By Miguel Clarke, GRC and Cybersecurity Lead at Armor and former FBI Special Agent
I was first introduced to the concept of cyber security in 2000. Back then, the Dallas FBI Field Office had fewer than 25 email addresses, which were for the exclusive purview of the Cyber Squad, known at the time as a “National Information Protection Center” or NIPC Squad. To outsiders we were just a bunch of geeks playing with computers.
In reality, we were 12 FBI Special Agents trapped in a desperate tussle to stay ahead of a newly emerging threat, not yet publicly acknowledged. Behind the scenes the United States Intelligence Community was alarmed, coming to terms with the fact that our nation’s enemies were already using networks to make their spies and spying campaigns ever more effective.
In those distant days, the security function was just a collateral duty for information technology teams, who were charged with making sure the technology was available and functioning properly. The modern-day breach had not been widely deployed. ‘Attacks’ took the form of defaced web pages and Denial of Service Attacks. But that was OK, because as soon as the bad guys got ahead, the good guys came back with a solution and saved the day.
The problem is that today’s perception of risk is rooted in that history, a reliance that the good guys, armed with their ‘silver bullet’ technology, will overcome. It gives the modern-day network defender some comfort that reasonable preparations will provide adequate protections. But the issue now is that technology is ubiquitous. We use it for everything, from communication and entertainment, to banking. This reliance on technology has made us more vulnerable to cyber security risks. The attacker now has two vulnerabilities to exploit, the people and the technology. And even the technology designed to protect them from the risk.
But everyone reading this knows the size of the problem. Cybercrime is a six trillion-dollar industry and cyber security is a 200 billion dollar industry. But no matter how much we spend, we are not getting any safer. This has become a problem we can no longer outrun. And, as a business, you cannot spend your way to safety. This is an asymmetrical war.
As an FBI Special Agent, ‘mindset’ was a crucial part of both my training and the way I approached investigations. As humans, our brains are more complex and magnificent than any computer, but I worry that when it comes to risk and cyber security, our reliance on the technological ‘fix’ is stopping us from using them. Bruce Schneier, a public interest technologist, said: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”, and I could not agree more. Somewhere along the line we have forgotten the importance of the human factor, both as a vulnerability and as a solution.
Let’s first examine the human factor as a vulnerability. Most organizations extend high levels of trust and access to their employees and this immediately exposes them to both malicious actions and non-malicious mistakes made by employees. Unfortunately, whilst it has delivered many benefits, our increased connectedness through multiple devices, apps and programs has delivered two things: a greater number of outlets for leaking information and a higher number of people with greater access to critical information.
The human factor is undoubtedly the weakest link in the security of any IT infrastructure. Threats such as Ransomware and Business Email Compromise rely on an exploitation of the human mindset, so ignoring people related risk comes at your peril. Also remember that behind the threat is another human being, capable of manipulative and nuanced behavior, so whilst policies and technology can impede malicious actions, risks cannot be eliminated, because people are inherently unpredictable.
Acknowledging the risk of the human factor means remembering that every technology user in your business must be considered. Risk and cyber security are not the sole domain of your IT department and keeping IT governance and risk management siloed is counterproductive, as hackers are not likely to target the cyber security savvy.
How then, can we turn the human factor to our advantage? We need to make a mindset shift away from threats and vulnerabilities. A risk-based mindset enables a much more useful conversation. It starts with better questions, such as:
- What is the worst that I expect to happen?
- Which assets are the most critical to the business? What are the conditions which would result in a “business-ending” outcome?
- How much can we devote to preventing that outcome?
- What contingencies do we need to have in place to survive that event?
- What resources will we need?
- What does recovery look like and how long will it take?
- How do we capture the lessons we learned so that we can be better prepared for future events?
This is just a sample of the questions resilient organizations will use to start more meaningful conversations. Next in line is developing a focus on building the skills needed to observe, understand, and remediate significant events across the board. Really? Yes. Keeping risk conversations behind closed doors helps nobody. Instead, consider forming a multi-disciplinary team, including IT, HR and comms to discuss potential risks and to communicate and educate the wider business.
We should establish a culture of cyber security and risk awareness within every organization. This culture should prioritize cyber security as a key business priority and encourage employees to report security incidents or potential threats. It should also promote a sense of ownership and accountability among employees for the security of the organization’s data and assets.
The right mindset combined with the commitment to building relevant skills with sophisticated tools is the path to resilience. Resilience is the antidote to the growing cybercrime economy. When fully matured, there will be no more “victims” of cybercrime. There will only be combatants.
About the Author
Miguel Clarke is the GRC and Cyber Security lead for Armor Cybersecurity. He spent nearly 24 years as a Special Agent with the FBI, where he was a founding member of the National Cyber Investigative Joint Task Force and the Defense Collaborative Information Sharing Environment. He was awarded a NIMUC (National Intelligence Meritorious Unit Citation) for contributions to the United States Intelligence Community