“People are the weakest link” has been the dominant mantra in cyber security for too long. Not only is it not helpful, by creating an ‘us and them’ divide between those of us in the profession and the non-technical people we work with, but it is also not true. We put too much responsibility on end-users, expecting levels of security from them that even cyber security professionals cannot always maintain.
The recent successful attack on a senior Mandiant analyst shows that we are all potentially vulnerable to being successfully compromised online (http://thehackernews.com/2017/07/data-breach-mandiant-fireeye.html). As an industry, we also tend to focus more on the negative side of cyber security issues, rather than emphasising the positive. Media reporting of cyber security stories generally follows this pattern, too.
The Titania Infosecurity Europe stand in London in June had a theme that ‘Not all Heroes Wear Capes’ and, with this in mind, it’s time that the cyber security industry as a whole started highlighting the overlooked stories of people as the strongest link.
The analytical hero
In February of 2016, reports emerged that a bank heist had been carried out by cyber criminals who successfully stole $80 million from Bangladesh central bank. Headlines focused on the $80 million that was stolen and on reports that the Bangladeshi bank had very poor technical security measures in place.
Some reports sniggered at the fact that the criminals would have successfully stolen a further $850-$870 million were it not for a typo in the fraudulent transactions they put in place.
None emphasised how fantastic it was that an analyst at a routing bank, Deutsche Bank, spotted the typo and raised the alarm. $80m is a lot of money, and one of the largest bank heists in the world, and it’s right that we look at the issues that enabled this crime to take place. But, this shouldn’t mean that we don’t recognise the fact that one person was the strongest link here, stopping an $80 million theft becoming a $1 billion one.
Engage in cyber security.
Having delivered cyber security training in international organisations for many years, I consistently see that people are engaged and interested in cyber security. When people are trained in why cyber security matters to them and how they can better-protect themselves and their organisation, most want to do the best that they can. It is incredibly rare for someone to be uninterested in the training. People are aware of cyber security like never before, it is frequently in the news and a feature of mainstream TV programmes and movies.
People only become the weakest link when they are not trained or adequately supported. We put too much responsibility on people, when we should be looking to support them, not just with education, but also with technology.
Looking at how you can support personnel with technology, for example using Nipper to empower the employees responsible for configuring your firewall, will help the people in your organisation become your strongest link.