and press further for more gain.
I have found most people in cybersecurity are narrowly focused only on the technical aspects and largely ignore the behavioral side of the equation. This is a grievous mistake. Perhaps they are not comfortable with understanding the behavioral perspectives or believe that by simply closing all the vulnerabilities, security will magically be fixed. Regardless, most initially feel that technology can overcome people’s bad decisions, poor behaviors, and malicious intent. They are wrong.
Those who are not security-savvy fail to see that technology is just a tool. Those tools are wielded by people, for their own purposes, and sometimes in unexpected or mistaken ways. Therefore, there will always be significant gaps in security if technology and behaviors are not addressed simultaneously.
Weak Security Strategy
Cybersecurity plans that only focus on system patching, firewall rules, access control lists, and passwords are immature for today’s challenges. It is no longer enough. Training of users, developers, operations, and even customers is very important. We must not rely on uneven perimeter defenses. Security must be woven throughout the system to be truly effective, both from a cost and risk perspective.
Embrace both sides of the equation, technical and behavioral. Don’t be blindsided by looking at cybersecurity only through a technology lens. Although tech is hugely important, so is comprehending the behavioral aspects of the people, from attacker to victim, involved in the ecosystem. Understanding both technology and behavioral controls will help close significant gaps in risk mitigation efforts.
More Cybersecurity Misconceptions videos can be found at the Information Security Strategy YouTube channel.