Don't be fooled by the name: cyber security is about people, not technology

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://econsultancy.com/us/blog/63749-don-t-be-fooled-by-the-name-cyber-security-is-about-people-not-technology

When you hear the phrase 'cyber security', what springs to mind?

On the face of it, cyber security is often assumed to be purely technical:
it could be described as protecting IT from viruses, malware and other
threats that just keep growing in the digital age.

To take it one step further, cyber security is about protecting information
that we create, share and store in ever-advancing ways from those threats.

When we really think about the role, value and use of information, we start
to see that cyber security is about much more than purely technical issues.

However, it's when we look at the threats, and how those threats become
reality, that we can truly understand that cyber security is, at its heart,
about people more than it is about technology.

Human error

In cyber security we often say 'there is no such thing as a malicious
machine'. Trace a cyber attack or information breach back to its source and
you won't find code, you'll find a person.

In fact, most information breaches are the result of human error and a lack
of awareness, and the 'human problem' appears to be increasing.

"Eight years of research on data breach costs has shown employee behavior
to be one of the most pressing issues facing organizations today, up 22%" -
Larry Ponemon, Chairman of the Ponemon Institute.

Some recent information breaches handled by the Information Commissioner's
Office (the ICO; the UK’s independent authority set up to uphold
information rights in the public interest) help to illustrate the point:

- Ministry of Justice. Details of all 1,182 prisoners at HMP Cardiff were
accidentally emailed to the families of three inmates; the ICO issued a
£140,000 penalty and referred to a "clear lack of management oversight".
- Cardiff and Vale University Health Board. A consultant psychiatrist was
cycling home and lost a bag off the back of their bike which contained
sensitive personal data including a mental health act tribunal report
relating to a patient.

The ICO commented that “this data breach was entirely avoidable" and
specifically referred to the lack training the consultant had received.

- Bank of Scotland. Customers' account details were repeatedly faxed to
wrong recipients in a "four year fax blunder" due to human error inputting
the wrong fax numbers; the Bank of Scotland was issued a £75,000 monetary
penalty for the breach.

A lot of people will have heard of, experienced, or worried about losing
information in scenarios like the examples above, from mistyping an email
address to losing papers on the commute home from work.

People will always make mistakes, but policies, procedures and training
help to minimise mistakes by making them both much less likely and less
damaging.

They do this by helping people to understand:

- The value of information in general, and the particular types of
information they really need to take care of (this is why many
organisations, including the UK government have aninformation
classification system).
- The cyber threats and what, in particular, they should look out for.
- What is expected of them, in terms of both why and how they should keep
information safe.

- What to do in case of an information breach or a cyber attack.
- Where they can turn for more help, advice or support.

Driving awareness of the threats and implications of data loss, and
supporting staff to understand what they can do to better protect
information, makes a huge difference when it comes to cyber security.

In fact, a survey published by Ernst and Young in October 2013 argues that
80% of the solution to cyber security is non-technical.

Internal data theft

Reducing accidental breaches helps to protect your organisation from the
day-to-day trickle of data loss. It also makes internal data theft, far
less common than accidental loss but usually more costly, more noticeable.

When staff members are trained in cyber security, they are more equipped to
notice strange behaviour from a colleague, from requesting access to files
that they don't need to emailing work to their personal email address or
leaving the office with piles of paper.

If we better understand what motivates people to steal data we can put
measures in place to make those thefts less likely.

Research by Symantec and Mishcon de Reya indicates that most internal data
theft is perpetrated by lone men in their mid-20s to mid-30s, working in
technical roles, generally stealing the data by technical means.

However, over a quarter of internal data theft is carried out by stealing
hard copies, and most discoveries of internal data theft are made by
non-technical staff. This all reinforces the need to have a
multi-discipline approach to cyber security and shows why keeping
information safe is everybody’s job.

Patterns tend to precede internal data theft: stress is often a motivating
factor for malicious insiders, particularly a professional setback
(perceived or real), which highlights the need for good morale in an
organisation, reinforced by two-way communication and a culture that values
staff members (especially at times of organisational change).

Processes and procedures play an important part, too. For example, as 70%
of data theft takes place within 30 days of an employee handing in their
resignation, robust exit procedures that take account of data theft should
be in place.

Insiders, particularly current & former employees, are cited as a common
source of security incident, yet many organisations do not have plans for
dealing with an insider threat, and those that do are often not very
effective.

External attacks

Of course, discussions about internal data theft and loss should not
distract from the cyber attacks that come from outside an organisation.

In fact, external cyber attacks on organisations have increased by 50% in
the last year. On top of that, external attackers are turning more and more
to ‘human’ methods to extract information from an organisation, from social
engineering to phishing attacks, which have grown 87% in the last year.

Increasingly busy lives, and the blurring of home and work life, also puts
information at risk, as the2013 Norton Report (of 13,022 online adults)
shows:

- 49% of respondents use their personal devices for work.
- 30% of parents using mobile devices for work admit to letting their
children use their devices (and as children generally use the internet to
play games, use social networks, watch videos and engage in other risky
behaviour online, this puts work devices at greater risk).

- One quarter of file storage users say they use the same online file
storage account for both work and personal documents.
- 90% of PC users delete suspicious emails from people they don't know,
whereas only 56% of mobile users do.

The 2013 Norton Report also addresses the increasing risks posed by social
networking. One finding of the report is that 31% of social media users
connect with people they don't know, the dangers of which were highlighted
recently when a security exercise carried out on a US Government Agency hit
the headlines.

Two hackers staged a cyber attack on a US Government Agency by setting up a
Linkedin and Facebook profile posing as a young woman, and convinced
officials to click a corrupted e-card that obtained passwords to sensitive
documents.

Within the first 15 hours, the fake profile had made 60 Facebook
connections and 55 LinkedIn connections with employees from the targeted
agency and its sub-contractors and within one week the hackers had achieved
their aim of infiltrating the agency.

This success of this exercise demonstrates the ease with which attackers
can use social networks to gain access to people and their information.

A multifaceted approach to a complex problem

Cyber security is about trying to govern where humans and machines meet.

In too many organisations, however, it is still seen as something for IT to
tackle alone, but all of the technical solutions that money can buy will
not protect an organisation from human error, malicious insiders and
external attacks.

What do help to protect organisations are technical solutions implemented
as one part of an organisational approach that depends on understanding of
the value of information, and covers policies, procedures and training.

As MI5 Director General Andrew Parker commented at the recent Intelligence
and Security Committee:

"it's tempting to think that security relating to an IT issue must have an
IT solution, and of course that's part of it… but those [IT solutions] sit
within the whole range of security arrangements that we have - physical
security of our facilities, but most importantly the personnel security
that we apply to the vetting that our people have… the way they're managed,
and the way all these measures together make it extremely difficult and
extremely unlikely to have… breaches"

To take care of information, you must put people at the centre of your
approach to cyber security.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.