The success (or failure) of a company to protect digital data is a window into the soul of cybersecurity today.
Why do bad things happen or not happen?
Everyone, from grandma to Oscar winners to major corporations, has become a high-value target for cyber criminals.
Whether it’s the recent Experian breach that may eventually impact over half of the citizens of the United States, WannaCry sweeping computers around the world, wire transfer fraud, a data leak, or the U.S. elections, it translates down to one thing: cybersecurity is fundamentally broken for everyone, large and small, and you see it highlighted in the headlines.
When it comes to the organization you work for, chances are the founders did not say to themselves, “I’m so passionate about this particular customer and their needs, but first, I should spend all my budget on security.”
The first thing executives have to do is weigh the cost and benefit of that type of investment against a cyber incident or event that may never happen. But spending money doesn’t make the risk completely go away. Putting the money towards security means they cannot spend it on R&D, marketing or improving the customer experience. Often the executives look for a best practices checklist, implement it, and then move on feeling they have done enough. Sound familiar?
In spite of following the checklist, bad things still happen
Following checklists didn’t stop WannaCry or Petya (NotPetya) from spreading, HBO from getting hacked, or help Twitter, Netflix and Amazon during the scary hours of Friday, October 21, 2016, when we realized the internet was slowing down and in many cases, not available at all. What was the cause of the slowdown of the internet last year? Weaponized baby cams and other internet of things devices. On that fateful day, the Mirai botnet attack hit Dyn. Dyn, a cloud-based Internet Performance Management company, was the target of a disruptive Distributed Denial of Service (DDoS) attack. The attack directed networked devices to route traffic at Dyn’s Domain Name Servers (DNS). As a result, Dyn could not respond to the flood of DNS requests and consumers could not reach web sites. It was the biggest, baddest DDoS attack ever…at least until the next time.
We faced similar challenges at the White House. The pivotal moment for me that shifted how I design a security strategy started at the Executive Office of the President, the White House. The security at the White House could not be just about boxes, servers, oppressive end user policies, and blinking lights in the Security Operations Center; security at the White House came down to the people who served at 1600 Pennsylvania Avenue, across America, and abroad. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security. After all, if solving cyber security and privacy issues were as simple as following security best practices, we would all be safe. It’s not that simple.
Two key questions came to me in the first 90 days at the White House, and I had to answer them or we would have had a major calamity:
- Why, in spite of talented security teams and investments in security, do breaches still happen? and
- Why is it that, despite hours and hours of boring computer-based training and security campaigns, we still make mistakes and click on links?
The responsibility to fight or follow up on a cybercrime rests squarely on your shoulders. If we want to solve this problem, we have to rethink how we deliver security. The current approach to people, process and technology is built around protecting old digital routines, from magnetic strips on cards (circa 1970s) to a better mousetrap for “user ID and passwords” (circa 1970s-80s) to protecting email accounts (circa 1990s). Taking incremental steps in cybersecurity technology and privacy will keep us further behind in countering the threat environment. We must critically re-examine how we assess our security technology, procedures, and methodology to understand the full scope of risk we bear daily and to determine the best course of action to mitigate this risk.
Executives and security teams are always asking me, “Why do users click on attachments?” I believe the better question is, “Why do we design the security assuming our users will follow all the rules?”
We have zero empathy when it comes to the way security is designed — we must move to a high empathy system. After all it’s all about design! You need to design your applications to assume that your users will do everything wrong — they will share passwords, they will forget them, and they will do unsafe things to get their jobs done, such as use free, insecure WiFi.
We had to protect our digital assets at the White House, but we were also responsible for enabling staff to do their jobs effectively by supporting them with technology. With each design step and new policy, ask yourself, “Can security in this instance be more of a warm hug around the user, versus an impediment to getting their job done?”
Even if you can’t design for the human, keep track of how many times you have zero or negative empathy for your customers; you will be surprised. In my years of experience, rest assured, the places where you have zero or negative empathy for the user are those places where they will have to create workarounds to get their job done under extreme deadlines. It’s in those design failures and human flaws that you lose line of sight of your data, and your organization is vulnerable and completely blind to the issue.
To make the evolutionary change we need, we must do the following:
- Build an understanding of human nature and psychology into the development teams and the overall cyber security profession;
- Incorporate that knowledge into the design and implementation of all our systems;
- Innovate cyber security technologies and policies that account for insecure human behaviors and incentives.
Unless we do so, our privacy and security will perish.