Digital transformation through effective cybersecurity

People and Cybersecurity 

  • Security is about human behaviors and psychology
  • Most feel cybersecurity is a technical issue (it's not)
  • Posters and videos from IT are not how people learn
    • IT often doesn’t understand how people function
    • HR and/or marketing should also play a role
  • People are the first line of defense 
  • Restrictive security policy is logical but…
    • Impedes innovation and productivity (e.g. pen testing too often)
    • Frustrates users (e.g. airgaps)
    • Leads to complacency
    • Exacerbates security problems (e.g., changing passwords too frequently)

Cybersecurity can only ever be
as strong as its weakest link

 

The biggest vulnerability of a system is usually
NOT the hardware or software
 

⇩
People are often the weakest link
with human error
the biggest challenge

2 silver chains being held together by a red paper clip that is starting to bend out. Showing the weak link.

Human Firewall

Change perspectives 

Change from...

infrastructure-centric security focused 
on generic group policies to...

 

⇩
... human-focused, user-centric security that
focuses on user behavior and intent

 

Simplify security 

  • Reduce complexity and friction – “shadow IT” and Post-it notes
  • Balancing security requirements with usability
  • Security policy based on user-centric factors, context and controls

Redefine “Insider threat”

  • Not just rogue or disgruntled employees intentionally performing malicious acts
  • Insider threat is also due to employee ignorance and negligence
  • Contractors, vendors, suppliers, supply chain, channel-partners, and service providers (e.g. lawyers, accountants) and other trusted 3rd parties are also “insiders” 

 

Semi transparent blue shaking hands with cyber mesh lines and dots of light running through them.

Enable trust

  • Trust is healthy and accelerates everything
  • Mistrustful organizations are less productive, capable or creative
  • People cannot function in an atmosphere of persistent uncertainty
  • Multistakeholder trust – cybersecurity needs strong relationships that facilitate information sharing
  • Need to teach people how to trust better for a secure and healthy environment

Communications

 

  • Consistent singular communication process

  • Free from recrimination or holding individuals responsible
  • Fear is human nature – but who is the real bad guy?
  • Don’t enable a “hide it” or “fix it by yourself” atmosphere
  • Minimize impact through early detection and rapid response time

Education and training

    • Training that’s not implemented as a compliance “check box”
    • Help understand the impact on the business
    • Provide immersive learning opportunities
    • Test (e.g., phishing exercises), but sparingly

 Upgrade people to think securely

 

Resilience is key

Should assume… 

…firewalls will be penetrated
…encryption keys will be compromised
…malware will be deployed in infrastructure


Let us help you change your mindset and address cybersecurity
