You have secured every server, patched every bit of software, your risk teams have vetted and locked down 10,000+ third-party applications, and you won a personal victory with the addition of a new canine unit to the corporate campus lobby. Impossibly though, the news is reporting that your business assets have been exfiltrated to several competing nations. Impossible… until you hear about a user who clicked on a link and installed a rootkit onto their machine. The rest is history.
Sound familiar? We in the industry hear this type of tale all too often. As much as we would love to say, “the Russians did it!” and accept sympathy – the majority of these cases are the result of human error (failing to patch a system, users clicking links). The challenge is that we are not focusing on the one asset of the company that hasn’t been secured: the user.
Over the past few years, I’ve enjoyed the online discussions, debates and conference tracks where we, “the security professionals,” sought to solve the end-user challenge. We debated and argued, and the result was more and more endpoint agents and behavioral software. This whirlwind of discussion and debate is our echo chamber – we are all like-minded and on mission, and yet we have minimal impact on the state of security. Then I had a eureka moment that changed my perspective permanently.
In March 2014, I was with family for a birthday at a park. A cousin of mine was late and after some phone calls we learned her cards had been copied and used in fraudulent purchases. These were then cancelled by the banks, but she was without any method of getting food or drink for her babies in the car. As I learned about this event, I was at first sad that again my industry had failed.
Then I learned she had used her debit card for everything (and this was the third time she had had this problem), and I went on to explain to the family members present why they should not use a debit card in that fashion. After about 5 minutes of distilling what they should have done, I asked why they had not known about this practice (having shared security risks and practices for the past 20 years, I thought my family, at least, should be educated).
Their response hit me like a brick: “Nobody ever told us.”
There it is… the biggest problem—with more than three billion people online, an average of four devices per person, and on most smartphones, 114 applications installed—is that we are not communicating how to be safe online.
Since that day in March, I have studied this problem and what began as a set of practices for my family has evolved into a new book, How Not To Be Hacked. Below, I share the barriers that I discovered in educating regular people and how you can carry this forward within your own organization.
I will warn you – this is not an easy journey. Distilling security risks into something actionable and subconsciously emotional took more than 30 revisions in many cases. These revisions were driven by plenty of human tests, in the field and across the country – a practice that is paramount to the success of any program.
Top 3 Barriers to Educating Non-security Professionals
1. They do not want to become security professionals
A study was released in which a test group was placed in an MRI machine and shown security warning messages. The result: the test group’s brains literally shut down when those messages appeared. The first barrier to recognize is that the user doesn’t want or need to become a security expert to be secure. The tooling and messaging we use must take this into account from the outset.
2. Too precise is not precise enough
Ask an engineer, security professional, developer, or anyone technical if X will work, and you will hear the typical response, “It depends.” That precision is a deathblow to any productive conversation. The engineers within us must give up some precision in order to be precise enough for the end user. A question can be addressed by accepting specific facts about the end users, the systems and the type of business. Take these into account, and security advice can be stated simply and precisely enough to be understood at face value.
3. Lack of emotional intelligence
We hear this a lot these days – the need to empathize with this group or that group. A security professional is motivated by any number of factors: a competitive spirit that pits their competency against that of online criminals, judged by KPIs; a standard of personal pride; and protecting their way of life (such as protecting nuclear missile codes).
Each of these, when examined, can be considered personal and emotional to the security professional. This cannot be transferred to the regular end user, and yet we try… How many images of spies, criminals and dark figures do we see posted across the globe as part of poster campaigns telling people not to click links?
Emotional intelligence must be woven into the end-user education experience, and it must resonate with them directly. Every case is different, but the answer is readily available from the users themselves. We cannot solve this problem without the end user.
There are not enough security resources, budget, technology, or prayers to establish a true security program without the users of the system participating actively. Consider this example I developed for a Fortune 500 client:
Organization: 182,000 employees
Security staff (contracted + employees): 1,000
Each employee has 1 laptop + 1 smartphone (based on expense reports)
Statistically, each employee will also have 2 other devices that can/will connect to these laptops and smartphones
Each smartphone (by average) has 114 applications
Each employee will manage at least 19 password-protected accounts
So, the scale of the problem: [182,000 employees x 4 devices + 114 + 19] / 1,000 security professionals = 728
Basically (not being overly precise here), each security professional in this business must be effective at securing 728 points of attack on the enterprise. If any one of these fails, the business is hacked. However, build an army of highly tuned end users, each responsible for their own devices, and the above calculation shifts from 728 to 4!
Two Tips From the Book For a Business Context
#11: Don’t open attachments in email, chat, or on the phone without notice. If the file wasn’t expected, it shouldn’t be opened… simple, yet it solves a world of problems.
#29: Juggle multiple passwords using a wallet. What is interesting here is that we as security professionals could either architect an environment that allows a single authentication method (wicked expensive) or allow the use of password wallets on endpoint devices. Too often we over-engineer solutions because we want the control that comes with owning those password repositories, but this assumption should be challenged.
A final message that I find resonates very well with regular computer users is: “The user we trust, but it is the system they are using that we don’t trust.” Therefore, each system they connect to must be treated accordingly. How you communicate this fact is the principal determinant of success.
About the Author: James DeLuccia is a published author, practitioner, and cyber security expert who draws on his 20+ years of experience to provide innovative and actionable solutions. Currently he is an advisor to global Fortune 100 companies on cyber security. James has spent the last decade building and leading global information security technology, teams, and compliance operations. His published clients include Google, Amazon, Cisco, Equifax, and other leaders in their field. He is certified as a CIA, CISA, CISM, CISSP, CPISA, and CPISM, and holds degrees in Risk Management and Management Information Systems and an MBA in Finance. His first book, “IT Compliance and Controls: Best Practices for Implementation,” and his latest, “How Not To Be Hacked – The definitive guide for regular people,” are available globally.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.