PODCAST: A case for studying the ‘why’ of network breaches instead of just the ‘how’

By Byron V. Acohido

Employees often are seen as the weakest link in cybersecurity. Breaches by hackers may hit the headlines, but in many instances human error (or intent) is responsible for the majority of attacks.

IBM’s 2016 Cyber Security Index reported that insiders carried out 60 percent of all attacks. Three-quarters of these attacks were malicious, and a staggering 25 percent of breaches were accidental.

I took the opportunity to sit down with Richard Ford, chief scientist at Forcepoint Security at Black Hat 2017 in Las Vegas. The notion of understanding human behavior and its role in cybersecurity was the topic of our discussion, and you can find the key takeaways below.

Look at the why, not the what. We’re great at focusing on what is happening within our network and capturing every single event. What we’re bad at doing is talking about the why. This often is much more significant. It’s time companies think about what the hacker is trying to accomplish. Why did that file get moved? Why did that data loss prevention (DLP) event occur? Mitigation depends on the why. You’d mitigate an accidental data breach very differently than for an intentional one. When companies move toward the why, they can start to mitigate much more effectively.

Ford and Acohido

Reduce the friction caused by IT security. A lot of security measures aren’t successful because they create friction between users. Currently, we see security’s role as protecting the business. In the future, we will see it as a way to enable business to be done safely. For example, to stop restricted files from leaving company servers, most firms would turn off universal serial bus (USB) access. But that creates friction. Instead, the file should be seamlessly and silently encrypted so that it will only decrypt if it is loaded onto another company device. It’s the same level of protection but with far less friction. The more seamless security is, the more people will buy into it.

Make privacy a first-class citizen. Too often, companies send a bad message by giving the impression that they don’t trust their employees. Security and privacy should be a benefit to the employee, not a negative. One way companies can achieve this is by being open with employees. When employees understand what’s happening, they understand why it’s protecting the company. Another is by anonymizing the data in a way that protects an employee’s personal information but still continues to protect the company. When done right, employees’ privacy should be protected and so should the company’s data. You shouldn’t do one at the expense of the other.

For a deeper drill down, please listen to the accompanying podcast.

For more about human behavior and data breaches:
Why studying human behavior could be the key to securing networks
Look to human nature for continued success of phishing attacks
Wetware: People are the problem in countless data breaches

This article originally appeared on ThirdCertainty.com

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone