When it comes to cybersecurity, your company is only as protected as your people are loyal. I’ve preached more times than I can count that you can put all the tech you want into place, but you cannot stop human behavior.
Technical tools are only a way to facilitate the human element because the truth is, people will be your organization’s greatest threat or its greatest source of protection. Protecting your organization from threats begins and ends with a culture of responsibility that unifies human and tech support.
Start with Company Culture
Creating a secure culture starts with gaining employee buy-in and helping internal stakeholders understand the company’s vulnerabilities. Most companies don’t realize that it’s everyone’s responsibility to keep the organization secure, not just the IT department. The traditional approach of the IT department versus everyone else creates a negative interaction, which can harm overall security. Information technology should serve more of a human support function to work harmoniously and ensure that the company is secure. It’s everyone’s responsibility to maintain the security of the organization.
Unless we begin teaching our people to identify human threats within the organization, the cybersecurity landscape is incomplete and lacks a full circle of protection. It’s essential to educate employees on the kind of emails they shouldn’t open or the data transfers they shouldn’t be making because, more often than not, it’s not something they’re doing maliciously. They simply don’t know that what they’re doing could immeasurably harm their organization.
Although, there is also the nefarious angle in which to be on the lookout.
Threat Actor Profiles
There are five threat actor profiles to consider, and each one has its own motivation and approach to infiltrating an organization’s infrastructure or network. Therefore, it’s important to recognize their goals to better thwart their attacks.
The most common actors are insider threats. These are your employees that are looking for opportunities to steal from your organization. Most often, they are motivated by financial needs or other external pressures. These are the kinds of threats that can potentially be avoided with a positive company culture and a standard for treating and compensating your employees well. Basically, loyalty is a two-way street, and you don’t want to alienate your best line of defense against cyber threats.
However, once an employee has made the determination that stealing from the company is their only way out, there’s no effective way to help them climb out of their situation. In fact, to protect the organization’s assets, you will have to terminate them immediately or face losing a significant amount of money that may impact the rest of your employees.
Nation States are the next kind of threat actor. We’ve been seeing this in the news for years now; countries attacking each other through cyberwarfare to create unrest, influence elections, and more. The motivation is geopolitical destabilization. But keep in mind that it’s still people behind the keyboard; these actions are not a bot behind smoke and mirrors. There is a human element involved in making these attacks a reality.
The third kind of threat actor is organized crime groups. These are your criminal elements taking advantage of other people to obtain data and sell it on the dark web. They usually deal with money exchange, and their motivation is to make a profit while taking advantage of people. They work diligently to gain a foothold inside networks to initiate wire transfers and siphon out money.
Then you have your hacktivists. These are individuals or groups where someone uses hacking to bring about political and social change. Some of the most widely known hacktivist groups include Anonymous, Legion of Doom, Masters of Deception, and Chaos Computer Club. Their motivation is often ego, and they are viewed as some sort of bully on the playground.
The final actor is the amateur who sees hacking as a hobby or something to figure out for its fun. They are disparagingly referred to as “Script Kiddies” because they rely on existing software to launch hacking attacks. They are motivated by curiosity and enjoy challenging themselves to attack computer systems and networks.
The Human Element of Surveillance
Using technology as a surveillance tool is important for flagging potential threats, but the human element is required to determine whether that potential threat is legitimate or not. For example, if an alert is received indicating someone has used the word resume, the technology will assume that the employee might be looking for a new job. However, there could be a very simple explanation, such as your Human Resources employee reviewing resources or the word is being used in a different context. A person should be the final word on intention, not the software.
Another example may be an employee suddenly begins printing a significant number of pages on the office printer. This behavior may be out of the ordinary for this employee, which could signify they’re poaching client lists or proprietary information. Although, this could also simply be a case of them preparing for a presentation. A human being needs to be the one critically examining the data to determine whether there is a legitimate threat or not.
Cybersecurity is not only about tech. It begins and ends with people–the tech is in the middle. You need to create a secure culture within your organization that unifies human support and tech support. The human element can either be your organization’s greatest threat or greatest source of protection.