Whether people are your weakest link and falling for phishing attacks, or your strongest link and looking out for anything suspicious, is down to your organisation’s culture.
“People are a very important part of our cyber defences,” says Lynwen Connick, chief information security officer (CISO) of the ANZ Banking Group.
“I really like to think that we can work with people, and help people be one of the strongest links in our cybersecurity armoury.”
Connick was speaking at SWIFT’s Sibos global financial services conference in Sydney on Tuesday, in a panel discussion titled “Can we ever counter the weakest link in cyber-security — The people?”. She wasn’t the only panellist mentioning the positive, at least partially.
“I still believe in many respects that humans can be your best benefit, but at the same time they clearly are the weakest link,” said John Hibbs, business information security officer at Bank of America Merrill Lynch.
“You’ll see these amazingly capable nation-state actors, they can do almost anything, and they’re all sending phishing emails. So why would they do that? They know someone’s going to click, right?”
Even with the best phishing awareness programs, if you can reduce the click-through rate to three percent you’re doing well, he said.
“But the economies of sending a phishing email are, like, zero, right? So I’ll just send a hundred thousand, a million, ten million, it doesn’t matter. I’ll just keep on doing it because someone will click.”
Hibbs said that if he could take the humans out of the loop then the risk would drop to zero, but obviously that’s incompatible with the reality of human communication within and between organisations made of, you know, humans.
“I think we’ll always be in that state. While we do need to make them more vital team members, we need to change the culture, which is very critical to reduce it, but there’ll always be that risk.”
But focusing on phishing awareness training and the like is “too much of a tactical response”, according to Valerie Abend, who heads up Accenture’s global cyber regulatory services.
“In order for us to get ahead of it, more than just focusing on that phishing aspect and not further risk, the bad guys are just going to keep outsmarting us. We have to be a little bit strategic on where we’re focusing raising the level of attention and awareness,” Abend said.
Awareness-raising and anti-phishing campaigns are important, she said, but organisations need to raise the level of board and senior management involvement in managing the risk.
“I call it ‘widening our cyber tent’,” she said.
“While I can get deep technical skills, what we lack are people who have the understanding and context of how to take the risk and actually translate it for senior management and for boards. And in order for us to actually get to that point, we actually need to widen our cyber tent.”
What Abend means is increasing the diversity of the talent base to get a diversity of thinking.
There are ways that engineering can help reduce the human risk factors too. It’s about strengthening the entire ecosystem, according to Nandkumar Saravade, chief executive officer of ReBIT, the IT subsidiary of the Reserve Bank of India.
“I don’t want to be gloomy, but I think the problem of phishing is not going to go away with whatever amount of training’s being done, because if there’s a spearphishing attack which is crafted to that person of interest, then that is more likely to succeed,” Saravade said.
Issue hardware tokens to all employees and the phishing success rates become “insignificant”, he said, and Indian consumers are now getting used to using one-time passwords for e-commerce transactions.
Saravade also recommended the deployment of DMARC to authenticate emails, which “eliminates the problem of spoofed emails”. Britain’s National Cyber Security Centre (NCSC) has already used this approach successfully across UK government domains.
All these panellists are right, of course. Phishing will continue because it works. People are both a weakness and a strength, and which human trait dominates boils down to the organisational culture, as well as their level of awareness and training.
What the panellists missed, however, was the importance of an organisational culture that gives employees the time to think about the emails they’re receiving, and permission to question the message.
Many corporate security awareness programs fail because there’s no real motivation for employees to even care.
“If you have a low engagement level with your staff, you’re effectively saying, ‘I want you to change your behaviours, and I know you don’t give a shit about the company, but do it anyway.’ You’re asking staff to behave completely altruistically for a company that they feel no connection with,” said James Turner, founder of CISO Lens, earlier this year.
As the University of Otago reported three years ago, when employees fell for a phish, they were usually away from their desk, using mobile devices which didn’t necessarily display the email in full. It usually happened outside business hours, too, either late at night when they were tired or first thing in the morning when they were busy starting their household’s daily routine.
And as Australia’s Defence Science and Technology Group (DST) has discovered, people from countries associated with higher levels of individualism were better at spotting malicious emails, presumably because they’re more comfortable with questioning their apparent authority.
People are the strongest link. As Alastair MacGibbon, now the head of the Australian Cyber Security Centre (ACSC), has said previously, they can become the great human firewall. But they need to have a reason to give a damn. – ZD Net