Embrace the Human Element of Cybersecurity

A balanced set of social and technical controls can help organizations address a major cybersecurity vulnerability: people.

The modern cybersecurity landscape includes some pretty exotic threats. We hear about the risk posed by state-sponsored actors wielding all-powerful zero-day attacks and teams of highly skilled attackers who carefully monitor activity and tunnel their way into systems. Vendors impress upon us the importance of adding the latest and greatest cybersecurity tool to protect against these threats. While there is certainly merit to these arguments, the reality is that the typical modern attacker doesn’t have the ability to exploit these vulnerabilities and, in fact, doesn’t need to do so. 

Most attacks that take place today take advantage of two common cybersecurity risks: social engineering attacks that trick users into inadvertently providing access, and security misconfigurations that are the result of human error. The human-oriented nature of these risks means that we can’t depend on technology alone to address them. Instead, we must rely on a balanced set of technical and social controls to build a robust security program. 

Let’s take a look at five things organizations can do today to protect their systems, applications, and data from human-oriented threats.

1. Offer Continuous Training Opportunities

Everyone from the CEO to the receptionist should understand their role in protecting an organization from cybersecurity threats. Most organizations today ask employees to watch a short video every October during Cybersecurity Awareness Month and take a brief quiz to document the training, but that’s simply not enough. Awareness training should be an ongoing effort that bakes security into the culture of your organization. The messaging can include articles in an employee newsletter, posters in the elevator, tips sent over email and other communications tailored and branded to your organization as constant reminders of your commitment to cybersecurity.

2. Deploy Advanced Email Protections

Human-based threats often involve email messages. From phishing attacks to information solicitation, inbound email messages pose numerous cybersecurity risks. Next-generation email gateways perform reputational filtering, sandbox suspicious attachments and rewrite URLs to protect employees against malicious sites. It’s simply not sufficient to depend on the controls built into your email system. Modern threats require the added protection of a dedicated solution.

3. Revisit Your Approach to Password Security

You likely already have a strong password policy in your organization, but how robust is your approach to password authentication? Organizations should at a minimum provide employees with access to password vault technology to encourage the use of unique, strong passwords that are not reused. Organizations should consider going beyond credential management by deploying single sign-on technology to centralize password-based authentication. Once SSO and multifactor authentication are in place, you can explore a modern passwordless approach.

4. Update Multifactor Authentication Controls

Multifactor authentication provides very strong protection against credential theft attacks. Organizations that don’t already use MFA should deploy it as soon as possible. Organizations with existing deployments should examine whether the extent of that deployment is sufficient. Do you have MFA configured for all your remote and privileged access to devices, applications and admin consoles? Are you using adaptive or step-up authentication? It’s very common for organizations to deploy MFA only to a small set of use cases, leaving the majority of their access needs uncovered and providing a false sense of security. The best way to quickly deploy strong MFA throughout an organization is to integrate it with an SSO solution, enabling the organization to rapidly protect both on-premises and cloud-based systems and applications.

5. Use Insider Threat Protection Technology

User and entity behavior analytics solutions can help an organization quickly identify and isolate employee accounts that exhibit suspicious behavior. Through machine learning and artificial intelligence technology, UEBA platforms monitor user behavior and identify deviations from normal patterns. A successful social engineering attack can transform a malicious outsider into an insider, but with UEBA you can quickly detect and address unsanctioned behavior that results from account takeovers.

Together, these controls can help organizations build a robust defense that will protect them against the human-oriented threats prevalent in today’s cybersecurity landscape.

Story by Walt Powell, an accomplished cybersecurity expert and executive coach who specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He is the executive security strategist at CDW and prior to that served as a senior security adviser at Optiv and a virtual CISO at Left Brain Security. Through these roles, he has had the opportunity to learn from and contribute to hundreds of CISOs and their programs. Powell holds dozens of professional certifications including CISSP, CISM, Carnegie Mellon – Heinz CISO, and the Stanford Advanced Cybersecurity Certificate, along with countless technical and presales certifications from top security vendors. Powell is also an accomplished musician and father who loves to spend time with his kids.