Ask a management team if cyber security is important to them and you’ll get an immediate affirmative. In fact, many will tell you that security is one of their top priorities as an organization. Most can back up these claims by stating how much they’ve invested in security solutions in recent years and by what percentage of their IT teams are dedicated to improving cyber awareness and security across the enterprise. Ask them however for specifics on how and where they are at risk and you are likely to get some blank stares coming back at you.
As security continues to evolve from an issue of IT to a matter of business risk, many leadership teams are struggling to understand it and to answer the fundamental question of, “Where am I susceptible to threats?” For a myriad of reasons ranging from the sophistication of the attacks to a takeover of the business environment by the personal device, environments have changed and so must the way organizations view security. What once was simply an issue of what side of the perimeter you were on, has now evolved into a series of analytics, analysis and behavior modification, all in the name of creating more secure network.
A couple of months back, I wrote a column focusing on the human side of security. The theme was essentially that no matter how much we spend on technology solutions, the human element will always be the weakest and riskiest element of security. For those following current news cycles, I’m sure you’d be inclined to agree with me on this point. However, all is not lost in the battle to secure the company from the human element. People tend to be predictable, far more predictable than automated systems or computer-generated vulnerability probes. Therefore, they create patterns of behavior that can be captured and analyzed, and eventually modified to mitigate many of the day-to-day risks an organization faces.
One of the most complete descriptions I’ve read about in regards to this approach, and certainly the best summary of the problem, appeared in a report (PDF) issued last September titled “The Millennial Cybersecurity Project: Improving Awareness of and Modifying Risky Behavior in Cyberspace.” This project was prepared for the Department of Homeland Security by the Institute for Homeland Security Solutions. It states:
Millennials are the first “always connected” generation ensconced within an ecosystem of digital devices from iPhones and iPads to tablets and laptops. They bring these devices and behaviors into the places where they study and work which can expose organizations to security vulnerabilities. Millennials are reported to lack awareness of and demonstrate limited adherence to organizational security policies which highlights the need for new approaches that build awareness of risky behaviors in cyberspace. The goal of the Millennial Cybersecurity Project is to improve our understanding of Millennials awareness of cybersecurity threats, to identify risky behaviors that put organizations at risk, and to explore new digitally – mediated tools to modify risky behaviors in cyberspace.
In short, the new generation of employee, while technically more advanced and savvy, pays little to no attention to security. This is not to suggest that they don’t understand security, but rather they are more concerned with keeping access to their devices, applications, and way of existence on the Internet, than adhering to company protocols on security. This represents the new reality for organizations to deal with and one that needs to be addressed quickly.
As the old expression goes however, knowing is half the battle. Understanding the potential areas of risk and using predictive security intelligence can help company’s identify patterns of risky behavior. This allows organizations to address security concerns two-fold. They can develop programs to deal with vulnerabilities from a user stand point while also shielding the company’s most critical data assets with additional layers of security.
I know there has been an ongoing debate about the effectiveness of employee training as it relates to security. However, it is incumbent on organizations to make it work. While there may be failures along the way, saying we tried and it didn’t work is simply unacceptable. Instead, organizations are focusing on other, real-time methods to both educate the workforce and serve as a security measure. In the Millennial Cybersecurity Project, cited earlier, they demonstrated results through digitally -mediated interventions that both reinforced positive identification of phishing emails and reduced associated risky behaviors. They also found these methods to be extremely effective in reducing password vulnerabilities, which as described in my Human Side of Security article, continues to be the biggest point of failure within organizations.
Security is not easy and our workforces only make it more complicated. But if you are committed to working with them and applying principles such as predictive security and pattern analysis in your security programs, you will find that you will not only be able to better identify where your threats are coming from, but you will go a long way towards eliminating them in the process.