Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Wednesday, 1 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

10 Steps to Addressing the Human Vulnerability in Cybersecurity

by The Gurus
June 23, 2016
in This Week's Gurus
Share on FacebookShare on Twitter

Over the past 20 years, the security industry has focused on technology to solve its complex problems. Yet despite decades of research and the myriad security vendors, products and technological advancements that have emerged year after year, the threat landscape is more active today that it has ever been, with no signs of abating. Why? What critical information has eluded cybersecurity companies and prevented them from stemming the tide of data breaches?
At Nuix, we believe this missing link relates to human beings. Experience has taught us that the vast majority of data breaches were not the result of failures in technology, but of poor decision-making by the people responsible for the victim organisation’s security programme. This is supported by a recent survey of corporate security officials sponsored by Nuix, showing 93% of CIOs and CISOs believe human behaviour is the biggest threat to their organisations’ security.
By focusing on technology and ignoring the human element in cybersecurity, organisations have been fighting the wrong battle, with the wrong weapons for the past two decades. Implementing this 10-step action plan will help them correct their course.

1. Admit there is a problem and that it needs to be addressed:

The first step in every recovery programme is realising there is a problem and committing to take action to resolve it.  You cannot begin to address a problem that you can’t or won’t admit is actually there. Count the cost, commit and act!

  1. Garner top-down support: A security programme cannot be successful without top-down commitment, support and evangelisation. The leadership team within the organisation must be utterly committed to the security programme or it will become an exercise in futility and a colossal waste of money, time and energy. Even worse, if an underfunded programme fails (and it likely will), the organisation will face a backlash for publically saying that “security is important” without following through.
  1. Locate and overcome cognitive biases: Cognitive biases are limitations in our brain’s ability to process information, which can cause illogical decision making and poor judgement. Some psychologists believe our cognitive biases help us process information more efficiently, especially in dangerous situations, so our instinctive fight-or-flight mechanism has an advantage. While these biases may be useful in, say, avoiding being eaten by a bear, they also sometimes lead us to make grave mistakes, in many cases without our ever being aware of what we are doing.

Through introspection, training and role playing, it is possible to retrain our brains to behave differently. As you seek to implement this phase, you should retain the services of a professional executive coach, as this process will not be easy, and will very likely cause a lot of political and social upheaval within the company.

  1. Understand the return on investment for security: Spending time, energy and resources on security is not a net loss. When weighed up against regulatory fines, the costs of post-breach litigation and the decrease in revenue from losses of customer confidence and market share, there is definite wisdom to investing in security.
  1. Understand that compliance regimes are only part of the solution: Compliance will never equal security. If governance, risk management and compliance regimes alone could prevent data breaches, problems such as payment card breaches would have been eliminated decades ago. However, it is still a good idea to align the organisation’s security posture with a compliance regime. But you should never expect that compliance alone will make the organisation’s environment safe from attackers.
  2. Learn from your mistakes (and other people’s): Implement an after-action review process for all breaches, whether they are publicly disclosed or not. If you think beyond the impact to your own organisation about what you can learn from an incident, it will help others avoid a similar situation. That can only benefit everyone involved, including you.

7 .Institute a ‘train as you fight’ security philosophy: Just like the military is myopically focused on going to war, you should zero in on preparing for a cyberattack. Doing so will put you in a much better position to handle a real incident when, not if it happens.

  1. Create a culture of security-minded employees: Security is everyone’s responsibility. Client-side attacks such as social engineering, spear phishing and browser-based exploits are among the most common and most effective attack vectors. Every employee, contractor, third party vendor, intern or volunteer should understand the basics of identifying, deflecting and reporting these attacks.
  2. Realise security is a journey, not a destination: Becoming secure is not something you do, it’s something you are. There is no beginning or end to this journey. You will not reach the end of a strategic initiative, declare victory and celebrate your hard work. This is a long-term commitment that will change and evolve over time.
  3. Marrying human intelligence and technology is the key to victory: You should aim to engineer out as many human intersection points as possible to reduce the opportunity for errors. In those areas where automation cannot replace human interaction, the people in those positions should be extensively trained and equipped with software that will act as an intelligence multiplier.

For two decades we’ve been designing security technology to solve technology problems; in essence, we’ve been fighting the wrong battle. If technology has a role, it must be to help solve people problems.
By addressing the human vulnerability, organisations can reduce the number of opportunities for people to make mistakes, therefore ensuring they are exponentially more prepared, and subsequently more successful than they have ever been in protecting themselves against cyber threats.
 
By Chris Pogue, Chief Information Security Officer, Nuix

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

iOS 10 Developer Preview Has An Unencrypted Kernel

Next Post

IT professionals take their eyes off the ball during the Euro Cup

Recent News

JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023
Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information