At Snow, we’ve been talking a lot recently about the need to put people at the heart of IT rather than focus on the technology. This is something that has always been at the core of what we do – whether it’s been about making our products easy for our customers to use, or about providing insights that help the people who make business decisions do so more effectively. Recently I was asked what we thought the biggest security threat would be in 2020, and while I thought the answer was obvious, I fully admit I’m not a security expert - so I enlisted the help of my colleagues Rob Price and Igor Andriushchenko. It turns out they agreed – about both the problem and the solution. The answer probably won’t surprise you - it’s people.
For many security professionals this has always been the case – and the reason for their reluctance to transition from the command-and-control approach of prevention to ‘people-centric security’ with the focus on education and ‘detect and respond’. A recent tweet from @SwiftOnSecurity makes the point in a slightly unconventional way (although this is something that has probably crossed the mind of most security professionals in the course of their career).
As the number, range and complexity of possible security exploits increases (an inevitable consequence of the increasing complexity of technology and the speed at which new products are emerging into the market or being updated), we become more and more reliant on individual end-users to be vigilant and spot phishing attempts or notice when their accounts have been compromised. At the same time, these end-users are under increasing pressure to be more productive and creative and are experimenting with new technologies that might give them a competitive advantage but may not be fully integrated into organisational IT (or even known about by the IT teams). This is certainly part of the reason behind the huge growth in the security education industry.
While giving technology guardians insight into where people are using technologies that may put people at risk (from unsupported older products to unpatched versions of supported products and open data shares) can help target detection and remediation efforts, we should also consider how we can drive accountability for security to the individual. As the tweet quoted above points out, “Users don’t just download malicious files for fun. They’re trying to do SOMETHING.”
“Users don’t just download malicious files for fun. They’re trying to do SOMETHING.”
We believe it is important to think about people as part of the solution as well as the problem (back to the ‘people-centric security’ approach) – after all, the something they are trying to do is usually for the benefit of our organisation. If we can educate end-users about the impact of their activities, not just through generic ‘security awareness’ education, but by providing them (or their line managers, leaders and executives) with the technology intelligence that gives them visibility and insight into the potential impacts of their activities, then they will be in a position to make better decisions.
While making end-users more accountable sounds great, it’s only part of the solution. IT organisations should ensure that they patch the vulnerabilities they know about… and don’t wait until there’s an exploit. SC Magazine reported earlier this year that “over 80% of IT systems feature unpatched CVE vulnerabilities”– something that is relatively straightforward (if time consuming) to remedy in most organisations. Although as Rob pointed out “Without automation, it’s impossible for security teams to assess threats and prioritise remediation for vulnerabilities within the applications they know about, let alone these ‘little surprises’ the user base drops on them daily.” If the system can’t be patched (due to business criticality or safety issues) then additional security measures need to be taken to ensure that known vulnerabilities don’t put people at risk.
Igor told me that “getting visibility into the technology estate is the key to flagging and mitigating the risks before they become nightmares. In the modern world, vulnerabilities in software products are mitigated swiftly, the deployment of the patched versions to end users, however, takes time. Some never get updates – they are much more likely to become victims of ‘bad guys’.
“Organizations need to continuously educate people but also be prepared that people’s defence will eventually get breached. After that, it all relies on the latest patches being in place, and if that fails - smart detection of adversarial events.
“Knowing which SaaS solution and endpoints users’ access can be crucial in the detection of a potential data breach – if a payroll administrator or CFO starts dropping files to Pastebin, there is a chance something phishy going on…”
Putting humans, rather than technology, at the heart of IT is the only real way to deal with the range and complexity of the cybersecurity threats that we’re facing.