A new lens to measure cybersecurity risks and the need to reimagine cyber consciousness
(1.00)^365 = 1.00, whereas (1.01)^365 = 37.7
This goes to show how doing nothing at all, versus small yet consistent changes, can bring about unthinkable transformations. The reason I used this example is that it embraces two philosophies I abide by:
- Quantification makes explanations easier
- Consistency is key
Let me extend this example to cybersecurity...more specifically, to the human element of cybersecurity. The IBM Cost of Data Breach Report, 2020 mentions malicious attacks and human errors as the top reasons for cybersecurity lapses across industries.
Not too long ago, Google’s Waymo and Uber were entangled in a messy and meandering lawsuit involving self-driving vehicles and a freshly fired employee. Google’s former employee had transferred more than 14,000 files, including some trade secrets and hardware schematics, from his work desktop to an external drive and wiped his desktop clean.
Ideally, the transfer of these purloined files should have triggered an alert and a response, but nobody acted until much later, in fact too late.
This is why the factors affecting an organisation’s critical information have a lot to do with the people it hires:
- What they are — Interaction level with customers and clients, executive status, operating critical assets
- What they know — Cybersecurity training received or courses passed/failed, email hygiene, browser usage
- What they have — Number of devices, the status of operating software (updated/ not updated), 2FA, Backups, type of encryption on devices
- What they do — Number of hours of work, large data transfers, accidental/suspicious sharing of critical information, handles sensitive data daily
- And what they expose — The deep and dark web scanned for previously breached passwords, hashed or plain-text credentials, résumés.
With these dynamic factors at play at multiple levels of an organisation, perhaps even spread across geopolitical boundaries, the basic hurdle of the human element of cybersecurity is the lack of a standardised metric for comparison.
If even an abstract concept such as a person’s intelligence can be quantified in the form of an Intelligence Quotient (IQ), why can we not quantify every employee’s cyber consciousness?
For several years now, we have been training employees with quarterly sessions, but have we ever quantified the risk they posed before the training and correlated the changes in their cyber hygiene afterwards? The journey to inculcate cyber consciousness is never-ending but it can begin with a simple step of quantification.
Quantification is the first step in establishing a semblance of control over those who work for you but a point-in-time analysis is as good as not doing one.
With hybrid work environments becoming the new norm, this quantification, in the form of scores from 0 to 5 for all employees across teams and locations, has to be available at all points in time, perhaps on a virtual dashboard.
This would enable the security team to be on top of each employee’s and department’s cyber risk posture in real-time — allowing them to focus on people who need explanation or guidance. Any suspicious activity — malicious or accidental — immediately reflects as a drop in the score of an employee’s IP and therefore that of the enterprise, alerting the security team. This automatically converts an organisation’s cyber risk posture from a defensive to a proactive approach.
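One way such a 0-to-5 score and the drop alert described above could be computed for a dashboard. This is an added illustration, not the author's or any vendor's model; the factor weights, the alert threshold, the control names and the sample employee are all constructed assumptions.

```python
"""Illustrative employee cyber-consciousness scoring (constructed example).
Weights, thresholds and the sample employee are assumptions for illustration."""
from dataclasses import dataclass, field
from statistics import mean

# "what they have": device controls that count towards the score (assumed names)
CONTROLS = ("patched", "two_factor", "encrypted", "backups")

@dataclass
class Employee:
    name: str
    dept: str
    training_pass_rate: float   # "what they know": share of training passed (0..1)
    controls: dict              # "what they have": control name -> bool
    risky_events: int           # "what they do": suspicious transfers/shares this period
    exposed_credentials: int    # "what they expose": credentials seen in breach dumps
    history: list = field(default_factory=list)

def score(e: Employee) -> float:
    """Map the factor groups to a 0..5 score (higher is better)."""
    know = e.training_pass_rate
    have = sum(bool(e.controls.get(c, False)) for c in CONTROLS) / len(CONTROLS)
    do = max(0.0, 1.0 - 0.25 * e.risky_events)        # each event costs 25%
    expose = max(0.0, 1.0 - 0.5 * e.exposed_credentials)
    raw = 0.3 * know + 0.3 * have + 0.25 * do + 0.15 * expose  # assumed weights
    return round(5 * raw, 2)

def record(e: Employee, drop_alert: float = 1.0):
    """Append the current score to the employee's history.
    Returns (score, alert) where alert is a message if the score fell sharply."""
    current = score(e)
    previous = e.history[-1] if e.history else current
    e.history.append(current)
    alert = None
    if previous - current >= drop_alert:
        alert = f"{e.name} ({e.dept}): score fell {previous:.2f} -> {current:.2f}"
    return current, alert

def department_scores(staff) -> dict:
    """Average of each employee's latest score, grouped by department."""
    by_dept = {}
    for e in staff:
        latest = e.history[-1] if e.history else score(e)
        by_dept.setdefault(e.dept, []).append(latest)
    return {d: round(mean(v), 2) for d, v in by_dept.items()}
```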
The new way of working will be from home and it is here to stay. McAfee reported that 51 percent of people believe that they will continue to work remotely even after social distancing norms have been lifted. This means they will be handling sensitive and enterprise-critical data from previously un-secured perimeters. Your SecOps team has to cater to these adaptations too, and sometimes following through becomes difficult. They too are human.
As the constant tussle between the good and the bad continues, humans will have a more critical role to play in the defence of their organisation rather than its downfall, which has unfortunately been the case till now. This will change soon. Quantification and cyber consciousness go hand in hand.
Dr Larry Ponemon said “When companies had an insider threat, they were more costly than external incidents. This is largely because the insider that is smart, has the skills to hide the crime for months, for years, sometimes forever."
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)