Cyber-security awareness: A battle between the rational and impulsive brains
Since the dawn of information technology, when computers were the size of rooms and held hardly any information, they have required a human to operate them.
Since the dawn of information technology, when computers were the size of rooms and held hardly any information, they have required a human to operate them. Much research has been done on the effects of computers on us as people, a society and where the relationship is headed.
But what is the impact on us today, now that we are already in an age of “ubiquitous computing”, according to Dr Michiu Kaku, a Japanese-American futurist, theoretical physicist and populariser of science?
It would seem that we have not truly adjusted to this ubiquity, IBM's 2015 Cyber Security Intelligence Index stated that 45 percent of all breaches were due to insiders and that 95 percent of those breaches were due to human error. In other words, 42.75 percent of the average companies' breaches were due mostly to inadequately or improperly trained personnel. That is a staggering statistic which should demonstrate why it is an imperative to educate the modern digital workforce on the importance of being safe “digitally”.
Jacob Ginsberg, senior director at Echoworx, speaking with SCMagazineUK.com, said that, “There are certain basic things which you are taught as a human from a very young age, like ‘don't talk to strangers', ‘don't touch a hot oven', ‘make sure you wear sunscreen'.” He went on to explain that, “...we should probably have similar lessons like that which would educate the digital workforce on the basic things you can do to stay safe at work.”
Ginsberg pointed out that many people who try out Echoworx's email encryption solution simply don't understand the basic ideas behind encryption and how it functions. He said that, “While encryption is a well implemented concept that most people use every day, it still seems to slightly mystify people because of its technical aspects.” Ginsberg explained that, “Even though the basic action of unlocking an iPhone or sending an email over TLS is an action that is carried out millions of time a day, no one associates those actions to the act of ‘using' encryption.”
While encryption is only one tool in the battle against data-leaks and cyber-attacks, there are certain questions this raises - are we arming the British workforce with enough basic training and knowledge to potentially stop their next major data-breach or cyber-attack? Does the average employee possess the tools and knowledge to encrypt data, protect their company's IP or spot even the sneakiest of phishing emails? There obviously is a need for basic real world steps which an employee can take to stay safe online.
Training for the basics
Richard Starnes spoke with SC and explained his experience as former chief information security officer at the Kentucky Health Co-Operative, saying that, “Cyber-security and privacy training is mandatory for all staff and contractors including the executives and the C-suite.”
Starnes went on to tell SC that, “Cyber-security is a rapidly changing landscape, which is why I train on concepts as well policy and process. It is better for your employees to know and understand than to just know. Training sessions are also a good way to keep the lines of communication open with frontline staff.”
And Nick Ioannou agrees, in his role as head of IT at the Ratcliffe Groves Partnership, Ioannou thinks educating his colleagues is about helping them, “...understand the tricks the criminals use, their vast resources and explaining how exploited vulnerabilities can render all security measures useless.” To try and combat this, Ioannou says that all of RGP's, “....emails are now filtered by two cloud systems, together with scanning and filtering of all web traffic including HTTPS.”
To build on that, Ioannou suggests showing employees, “Barclays' Fraud Prevention Videos.” The videos, although they tackle issues directly relating to banking, talk about everything from phishing attacks to spotting malicious emails that ask you to login to your online banking to ‘confirm your details'.
Teaching at scale
The problem of trying to educate a workforce affects both SMEs and major multinational corporations alike. BAE Systems recently took on the challenge of trying to educate its dispersed, diverse and multi-national workforce on cyber-security awareness.
To keep pace with a rapidly evolving threat landscape, BAE Systems wanted to implement a mandatory IT security awareness programme that would give all employees training on how to spot and combat the latest cyber-threats. However, as well as these advanced threats, BAE Systems was also conscious that day-to-day information security awareness (such as ensuring company laptops are never connected directly to the internet) is also important.
Giles England, head of IT security, policy & risk management at BAE Systems, explained that, “Some of the most sophisticated cyber-attacks can be launched with very simple actions – such as an email account holder clicking on an infected attachment. BAE Systems was therefore determined to ensure that all staff were reminded of the cyber-threat, and are also aware of how to respond if they feel they are being targeted.”
Surinder Lall, a seasoned cyber-security law professional in the media industry spoke with SC and suggested that the most difficult staff to manage and keep from downloading infected attachments are ‘creatives', as they will resort to using whatever they see fit to get the job done, and if they don't have that tool, they will often feel their job is being inhibited by the tech itself.
It is because of this that Lall says training staff has to be constant, but subtle as you have to “keep people engaged.” Agreeing with Jacob Ginsberg above however, he said that no one wants a school ‘don't do drugs' lecture. It's important to remember that he and his team in their professional capacities teach adults.
The changes that need to be made
Richard Beck, head of cyber-security at QA, a provider of cyber-security training courses echoed BAE's sentiments explaining that as, “most employees tend to ‘self-serve' when it comes to IT, where they would avoid speaking to an IT service desk, for example worrying they wouldn't be able to get their computer back in time to finish work that's on a deadline, even if it needed vital maintenance patching or upgrades.
It is for this reason that IT breaches often go unnoticed as the employee “doesn't know it had happened”.
And it is for this reason too, that Surinder Lall said, “In my experience employees are often seen [by the company] as being guilty first.” Arguing that the problem of “not knowing it happened” often goes right up the ladder to the board of executives.
Lall argues that although he recognises it happens differently company to company, generally “CISOs are divorced from operational reality. And if they do report something, they can become a ‘fall guy' if it was something for which they are responsible, which is why they keep quiet. The info on what exactly is happening in the company gets watered down by the time you get to the top.”
Encouraging CISOs to be more vocal, Lall said that, “I've never known a CISO to voice such obvious concerns in a board meeting,” suggesting that this is because, “... the board want to claim plausible deniability in case of a breach”.
Taking his point further, Beck says it is an imperative to have clear reporting lines throughout the business, so that the board understands the cyber-risks, which are of course, business ones.
Agreeing with Beck is Stuart Reed, senior director at NTT Com Security who commented by email to SC that, “Preparation is everything when managing cyber-risk and increasing an appetite for risk management in the organisation. Executives must start by identifying their organisation's key assets, and gaining an understanding of the threats to them and the impact they would have. This will enable them to design effective practices to protect the business, and engage employees intelligently.”
Touching briefly on AI
So how can this issue be tackled? Could AI do the job of ‘thinking' for humans as they carry out their usual mindless action without considering the consequences? Would AI be quicker? Could it take over doing this at some point? Or will humans remain better at spotting human deception?
Ioannou told SC that, “We have machine learning which is not AI, it works until the criminal's methodologies change and then may be next to useless depending on the scope of the programming, where a human may spot the changes.”
And Lall agrees, “Currently the nuances of the human mind are far too difficult for any computer to try and replicate. This means that while we could make use of intelligent software that learns and spots irregularities in human behaviour to spot the employee suddenly logging in from China or downloading files from the FTP server in the middle of the night, something akin of the AI seen in Hollywood movies is still way off for us.”
Thom Langford, CISO of the Publicis Groupe recently told a panel of experts at InfoSecurity Europe 2016 that, “Security should be automatic and not even a conscious thought (so we) need a significantly different approach.”
As University of Chicago economist Richard H Thaler and Harvard Law School Professor Cass R Sunstein wrote in their 2008 novel ‘Nudge', the human brain is a battleground between Homer Simpson and Dr Spock – a rational and conscious decision maker trying to reign in a short-term impulsive ‘see doughnut, eat doughnut' approach.
Which would explain why we have a tendency to assume that people are rational, and always make rational decisions.
But when you're running between meetings, checking emails across devices in a rush and you receive a phishing email that plays to base emotions like reciprocity and feeling indebted to answer, taking time to make a rational, security-conscious decision is not the priority. Getting through the backlog of emails and getting through the day is.
Dr Helen Langer, a professor of psychology at Harvard University commented in a recent Security Through Education podcast, “when you're not there, you're not there to know you're not there”.
So beyond sending employees on training programmes and using software to prevent human-error based data breaches, it would appear we could all be taught a little more mindfulness which could go a long way to preventing those quick-fire but regrettable actions which can cause damage. That unexpected email is most likely not going to give you a free iPad.