People are the Easiest Hack; The Pentagon Learns the Hard Way

The US military is one of the most cyber-secure organizations on the planet. However, it was not always the formidable digital fortress that it is today. Hard lessons first had to be learned.

Back in 2008, a seemingly innocuous USB stick was picked up in the car park of a Department of Defense facility and ultimately found its way into a laptop attached to the United States Central Command. The USB drive was loaded with malicious code that spread rapidly through sensitive networks, causing what one senior Pentagon official called the “worst breach of US military computers in history.”

This incident was just one of a litany of harmful breaches that together became a catalyst for change. Beginning in 2009, US cybersecurity strategy was completely overhauled. Leadership was established, networks were consolidated, and technology was upgraded. Perhaps most significantly, actions were taken to minimize the risk of human error.

Quoted in the Harvard Business Review, Admiral Mike Rogers, head of US Cyber Command, confirmed that “we have gone beyond focusing on just the tech piece here, it’s about ethos. It’s about culture. [It’s about] how you man, train, and equip your organization.”

The Human Vulnerability

Cybersecurity breaches are an enormous problem for business. In 2016, the Ponemon Institute analyzed 383 companies in 12 different countries and found that the average total cost of a breach was $4 million, an increase of 14% over the previous two years. Add to this the potentially irreversible damage that a security breach can cause to a business’s reputation and consumer trust, and it’s easy to see why cyber risk is top of the strategic agenda.

But how should companies act to reduce their cyber risk exposure? Experts talk about the need to address the three pillars of cybersecurity: technology, policy, and people.

The role of technology is generally well understood and can range from simple things like electronic ID cards to sophisticated network firewalls. Policies are the rules and guidance that an organization puts in place to set expectations for employee conduct. Common examples include protocols governing password usage and social media activity. The quality and effectiveness of policy can vary from organization to organization, but in general, this too has been well addressed.

The human aspect, however, is a chronically neglected element of cyber defense. In our experience, many companies simply ignore or overlook people-related cybersecurity. Often, these companies simply don’t have the time, resources, or expertise to address it. Other companies conduct some form of training, but it’s an ineffective, box-ticking exercise that does nothing but undermine the importance of cybersecurity in the minds of participants.

The inadequacy of these defenses is not lost on hackers. They recognize that humans are the weakest link in the security chain and target employees with a wide range of nefarious tactics, including phishing, spear-phishing, and other forms of social engineering.

The extent of this security gap is reflected in IBM statistics that point to the involvement of human error in 95% of security breaches.

The lesson here is clear. Companies that are serious about reducing their cyber risk must take their lead from the US military. They must effectively address the human aspect of cybersecurity.

Security Culture

Any company seeking to minimize the risk of human error will need to establish a strong security culture, a shared set of ideas and behaviors that reflect and embody cybersecurity best practice.

Cultural change in any shape or form is a complex process. There are, however, several basic building blocks that organizations can put in place when attempting to embed a security culture:

Establish a positive tone at the top

Cybersecurity is a C-Suite level issue. People naturally respect and are influenced by authority. Employees, therefore, are much more likely to conduct themselves in a cyber-secure manner where cybersecurity is actively promoted by senior leadership.

Make people accountable for their actions

Accountability is also important. Under the newly formed US Cyber Command, all individuals are responsible for their own behaviors and all commanders are responsible for the security performance of their units. Tracking and reporting of cyber performance has been established, and individuals stand to be disciplined in the event of negligence. Companies too should seek to make it the norm that all individuals are accountable for their cyber behaviors.

Make security usable

Security usability is an important enabler for cyber-secure behaviors. Technologies and processes that are difficult or confusing to use will damage productivity and increase levels of irritation, motivating employees to bypass security measures in search of an easier life. Take passwords, for example. It is unlikely that employees will use sufficiently complex passwords where company protocol requires that they change their access details every week. Companies should ensure that security technologies and processes are as intuitive and easy to use as possible.

Prioritize continuous education

Effective employee education is essential for behavior change. Companies should first seek to establish a baseline understanding of key risk areas. Make the message relevant by using straightforward, non-technical language and personal examples (people are more likely to care about cybersecurity when they perceive their own assets and loved ones to be at risk).

Following initial training, it is important to promote knowledge retention and behavior change with continuous education. One-off training simply is not sufficient to ensure people remain aware of the risks they face. In fact, it is proven that people forget nearly 70% of what they’re taught within 24 hours of a training session.

Simulated cyberattacks are an effective method for keeping cybersecurity “top-of-mind” and promoting behavior change, especially when poor performers are delivered directly into corrective training. Regular security alerts and updates are also recommended for keeping employees informed of the rapidly evolving threats that they face.

Measure behavioral change

There is an old business adage that suggests that companies only get what they measure. US Cyber Command has operationalized this sentiment with a simple scorecard system designed to facilitate accurate reporting on cyber performance and transparent accountability across the organization.

Companies too should look to develop a basic set of behavioral metrics as a bellwether for cultural change. Some behaviors can be measured using a simple observational method, but others, such as the propensity of employees to click on unknown e-mail attachments, will require some form of technology solution to measure.

Cyber-secure organizations should report on these core metrics on a regular basis and use the data to facilitate informed decision making on cyber strategy going forward.

Conclusion

If the Pentagon’s experience teaches us anything, it is that technology alone cannot protect the business world from the growing cyber threat.

Companies should look instead to embrace a holistic security strategy that treats people as equal in importance to technology and policy in securing their cyber defenses.

How Can Intuition Help?

Intuition is a leading knowledge solutions company. We work with our clients to reduce cyber risk exposure through unrivaled employee education.

Our holistic approach to the human aspect of security includes training solutions for both software developers and general staff, so that your organization can both make and use technology in a safe manner.

If unsafe cybersecurity practices are an issue for your organization, please contact us at cybersecurity@intuition.com to learn how Intuition can help you change behaviors and reduce cyber risk.