Stop the Cyber Breach Blame Game: There are Better Responses

By Ira Winkler, Skytop Contributor / September 7th, 2021 


Ira Winkler, CISSP is CISO for Skyline Technology Solutions and author of You Can Stop Stupid. He is considered one of the world’s most influential security professionals and has been named a “Modern Day James Bond” by the media. He earned that reputation by performing espionage simulations, in which he physically and technically “broke into” some of the largest companies in the world, investigating crimes against them, and telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these espionage simulations, as well as assisting organizations in developing cost-effective security programs. Ira also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader. Most recently, Ira was named 2021 Top Cybersecurity Leader by Security Magazine.


Being Human is Not the Cause 

The human factor is the cause of 85% or more of all significant security breaches. This can be from errors, a lack of awareness, apathy, malice, or countless other reasons. For example, ransomware is sent to insiders, who have to enable the ransomware to execute. A user may enable the ransomware because they were tricked into clicking on a link, visited a supposedly safe website that was compromised, weren’t paying attention and clicked on a malicious link accidentally, or intentionally wanted to enable the attack. While the “why” may matter in the postmortem, frankly you should just care that it happened.

Limits of Awareness Training 

In one recent example, a criminal attempted to bribe a Tesla employee to load malware on the corporate network. There is talk that the recent Accenture hack resulted from an insider loading the malware onto the network. The reason I highlight this is that if you listen to vendors, and most of the cybersecurity community, you would believe that the solution is to create “The Human Firewall” and provide your users with awareness training. When you consider that awareness training was already in place at just about every organization that has suffered a data breach or other loss, it would seem like insanity to believe that awareness training is the solution.

I help companies implement awareness training, and I can tell you that awareness can be beneficial and improve an organization’s security posture. However, it is just a tactic that should be part of an overall strategy. Cybersecurity is not the only field that has to deal with not just user error, but harmful user actions in general. Accounting, safety, and medicine, among countless other disciplines, all acknowledge that users will never act perfectly, so they build a series of checks and balances into the overall system.

User Initiated Loss 

Taking that concept further for cybersecurity, people do not create loss. They initiate a sequence of actions that can result in loss. It is for this reason that I created the phrase User Initiated Loss, or UIL.

UIL acknowledges that, for example, a user cannot encrypt data storage. The operating system encrypts the data. The user just enables software, which then requests a service in the operating system to perform the encryption. Then also consider how the user became the recipient of ransomware. If it came into the user’s inbox, whose fault is it that your system provided the user with the ransomware to initiate? Likewise, as ransomware is a widely known and expected attack, whose fault is it that the damage is allowed to be realized?

Systemic Failure

UIL implies that for user related losses to be initiated and realized, the entire system failed. This should not be a new concept, but it sadly is for cybersecurity programs. You need to approach this problem strategically, with a plan and a set of tactics, which should include awareness training. 

Plan for It 

Addressing UIL takes a comprehensive strategy, and that is the subject for future articles. If you want more information in the interim, my book, You Can Stop Stupid, addresses the strategy in detail. In the meantime, in order to really address the problem, you have to first acknowledge it. The Human Firewall will fail, which is OK as long as you plan for it.
