Did you know what your biggest security threat is? Your People
Observations and a few suggestions to help address the threat
For the past year and a half, I have been working on my PhD in Social Cyber Security by writing a book on Social Cyber Security, focusing on how people are the biggest threat to organizations and how people are also the solution to securing anything in an organization.
Let’s start first with defining Social Cyber Security at a high level:
Social Cyber Security: the collective power of individuals to protect an organization, driving a culture shift in cyber resilience (cyber resilience is the concept that brings together the areas of information security, business continuity and organizational resilience).
Cyber “events” (hacking, malware attacks, ransomware attacks, security breaches, etc.) are often discussed as if they occurred due to “technology problems”. While a technology problem could exist (an unpatched vulnerability, for example), the cyber event also represents a human and a business problem. The human problem is often discussed in the context of “cyber leader X has a background that lacks x, y, z, or has a degree in ‘something not technical’, or this leader didn’t have this type of technical certification”. The business dimension often gets overlooked in the breach discussion, as very rarely is leadership asked: “why do you have so many open cyber security & information security positions compared to your sales and marketing teams?” (note: any area of a company can be compared with cyber security & information security).
What is important to remember is that the cyber event is executed by a hacker/attacker, and they don’t attack technology – they attack people. The tools or techniques used are based on a technological method; however, most successful infiltrations (hacks) incorporate social engineering and other human factors in order to gain access to an organization’s systems. Technology plays a role (the tool); it’s the human that is the enabler.
Case in point: Phishing Remains Top Cyberattack Vector in 2017
This is where the concept of Social Cyber Security must start to enter the dialogue and culture of an organization.
Humans are the perimeter of any organization. Changing human behavior is critical to ensuring any organization is secure. It is clear that relying on technological countermeasures alone isn’t working as “effectively” as we would all want it to. Therefore a focus on the human must be our next step as cyber professionals and leaders.
What do I mean by a focus on the human? Cyber user awareness, cyber training, table top exercises across the organization, and educating users to be more aware of the threats their actions can pose to an organization are all great starts. However, focusing on the human also needs to incorporate the following:
How toxic is your culture on your team? In your department / division? Your organization?
How inclusive is your team? Your department? Your organization?
How diverse is your team? Your department / division? Your organization?
Is empathy a key skill that is cultivated in your workplace environment?
Do you have KPIs for your humans AND not just for systems and services?
Do you promote love (non-romantic) in the workplace? Do you love your products & services? Do you love your clients? Do you love your corporate culture? Leaders – do you love your staff? Leaders – do you love your peers?
These are just a few of the questions that, when asked, often paint an organizational story that is fractured and not as united as the organization needs to be for proper cyber resilience.
Think of it this way: if your culture is toxic, isn’t inclusive, isn’t diverse, isn’t supportive of backgrounds (professional & educational) that differ from yours, isn’t structured to empathize with a worker’s life (remember, 2/3 of your workers’ daily life is away from the office), and doesn’t invest in every worker (life investment, technical skill investment & soft-skill investment) – how can you expect workers to care enough to increase your cyber resiliency and help YOU build an organization that truly embraces Social Cyber Security?
You may be asking: how can we get on the path to positively answering the questions presented above?
www.securediversity.org will be bringing to market a portion of our “Train the Brain” platform, offering Train the Brain for individuals and Train the Brain for organizations, to help create diverse and inclusive organizational environments, which will increase an organization’s cyber resiliency and strengthen its overall Social Cyber Security strategy.