In his 1711 “Essay on Criticism,” the British poet Alexander Pope wrote, “To err is human; to forgive, divine.” Putting the latter aspect of this phrase aside, Pope expressed succinctly what every single human being knows: that we humans are fallible, prone to mistakes. This applies as much today as it ever did, not least when it comes to cybersecurity.
The idea that most cyber-attacks are caused by inadvertent user error or compromised intent is borne out by the 2017 Verizon Data Breach Report, which found that:
- 81% of hacking-related breaches leveraged weak, stolen or compromised credentials. With over one billion credentials stolen in 2016, stolen or compromised credentials were a leading security vulnerability.
- 43% of breaches started on social media, which demonstrates how effective social engineering has become in a bad actor’s toolkit
- One in 14 users (in an average company with more than 30 employees) fell for a phishing scam by clicking on an unverified link or downloading a suspicious attachment; one of four of these victims ended up being tricked a second time.
The whys do matter
A worldwide Information Security Forum survey found that most disastrous breaches came from accidental or inadvertent behaviours by loyal employees who had no intention of harming their organization. It is all fine and good that Joe Employee didn’t mean to throw wide open his company’s doors to hackers; unfortunately, the road to security hell is paved with good intentions, and hackers tend not to care whether their targets approve of or condemn their work.
Cybercrime costs are projected to reach a mind-shattering $2 trillion by 2019. While this may not necessarily mean the “bad guys” are winning, it certainly suggests they are on a roll. What is needed, then, is a smarter approach: a people-first approach.
“The Human Point”
Forcepoint, which is working hard to transform cybersecurity by focusing on people’s behaviour and intent as they interact with critical data and IP wherever it resides, presents “The Human Point,” which contains a three-pillared approach to protecting employees, critical business data and intellectual property:
Technology Alone is Insufficient – According to Gartner estimates, worldwide spending on information security is expected to hit $90 billion in 2017 and exceed $113 billion by 2020. Despite new cybersecurity investments, serious breaches continue to rise as critical business data and intellectual property is scattered. The concept of a network has shifted, and now includes everything from consumer social applications to hosted cloud infrastructure and employee-owned devices. The industry is stuck in a cycle of developing point products to address these new waves of threats.
People are the Constant – Threats continually evolve, and technologies come and go, but people are the constant. People are at the center of today’s most publicized security incidents, and they can undermine even the most comprehensively designed cybersecurity systems in a single malicious or unintentional act. Focusing our efforts on protecting the cyber behaviors resulting from human interaction with information technology and critical data is an opportunity to make a profound impact on security, and safeguard our critical data and intellectual property while maximizing our investments.
Cyber Continuum of Intent – The Cyber Continuum of Intent is a model that describes the relationship between people (including employees, partners, and contractors) and the motivations behind observed cyber actions. It groups insiders into three types: accidental, compromised and malicious. People can move in and out of these categories at any given time due to a number of factors such as security awareness, attention to detail, fatigue, or job satisfaction. If companies understand behavior and intent, they can better protect their employees, data, and overall enterprise.